The document discusses finding and analyzing iOS kernel bugs through fuzzing techniques. It begins by providing background on the iOS kernel structure based on XNU and OSX. It then summarizes two known iOS kernel bugs from the past that involved integer overflows and type conversions. The document goes on to describe passive and active fuzzing approaches that can be used to find new bugs, including hooking kernel functions to fuzz parameters. It also provides tips on reversing iOS kernel extensions and debugging the kernel. Finally, it analyzes examples of bugs found through fuzzing and how to understand the crash causes and trigger paths through static analysis and debugging.
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
This document discusses a new iOS kernel exploitation technique that involves manipulating mach ports. It fills the kernel heap with pointers to mach ports, then overwrites those pointers to fake ports that point to attacker-controlled data structures. This allows calling kernel APIs and the Mach API using the fake ports to potentially execute arbitrary code or escalate privileges. The technique was previously private but was leaked in late 2016 and used in the Yalu jailbreak.
This document summarizes a presentation on reverse engineering OS X drivers. It discusses the structure of the OS X kernel, drivers, and kernel extensions. It outlines some of the challenges in reverse engineering OS X drivers, such as parsing C++ code and dependencies, and describes approaches to address these challenges like processing relocation information and parsing DWARF files to build a kernel type library in IDA.
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...Adrian Huang
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Virtual File System in Linux Kernel
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
MacOS memory allocator (libmalloc) ExploitationAngel Boy
The document discusses the memory allocator libmalloc used in MacOS. It details the data structures used to manage tiny chunks of memory less than 1008 bytes, including blocks, chunks, magazines, free lists, bitmaps and regions. The mechanism of allocating, freeing and caching tiny chunks is also described.
Windows 10 Nt Heap Exploitation (English version)Angel Boy
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
This document discusses a new iOS kernel exploitation technique that involves manipulating mach ports. It fills the kernel heap with pointers to mach ports, then overwrites those pointers to fake ports that point to attacker-controlled data structures. This allows calling kernel APIs and the Mach API using the fake ports to potentially execute arbitrary code or escalate privileges. The technique was previously private but was leaked in late 2016 and used in the Yalu jailbreak.
This document summarizes a presentation on reverse engineering OS X drivers. It discusses the structure of the OS X kernel, drivers, and kernel extensions. It outlines some of the challenges in reverse engineering OS X drivers, such as parsing C++ code and dependencies, and describes approaches to address these challenges like processing relocation information and parsing DWARF files to build a kernel type library in IDA.
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...Adrian Huang
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Virtual File System in Linux Kernel
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
MacOS memory allocator (libmalloc) ExploitationAngel Boy
The document discusses the memory allocator libmalloc used in MacOS. It details the data structures used to manage tiny chunks of memory less than 1008 bytes, including blocks, chunks, magazines, free lists, bitmaps and regions. The mechanism of allocating, freeing and caching tiny chunks is also described.
Windows 10 Nt Heap Exploitation (English version)Angel Boy
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
A hands-on introduction to the ELF Object file formatrety61
In our 6th semester we developed miASMa - a 2 pass Macro Assembler for an x86 machine. miASMa generates Relocatable Object Files that conforming to the ELF Format.
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
The document discusses using return-oriented programming (ROP) to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It describes using the procedure linkage table (PLT) to leak the address of functions like puts to bypass ASLR. A ROP chain is then constructed to call read to read "/bin/sh" into memory and execute it, achieving arbitrary code execution.
Part II: LLVM Intermediate RepresentationWei-Ren Chen
This document discusses the LLVM intermediate representation (IR) and the lowering process from LLVM IR to machine code. It covers:
1) The characteristics of LLVM IR including SSA form, infinite virtual registers, and phi nodes.
2) How the LLVM IRBuilder class is used to conveniently generate LLVM instructions.
3) The lowering flow from LLVM IR to selection DAGs to machine DAGs to machine instructions and finally machine code.
4) How assembler relaxation can optimize and correct instructions during assembly.
Page cache mechanism in Linux kernel.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
GNU Toolchain is the de facto standard of IT industrial and has been improved by comprehensive open source contributions. In this session, it is expected to cover the mechanism of compiler driver, system interaction (take GNU/Linux for example), linker, C runtime library, and the related dynamic linker. Instead of analyzing the system design, the session is use case driven and illustrated progressively.
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
The document discusses ioremap and mmap functions in Linux for mapping physical addresses into the virtual address space. Ioremap is used when physical addresses are larger than the virtual address space size. It maps physical addresses to virtual addresses that can be accessed by the CPU. Mmap allows a process to map pages of a file into virtual memory. It is useful for reducing memory copies and improving performance of file read/write operations. The document outlines the functions, flags, and flows of ioremap, mmap, and implementing a custom mmap file operation for direct physical memory mapping.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
The document discusses exploiting TrueType font (TTF) vulnerabilities to achieve kernel code execution on Windows systems. It begins by describing the discovery of exploitable bugs in a TTF fuzzer. Despite mitigations like KASLR, NX, SMAP, and CFG, the researchers were able to bypass these protections through techniques like controlled overflows, abusing plain kernel structures, and function-driven attacks. They show how to leverage wild overflows, control kernel memory layout, and hijack control flow to achieve arbitrary code execution. The document emphasizes that OS design weaknesses allow bypassing modern defenses through clever bug chaining and memory manipulation.
