Overview
Syllabus
Intro
Gatekeeper macOS Catalina
User Data Protections: Data that requires user consent to access
Two Critical Challenges
Unrestricted Direct Memory Access
Direct Memory Access with VT-d
DMA Protection for Thunderbolt
DMA Protection for PCIe Bus 0
PCIe Option ROMs
OROM Sandbox
EFI Exploit Mitigations
Mac Secure Boot Summary
Software Enforced Code Integrity Before iOS 9
Kernel Integrity Protection v0
Lessons Learned
Kernel Integrity Protection v1: Read-Only Data
Kernel Integrity Protection v2
Fast Permission Restrictions (APRR) iPhone X
Pre-APRR VM Permissions
APRR: JavaScriptCore Execution Threads
APRR: JavaScriptCore JIT Compiler Thread
Protecting Userland Integrity
Page Protection Layer (PPL) iPhone XS
Page Protection Layer Summary
Pointer Authentication
Helping users find lost devices, even when offline
Security and Privacy Goals: Protect owners, finders, and devices
Introduced in 2016
Making It Easier to Get Started with iOS Research
iOS Security Research Device program
Apple Security Bounty Summary
Taught by
Black Hat