NSPredicate Exploitation on macOS and iOS - Understanding Security Vulnerabilities and Bypasses

Explore a technical security presentation from DEF CON 31 that delves into NSPredicate exploitation techniques on Apple's macOS and iOS platforms. Learn about the groundbreaking FORCEDENTRY sandbox escape from 2021 and discover how researchers found ways to bypass Apple's subsequent security restrictions in iOS 16. Gain insights into the complete NSPredicate syntax, understanding how it interfaces with Objective-C runtime and enables C function calls. Master the techniques for circumventing PAC (Pointer Authentication Code) using NSPredicates to achieve reliable code execution with arbitrary arguments. Get hands-on experience with a new tool designed for crafting complex NSPredicates and injecting them into applications. Examine real-world exploitation scenarios, including code execution in the Preferences app and bypassing NSPredicateVisitor implementations to access sensitive system processes. Watch live demonstrations of SpringBoard exploitation for accessing user notifications and location data. Conclude with practical knowledge about current NSPredicate capabilities, including App Store Review bypasses, and essential security considerations for app developers.