Let's trace Linux Lernel with KGDB @ COSCUP 2021Jian-Hong Pan
https://coscup.org/2021/en/session/39M73K
https://www.youtube.com/watch?v=L_Gyvdl_d_k
Engineers have plenty of debug tools for user space programs development, code tracing, debugging and analyzing. Except “printk”, do we have any other debug tools for Linux kernel development? The “KGDB” mentioned in Linux kernel document provides another possibility.
Will share how to experiment with the KGDB in a virtual machine. And, use GDB + OpenOCD + JTAG + Raspberry Pi in the real environment as the demo in this talk.
開發 user space 軟體時,工程師們有方便的 debug 工具進行查找、分析、除錯。但在 Linux kernel 的開發,除了 printk 外,還可以有哪些工具可以使用呢?從 Linux kernel document 可以看到 KGDB 相關的資訊,提供了在 kernel 除錯時的另一個可能性。
本次將分享,從建立最簡單環境的虛擬機機開始,到實際使用 GDB + OpenOCD + JTAG + Raspberry Pi 當作展示範例。
Anatomy of the loadable kernel module (lkm)Adrian Huang
Talk about how Linux kernel invokes your module's init function.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
COSCUP 2020 RISC-V 32 bit linux highmem portingEric Lin
- The document discusses porting HIGHMEM support to 32-bit RISC-V Linux to allow the kernel to access physical memory above 896MB. It involves deciding the memory layout, creating a PKMAP region for temporary mappings, allocating FIXMAP slots for kmap_atomic(), and setting up a page table for the PKMAP region. However, maintaining HIGHMEM comes with performance costs and some upstream developers prefer to avoid it on new architectures if possible.
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...Adrian Huang
This document describes setting up a QEMU virtual machine with Ubuntu 20.04.1 to debug Linux kernel code using gdb. It has a 2-socket CPU configuration with 16GB of memory and disabled KASAN and ASLR. The QEMU VM can be used to run sample code and observe Linux kernel behavior under gdb, such as setting conditional breakpoints to analyze page fault behavior for mmap addresses by referencing a gdb debugging text file.
The embedded Linux boot process involves multiple stages beginning with ROM code that initializes hardware and loads the first stage bootloader, X-Loader. The X-Loader further initializes hardware and loads the second stage bootloader, U-Boot, which performs additional initialization and loads the Linux kernel. The kernel then initializes drivers and mounts the root filesystem to launch userspace processes. Booting can occur from flash memory, an eMMC/SD card, over a network using TFTP/NFS, or locally via UART/USB depending on the boot configuration and available devices.
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
Process Address Space: The way to create virtual address (page table) of userspace application.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
This document provides an overview of the V8 JavaScript engine, including its compiler pipeline and optimization concepts. It discusses how V8 is used in Chrome and Node.js, and describes its compiler pipeline which includes parsing, abstract syntax trees, bytecode generation, and optimized code generation. It also covers V8 optimization concepts like hidden classes and inline caching that allow for fast property access and optimized code execution.
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bugWang Hao Lee
The document provides guidance on finding kernel bugs in iOS through fuzzing techniques. It begins with background on the iOS kernel architecture and known bugs. It then discusses passive fuzzing by hooking IOKit interfaces and active fuzzing by programmatically testing IOKit driver methods. The document demonstrates analyzing two example crashes to understand the bugs through static analysis and reverse engineering techniques when debug is difficult. The conclusion encourages fuzzing to find new bugs and improving kernel code quality.
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
This document summarizes Koan-Sin Tan's presentation on exploring Apple M1 devices using open source tools. Tan has experience using open source software on Unix systems dating back to the 1970s. The presentation covers how the macOS kernel is based on Mach and has some open source components. It also discusses using IOKit on macOS to access sensor data from devices, including temperature readings from an M1 MacBook Pro. Tan provides code examples for retrieving sensor data and details challenges in accessing private APIs and sensor data on iOS devices.
A hands-on introduction to the ELF Object file formatrety61
In our 6th semester we developed miASMa - a 2 pass Macro Assembler for an x86 machine. miASMa generates Relocatable Object Files that conforming to the ELF Format.
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
The document discusses using return-oriented programming (ROP) to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It describes using the procedure linkage table (PLT) to leak the address of functions like puts to bypass ASLR. A ROP chain is then constructed to call read to read "/bin/sh" into memory and execute it, achieving arbitrary code execution.
