Completed
Indirect userland DMA
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
iOS Jailbreak Internals - Userland Read-Only Memory Can Be Dangerous
Automatically move to the next video in the Classroom when playback concludes
- 1 Intro
- 2 Userland read-only memory mappings
- 3 Userland memory sharing in ios
- 4 Breaking the trust boundary
- 5 DMA overview
- 6 IOMMU(input/output memory management unit) and DART
- 7 Host-to-device DMA and device-to-host DMA
- 8 Long distance remote attack?
- 9 Indirect userland DMA
- 10 IOSurface and IOSurfaceAccelerator
- 11 Low level implementation of IOSurfaceAccelerator
- 12 IOSurfaceAccelerator TransferSurface Internals
- 13 Map IOSurface buffer via DMA
- 14 Obtain the IOSurface address in IOSpace
- 15 Start the scaler
- 16 IOMMU memory protection
- 17 Apple Graphics workflow
- 18 GPU notification architecture
- 19 Stamp address array
- 20 IOAccelEvent object
- 21 1. The DMA mapping vulnerability
- 22 2. The out-of-bound write vulnerability
- 23 Exploitability
- 24 Craft memory layout
- 25 Feasibility of memory layouting
- 26 Arbitrary read and write?
- 27 First attempt to exploit
- 28 KASLR bypass
- 29 Code execution
- 30 Overall exploit workflow
- 31 Post exploitation
- 32 Conclusion