iOS Jailbreak Internals - Userland Read-Only Memory Can Be Dangerous

Black Hat via YouTube

Exploitability

23 of 32

Classroom Contents

  1. Intro
  2. Userland read-only memory mappings
  3. Userland memory sharing in iOS
  4. Breaking the trust boundary
  5. DMA overview
  6. IOMMU (input/output memory management unit) and DART
  7. Host-to-device DMA and device-to-host DMA
  8. Long distance remote attack?
  9. Indirect userland DMA
  10. IOSurface and IOSurfaceAccelerator
  11. Low level implementation of IOSurfaceAccelerator
  12. IOSurfaceAccelerator TransferSurface internals
  13. Map IOSurface buffer via DMA
  14. Obtain the IOSurface address in IOSpace
  15. Start the scaler
  16. IOMMU memory protection
  17. Apple Graphics workflow
  18. GPU notification architecture
  19. Stamp address array
  20. IOAccelEvent object
  21. 1. The DMA mapping vulnerability
  22. 2. The out-of-bound write vulnerability
  23. Exploitability
  24. Craft memory layout
  25. Feasibility of memory layouting
  26. Arbitrary read and write?
  27. First attempt to exploit
  28. KASLR bypass
  29. Code execution
  30. Overall exploit workflow
  31. Post exploitation
  32. Conclusion