Part II: LLVM Intermediate RepresentationWei-Ren Chen
This document discusses the LLVM intermediate representation (IR) and the lowering process from LLVM IR to machine code. It covers:
1) The characteristics of LLVM IR including SSA form, infinite virtual registers, and phi nodes.
2) How the LLVM IRBuilder class is used to conveniently generate LLVM instructions.
3) The lowering flow from LLVM IR to selection DAGs to machine DAGs to machine instructions and finally machine code.
4) How assembler relaxation can optimize and correct instructions during assembly.
Page cache mechanism in Linux kernel.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
GNU Toolchain is the de facto standard of IT industrial and has been improved by comprehensive open source contributions. In this session, it is expected to cover the mechanism of compiler driver, system interaction (take GNU/Linux for example), linker, C runtime library, and the related dynamic linker. Instead of analyzing the system design, the session is use case driven and illustrated progressively.
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
The document discusses ioremap and mmap functions in Linux for mapping physical addresses into the virtual address space. Ioremap is used when physical addresses are larger than the virtual address space size. It maps physical addresses to virtual addresses that can be accessed by the CPU. Mmap allows a process to map pages of a file into virtual memory. It is useful for reducing memory copies and improving performance of file read/write operations. The document outlines the functions, flags, and flows of ioremap, mmap, and implementing a custom mmap file operation for direct physical memory mapping.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
The document discusses exploiting TrueType font (TTF) vulnerabilities to achieve kernel code execution on Windows systems. It begins by describing the discovery of exploitable bugs in a TTF fuzzer. Despite mitigations like KASLR, NX, SMAP, and CFG, the researchers were able to bypass these protections through techniques like controlled overflows, abusing plain kernel structures, and function-driven attacks. They show how to leverage wild overflows, control kernel memory layout, and hijack control flow to achieve arbitrary code execution. The document emphasizes that OS design weaknesses allow bypassing modern defenses through clever bug chaining and memory manipulation.
Let's trace Linux Lernel with KGDB @ COSCUP 2021Jian-Hong Pan
https://coscup.org/2021/en/session/39M73K
https://www.youtube.com/watch?v=L_Gyvdl_d_k
Engineers have plenty of debug tools for user space programs development, code tracing, debugging and analyzing. Except “printk”, do we have any other debug tools for Linux kernel development? The “KGDB” mentioned in Linux kernel document provides another possibility.
Will share how to experiment with the KGDB in a virtual machine. And, use GDB + OpenOCD + JTAG + Raspberry Pi in the real environment as the demo in this talk.
開發 user space 軟體時,工程師們有方便的 debug 工具進行查找、分析、除錯。但在 Linux kernel 的開發,除了 printk 外,還可以有哪些工具可以使用呢?從 Linux kernel document 可以看到 KGDB 相關的資訊,提供了在 kernel 除錯時的另一個可能性。
本次將分享,從建立最簡單環境的虛擬機機開始,到實際使用 GDB + OpenOCD + JTAG + Raspberry Pi 當作展示範例。
Anatomy of the loadable kernel module (lkm)Adrian Huang
Talk about how Linux kernel invokes your module's init function.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
COSCUP 2020 RISC-V 32 bit linux highmem portingEric Lin
- The document discusses porting HIGHMEM support to 32-bit RISC-V Linux to allow the kernel to access physical memory above 896MB. It involves deciding the memory layout, creating a PKMAP region for temporary mappings, allocating FIXMAP slots for kmap_atomic(), and setting up a page table for the PKMAP region. However, maintaining HIGHMEM comes with performance costs and some upstream developers prefer to avoid it on new architectures if possible.
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...Adrian Huang
This document describes setting up a QEMU virtual machine with Ubuntu 20.04.1 to debug Linux kernel code using gdb. It has a 2-socket CPU configuration with 16GB of memory and disabled KASAN and ASLR. The QEMU VM can be used to run sample code and observe Linux kernel behavior under gdb, such as setting conditional breakpoints to analyze page fault behavior for mmap addresses by referencing a gdb debugging text file.
The embedded Linux boot process involves multiple stages beginning with ROM code that initializes hardware and loads the first stage bootloader, X-Loader. The X-Loader further initializes hardware and loads the second stage bootloader, U-Boot, which performs additional initialization and loads the Linux kernel. The kernel then initializes drivers and mounts the root filesystem to launch userspace processes. Booting can occur from flash memory, an eMMC/SD card, over a network using TFTP/NFS, or locally via UART/USB depending on the boot configuration and available devices.
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
Process Address Space: The way to create virtual address (page table) of userspace application.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
This document provides an overview of the V8 JavaScript engine, including its compiler pipeline and optimization concepts. It discusses how V8 is used in Chrome and Node.js, and describes its compiler pipeline which includes parsing, abstract syntax trees, bytecode generation, and optimized code generation. It also covers V8 optimization concepts like hidden classes and inline caching that allow for fast property access and optimized code execution.
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bugWang Hao Lee
The document provides guidance on finding kernel bugs in iOS through fuzzing techniques. It begins with background on the iOS kernel architecture and known bugs. It then discusses passive fuzzing by hooking IOKit interfaces and active fuzzing by programmatically testing IOKit driver methods. The document demonstrates analyzing two example crashes to understand the bugs through static analysis and reverse engineering techniques when debug is difficult. The conclusion encourages fuzzing to find new bugs and improving kernel code quality.
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
This document summarizes Koan-Sin Tan's presentation on exploring Apple M1 devices using open source tools. Tan has experience using open source software on Unix systems dating back to the 1970s. The presentation covers how the macOS kernel is based on Mach and has some open source components. It also discusses using IOKit on macOS to access sensor data from devices, including temperature readings from an M1 MacBook Pro. Tan provides code examples for retrieving sensor data and details challenges in accessing private APIs and sensor data on iOS devices.
ISIS (Now OSIRIS) Lab at NYU Tandon school hosts weekly sessions for young hackers. They excelled at developing this talent. This week I gave a talk discussing where vulnerabilities occur, how people handle them as well as a deep dive into various technical aspects of the Application Binary Interface (ABI) for the XNU derived kernels. The deep dive also included covering the loading mechanisms for Mach-O though the kernel and DYLD.
For the second part, I did a walk through which is recorded on youtube (https://www.youtube.com/watch?v=yg9svg9xE8g). It is about how we can use GCC to help you write assembly for your shellcode. It is especially useful for complex logic and for getting you bootstrapped on architectures you might not be familiar with. We use GCC to build up concise code for executing a system call. Just be aware that using GCC for this purpose will usually be enough to buildup ~90% of the work, you'd be responsible to shape it into something that meets all the requirements of your exploit.
At the end, there is a challenge given. It is to build shellcode which downloads and loads a dylib into a process without touch disk. There is a template on github (https://github.com/nologic/shellcc) for downloading and loading from disk.
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
This is NOT the official slides!! Just a paper reading summary presented in our security research group.
Readactor----paper published on S&P(Oakland)2015.
Abstract: Code-reuse attacks such as return-oriented pro- gramming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all solutions proposed so far are either vulnerable to memory disclosure or are impractical for deployment on commodity systems.
In this paper, we address the deficiencies of existing solutions and present the first practical, fine-grained code randomization defense, called Readactor, resilient to both static and dynamic ROP attacks. We distinguish between direct memory disclosure, where the attacker reads code pages, and indirect memory disclosure, where attackers use code pointers on data pages to infer the code layout without reading code pages. Unlike previous work, Readactor resists both types of memory disclosure. Moreover, our technique protects both statically and dynamically generated code. We use a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary. Finally, our extensive evaluation shows that our approach is practical—we protect the entire Google Chromium browser and its V8 JIT compiler—and efficient with an average SPEC CPU2006 performance overhead of only 6.4%.
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
"Though many security mechanisms are deployed in Apple's macOS and iOS systems, some old-fashioned or poor-quality kernel code still leaves the door widely open to attackers. Especially, as kernel's critical components, device drivers are frequently exploited to attack Apple systems. In fact, bug hunting in Apple kernel drivers is not easy since they are mostly closed-source and heavily relying on object-oriented programming. In this talk, we will share our experience of analyzing and attacking Apple kernel drivers. In specific, we will introduce a new tool called Ryuk. Ryuk employs static analysis techniques to discover bugs by itself or assist manual review.
In addition, we further combine static analysis with dynamic fuzzing for bug hunting in Apple drivers. In specific, we will introduce how we integrate Ryuk to the state-of-art Apple driver fuzzer, PassiveFuzzFrameworkOSX, for finding exploitable bugs.
Most importantly, we will illustrate Ryuk's power with several new vulnerabilities that are recently discovered by Ryuk. In specific, we will show how we exploit these vulnerabilities for privilege escalation on macOS 10.13.3 and 10.13.2. We will not only explain why these bugs occur and how we find them, but also demonstrate how we exploit them with innovative kernel exploitation techniques."
The document discusses sniffing Mach messages on iOS and macOS. It provides an overview of the Mach message protocol and how to intercept and parse Mach messages using LLDB scripts. It describes setting breakpoints at functions like bootstrap_look_up and mach_msg, and using Python scripts to extract information from the messages, including the port name and number. Examples are given of intercepting messages from the libsimulatetouch library. The challenge proposed is to port the LLDB scripts to macOS and identify other uses of Mach messages, such as using Frida.
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...PROIDEA
Practical introduction to iOS Application Security Testing. This presentation covers fundamentals of iOS and its security mechanisms, basic life cycle of a penetration test, setting up testing environment, static and dynamic analysis with some real-world examples. Presentation targeted for those interested in security testing of iOS apps.
This document discusses IOKit security on Apple operating systems and introduces two tools: Kitlib and KextHelper. Kitlib is a Python wrapper that provides convenient functions for writing IOKit fuzzers in Python. It uses SWIG and ctypes to interface with IOKit calls with low performance overhead. KextHelper is an IDA plugin that helps analyze OSX kernel extensions (KEXTs). The document also provides background on IOKit security concepts and case studies of past IOKit vulnerabilities found by the author and their company.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianLiang Chen
With the popularity of Apple's system, many OS X kernel vulnerabilities were discovered by fuzzing IOKit. OS X kernel exploitation technology has developed in the past few years, yet recent Apple patches have mitigated most of those technology to avoid generic address leak as well as zone Feng Shui approaches, which, as a result, make harder to exploit OS X kernel vulnerabilities.
In the first part of this talk, we will show several vulnerabilities discovered by KeenTeam whose details have never been published before. Then we conclude about several root causes to Apple IOKit driver's weakness, and how to take advantage of those weakness to find bugs more efficiently.
The second part will cover how to exploit a vulnerability in such case, and how to pave a road from crash to root with the presence of Apple’s new mitigation.
The lecture by Norman Feske for Summer Systems School'12.
Genode Compositions
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
The lecture by Norman Feske for Summer Systems School'12.
Genode Architecture
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
The document discusses the basics of I/O and event-driven I/O models in Linux like blocking I/O, non-blocking I/O, I/O multiplexing using select/poll and their internals. It then introduces epoll as a more efficient alternative to select/poll and describes its user-space API, kernel structures and how it works by adding file descriptors to an epoll instance and waking up blocked processes on I/O events.
Android boot time optimization involves measuring boot times, analyzing the results, and reducing times. Key areas of focus include the bootloader, kernel initialization, zygote class preloading, and system service startup. Hibernation technologies like QuickBoot and Fast-On can improve resume speeds by saving a system image to flash. The "R-Loader" concept aims to minimize hardware re-initialization on resume by directly loading a suspended kernel image.
The document provides an introduction to iOS penetration testing. It discusses the speaker's background in mobile and web penetration testing with a focus on iOS. The agenda outlines that the talk will cover introduction to iOS, Objective-C runtime basics, setting up a testing environment, and fundamentals of application testing with a focus on black-box testing. It will not cover jailbreak development, Swift, white-box testing, or webapp pentesting. The document then delves into various aspects of iOS including the security model, application sandboxing, Objective-C, and the iOS runtime. It also discusses tools and techniques for static analysis, runtime manipulation, bypassing protections, and investigating local storage.
Lab Handson: Power your Creations with Intel Edison!Codemotion
by Francesco Baldassarri - Come along and play with Intel Edison, for the Internet of Things? Learn about the Developer Kit for IoT, chose your preferred environment and test it – or test all the possibilities? We will be providing information and hands on training for developers interested in testing our solutions in C/C++, Javascript, Arduino, Wyliodrin and Python. Just bring you laptop and we will help you to get started. We will also provide information about our Cloud Analytics platform, and test hardware samples with the Grove Starter Kit – Intel IoT Edition. Visit us anytime and start making! What will you make?
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹GangSeok Lee
This document contains information about various techniques for hooking functions in the Windows kernel, including kernel hooks, SSDT hooking, IDT hooking, one-byte hooking, and blind hooking using debug registers. It discusses the motivations, concepts, and demonstrations of each technique. The document also contains information on kernel structures like EPROCESS, ETHREAD, KPCR, TEB, and PEB. It provides code samples and explanations for techniques like modifying the SSDT, hooking interrupts, and using debug registers to dynamically hook functions without directly patching memory or tables.
http://fr.droidcon.com/2014/agenda/
http://fr.droidcon.com/2014/agenda/detail?title=The+Android+Native+Development+Kit
The Android NDK is used to integrate C/C++ code into Android applications and libraries.
Learn how you can use the NDK and NDK-based libraries with Eclipse and Android Studio, and how you can debug and optimize your code.
Discover what changes from the new Android Runtime may break your integration, and how you can target new 64-bit architectures with the upcoming android L-release.
Speaker : Alexander Weggerle, Intel
This document contains the slides from a presentation given by WonoKaerun at the Indonesian Security Conference 2011 in Palembang. The presentation introduces rootkits and techniques for hiding malware at the kernel level on Linux systems. It covers topics like loadable kernel modules, interrupt descriptor table hooking, virtual file system hacking, page fault handler hijacking, debugging register abuse, and kernel instrumentation patching. The goal is to evade detection by security solutions by gaining control of the kernel before anti-rootkit defenses can activate. Throughout, the document emphasizes the cat-and-mouse nature of offensive and defensive security research.
This document summarizes a presentation on vulnerabilities found in Apple's graphics drivers. The researchers discovered race conditions and information leaks in the drivers that could allow bypassing sandbox protections and gaining kernel code execution. Specifically:
1) A race condition was found in the unmapping of graphics memory that could lead to use-after-free and double-free issues. This could be exploited to achieve kernel code execution.
2) Further auditing uncovered that other operations like mapping graphics memory were not properly locked, allowing similar race conditions.
3) An information leak was discovered that revealed details about the kernel address space layout randomization on macOS. This could help bypass protections on the kernel.
The researchers provided details
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Leveraging Generative AI to Drive Nonprofit InnovationTechSoup
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
A Visual Guide to 1 Samuel | A Tale of Two HeartsSteve Thomason
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy is anointed and Saul is envious of him. David shows honor while Saul continues to self destruct.
Chapter wise All Notes of First year Basic Civil Engineering.pptxDenish Jangid
Chapter wise All Notes of First year Basic Civil Engineering
Syllabus
Chapter-1
Introduction to objective, scope and outcome the subject
Chapter 2
Introduction: Scope and Specialization of Civil Engineering, Role of civil Engineer in Society, Impact of infrastructural development on economy of country.
Chapter 3
Surveying: Object Principles & Types of Surveying; Site Plans, Plans & Maps; Scales & Unit of different Measurements.
Linear Measurements: Instruments used. Linear Measurement by Tape, Ranging out Survey Lines and overcoming Obstructions; Measurements on sloping ground; Tape corrections, conventional symbols. Angular Measurements: Instruments used; Introduction to Compass Surveying, Bearings and Longitude & Latitude of a Line, Introduction to total station.
Levelling: Instrument used Object of levelling, Methods of levelling in brief, and Contour maps.
Chapter 4
Buildings: Selection of site for Buildings, Layout of Building Plan, Types of buildings, Plinth area, carpet area, floor space index, Introduction to building byelaws, concept of sun light & ventilation. Components of Buildings & their functions, Basic concept of R.C.C., Introduction to types of foundation
Chapter 5
Transportation: Introduction to Transportation Engineering; Traffic and Road Safety: Types and Characteristics of Various Modes of Transportation; Various Road Traffic Signs, Causes of Accidents and Road Safety Measures.
Chapter 6
Environmental Engineering: Environmental Pollution, Environmental Acts and Regulations, Functional Concepts of Ecology, Basics of Species, Biodiversity, Ecosystem, Hydrological Cycle; Chemical Cycles: Carbon, Nitrogen & Phosphorus; Energy Flow in Ecosystems.
Water Pollution: Water Quality standards, Introduction to Treatment & Disposal of Waste Water. Reuse and Saving of Water, Rain Water Harvesting. Solid Waste Management: Classification of Solid Waste, Collection, Transportation and Disposal of Solid. Recycling of Solid Waste: Energy Recovery, Sanitary Landfill, On-Site Sanitation. Air & Noise Pollution: Primary and Secondary air pollutants, Harmful effects of Air Pollution, Control of Air Pollution. . Noise Pollution Harmful Effects of noise pollution, control of noise pollution, Global warming & Climate Change, Ozone depletion, Greenhouse effect
Text Books:
1. Palancharmy, Basic Civil Engineering, McGraw Hill publishers.
2. Satheesh Gopi, Basic Civil Engineering, Pearson Publishers.
3. Ketki Rangwala Dalal, Essentials of Civil Engineering, Charotar Publishing House.
4. BCP, Surveying volume 1
This presentation was provided by Rebecca Benner, Ph.D., of the American Society of Anesthesiologists, for the second session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session Two: 'Expanding Pathways to Publishing Careers,' was held June 13, 2024.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxEduSkills OECD
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.pptHenry Hollis
The History of NZ 1870-1900.
Making of a Nation.
From the NZ Wars to Liberals,
Richard Seddon, George Grey,
Social Laboratory, New Zealand,
Confiscations, Kotahitanga, Kingitanga, Parliament, Suffrage, Repudiation, Economic Change, Agriculture, Gold Mining, Timber, Flax, Sheep, Dairying,
How to Setup Warehouse & Location in Odoo 17 InventoryCeline George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
3. iOS Kernel Basics
OSX is older that iOS
Guess iOS kernel is developed based on OSX kernel
Learn from OSX kernel
OSX kernel concepts
Early derived from FreeBSD kernel
Named as XNU
Open source
3
5. BSD
Implement File System, Socket and ...
Export POSIX API
Basic interface between kernel and user space
sysent[] - store kernel function address
typedef int32_t sy_call_t(struct proc *, void *, int *);
function call number - /usr/include/sys/syscall.h
5
7. IOKit Objects
OSObject
Root object of all IOKit objects
Overwrite new operator to alloc memory
Declare “init” method to initialize object self
OSMetaClass
Run-time object type check
According to object name
OSDynamicCast
7
8. IOKit Objects
IOService
Define an interface for most kernel
extension
Basic methods - init / start / stop /
attach / detach / probe
ioreg - list all attached IOService
Available in Cydia
8
9. Write IOKit
Service - Inherit from IOService
Overwrite basic methods - init / start / stop / probe
Control - Inherit from IOUserClient
Allow user space control
Modify plist file
At least one IOKitPersonalities
CFBundleIdentifier/IOClass/IOProviderClass/IOMatchCategory/
IOUserClientClass/IOResourceMatch
9
10. Kernelcache
Store all kernel modules (XNU / extensions) into one cache file
iBoot will load the whole kernelcache and jump to entry
An encrypted and packed IMG3 file
/System/Library/Caches/com.apple.kernelcaches/kernelcache
For old devices (A4 devices)
Use xpwntool to decrypt original cache with IV + KEY
A5 devices
No IV + KEY available
10
11. Kernelcache
How to get kernelcache for A5 devices
Dump from kernel memory
task_for_pid(0) & vm_read to dump kernel memory
Read size must less then 0x1000 for once
Find all Mach-O header - test magic 0xFEEDFACE
Determine the whole cache size
Open with IDA - fail
Lack of prelink info
11
12. Kernelcache
Dump each kernel extension
Write a kextstat for iOS
Just call CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef)
from IOKit framework
12
13. Reverse Kernel
Kernelcache is combined with lots of Mach-O files
IDA Pro 6.2 could identify each Mach-O file
Reverse the whole kernel together
Open “Segmentation” view
13
14. Reverse IOKit Extension
IOKit constructor
example
First call
OSObject::new to
allocate memory
Then init IOService
At last init
OSMetaClass
14
15. Debug iOS Kernel
KDP code is included in kernel
KDP via UART
SerialKDPProxy to perform proxy between serial and UDP
Need serial communicate between USB and Dock connector
Make a cable by your own
Using redsn0w to set boot-args
-a “-v debug=0x09”
15
16. Debug iOS Kernel
A5 CPU Devices
No limera1n vulnerability - no way to set boot-arg
Need a kernel exploit to cheat kernel with boot-arg &
debug enable
See “iOS5 An Exploitation Nightmare” from Stefan Esser
for details
16
18. Summary of Known Bugs
iOS kernel attack surface
Socket/Syscalls
ioctl
FileSystem drivers
HFS
iOKit
Device drivers (USB/Baseband etc)
18
19. CVE-2010-2973
CVE-2010-2973 - IOSurfaceRoot integer overflow
Used in the jailbreakme 2 as PE exploit
Can be triggered by mobile user apps (MobileSafari)
Malformed IOSurfaceAllocSize/IOSurfaceBytesPerRow/
IOSurfaceHeight/IOSurfaceWidth values in the plist
Create a Surface object using above plist and return a userland ptr
Calling memcpy to overflow the important kernel structure to
disable the security protection
19
21. CVE-2011-0227
CVE-2011-0227 - IOMobileFrameBuffer Type
Conversion Issue
RootCause happens in the IOMobileFrameBuffer are not
properly to check the object when doing conversion
Suppose to call OSDynamicCast() while doing type
casting/conversion
The user able to control the vtable function pointer to get
code execution
21
23. Summary of Known Bugs
Conclusion
They are both PE vulns because it is happens in the IOKit
drivers framework
Closed source and less people pay attention
Good target for bug hunting!
23
25. Passive Fuzz
Passive Fuzz
First idea coming out is fuzzing
Less work with good results
Write a IOKit client to understand how the IOKit works
Fuzzing parameters for IOConnectCallStructMethod/
IOConnectCallScalarMethod
In the low-level both above APIs are calling to the
IOConnectCallMethod
25
26. Passive Fuzz
Why we need passive fuzzing?
They key point is pay less works because we are lazy to audit
code :P
Just like hook DeviceIoControl on the win32 to hunting kernel
bugs
We are going to hook IOConnectCallMethod to do the passive
fuzzing
26
27. Passive Fuzz
The Preparation
Finding a good hook framework for iOS
MobileSubstrate
http://iphonedevwiki.net/index.php/MobileSubstrate
MSHookFunction/MSHookMessage for C/Object Method
hook
Not much documents but enough to make it work
27
28. Passive Fuzz
TheOS/Tweak
Base the mobilesubstrate but more user-friendly
https://github.com/DHowett/theos
28
29. Passive Fuzz
You can also using interpose (dyld function)
Redirect the functions in the import table
No libmobilesubstrate required.
Inject your dylib via DYLD_INSERT_LIBRARIES to
make your fuzzer running!
29
30. Passive Fuzz
Tips
Struct object could be Data/Plist(XML), So pay some work
here.
Scalar object are integer values only, random enough to find
some interesting stuffs.
Results:
NULL pointer deference/Kernel Use-after-free/handled
panic exception
30
32. Active Fuzz
Weakness of passive fuzz
Only cover small amount of IOKit interfaces
Needs interaction - keep using your iPhone
Not so efficient - waste time
Advantage of active fuzz
Cover most of IOKit interfaces
Automatically and efficient
32
33. Rough Idea
Find all IOKit drivers with IOUserClient
Identify all external methods of the driver
Test all those methods
33
34. External Methods
External methods are used by IOKit to provide function to user-
space application
Application call IOConnectCallMethod to control driver
selector - which method should be called
input / output - Array of uint64_t or struct data
34
35. Kernel Dispatch
IOConnectCallMethod -> IOUserClient:: externalMethod
if dispatch != NULL
Check input and output size & call dispatch->function
else call getTargetAndMethodForIndex
Check type and size & call method->func
35
39. Key Point
Know what to fuzz
Get IOExternalMethodDispatch sMethods[]
Get IOExternalMethod methodTemplate[]
39
40. How
For the IOKit drivers without source code
Reverse the KernelCache with symbol problem resolved
IOKit structure you should know
IOExternalMethodDispatch & IOExternalMethod
Filter the IOKit keywords in the IDA name window
sMethods etc.
Will list all the IOKit drivers interface
40
44. Work Todo
Need some IDA Python works here
Add IOKit struct information in the idb file
(IOExternalMethodDispatch & IOExternalMethod)
Find the dispatch table range and mark it to the correct
struct.
44
46. Correct Input
Flags defines
I = input O = output
For example, type 3 means:
Struct input & output
We must pass the correct input/output type and count,
otherwise the request will be rejected
Start coding your own actively fuzzer!
46
47. Extra
You can also add the vtable information if you like to audit code
Before
After
47
49. Are There Bugs?
Definitely YES
Crashes could be easily generated by our fuzzer
Actually kernel code of iOS is not as good as you imagine
However analyzing crash is a hard job
No code or symbols for most IOKit drivers
Kernel debug is kinda of crap
Any exploitable bug?
This is a QUESTION
49
50. IOKit Bug Analysis
Simplify crash code
Code is generated by fuzzer - there are many IOConnectCallMethod calls
Simplify the code could help you a lot when doing static analysis
Look at panic log
fault_type & register values
Static analysis
Understand the bug and trigger path
Debug
Write exploit
50
53. Bug Sample I
Where did it crash
Try to read data at R1(=0) cause the panic
R1 is the second parameter of this function
It is mostly like a NULL ptr reference bug :(
We shall dig deeper anyway
53
54. Bug Sample I
Locate sMethod array
First to find AppleVXD375UserClient::externalMethod, which
should overwrite IOUserClient’s method
IOUserClient has symbols, see vtable for it
externalMethod pointer offset in vtable
54
55. Bug Sample I
Locate sMethod array
Search IOUserClient::registerNotificationPort address in “const”
segment
Find externalMethod pointer in vtable for AppleVXD375UserClient
AppleVXD375UserClient::externalMethod
Get IOExternalMethodDispatch struct from sMethod array
Call IOUserClient::externalMethod to dispatch it
55
57. Bug Sample I
selector = 1 dispatch struct in sMethod
function address = 0x80457534
checkStructureInputSize = 0x4
checkStructureOutputSize = 0x108
Remember the trigger code?
57
58. Bug Sample I
The whole call path
externalMethod -> sub_ 80457534 -> sub_ 804577EC ->
sub_8045779C -> sub_80456768 -> sub_80455C34 -> panic
sub_ 804577EC call OSObject::release first
This method should be used to destroy AppleVXD375UserClient itself
sub_8045779C should be responsible for freeing memory
R1(=0) maybe some class or struct address stored in
AppleVXD375UserClient object
58
59. Bug Sample I
Understand this bug
We manually try to destroy AppleVXD375UserClient
When in procedure, it will manipulate some object without
checking if it is already created
Lacks of basic check code like
if (obj->ptr != NULL)
We are not able to control PC register
59
62. Bug Sample II
Where did it crash
We got useless PC and no call stack
But luckily we had LR - store return address
Looks like calling method of certain object
R4 - object pointer
R0 - vtable
62
64. Bug Sample II
Crash code analysis
Input
R0 - IOAccelUserClient *self
R1 - int index
IOAccel *service = self + 0x78
OSObject *array[] = service + 0x10
Call array[index]->method = NULL
64
65. Bug Sample II
Weird
Why the object’s method pointer is NULL
Guess
Mistake it as a different object without checking
Todo
Figure out what’s at 0x10 offset
65
66. Bug Sample II
Locate external methods
This time it overwrite getTargetAndMethodForIndex
66
68. Bug Sample II
Where is selector 6 function ?
Check reference to IOAccelUserClient::vtable
It has a child object - IOIMGSGXUserClient
Easy to find getTargetAndMethodForIndex again
68
71. Bug Sample II
Object is created, check vtable 0x8090E5B8
0x8090E5B8+0x3C = 0x8090E5F4
71
72. Bug Sample II
Here is the story
selector 6 function call sub_80907A4C to create an object
and put it in object array at 0x10 offset
selector 3 function get object pointer from the array and call
its method without checking its class type
Actually the child has its own create/destroy method. If the
child create an object and make father to destroy it, PANIC !
Apple should call more OSMetaClassBase::safeMetaCast :P
72
74. Conclusion
Apple should audit iOS kernel code, especially code
of IOKit extensions
Since debug is quite hard, static analysis according to
panic log is very helpful
Fuzz your own iOS kernel bug !
74