Eternal War in XNU Kernel Objects

Black Hat via YouTube

Overview

Explore a systematic assessment of Apple's recent mitigation strategies and their vulnerabilities in this Black Hat conference talk. Delve into the concept of ipc_port Kernel Object-Oriented Programming (PKOOP) and its potential for bypassing defenses through corrupting unsafe kernel objects. Examine realistic attack scenarios that can achieve full control of the latest XNU version. Learn about Apple devices, jailbreaking, and various mitigation techniques such as DEP/KASLR and Freelist Randomization. Investigate new targets like the Mach port in user space and struct ipc_port in kernel space. Discover general-purpose primitives for Host and VM, as well as querying, memory interoperation, and arbitrary code execution primitives. Study practical case studies, including Yalu Exp and iOS 11 Kernel Task Mitigation. Gain insights into enterprise computer security, XNU Kernel Object Protector, and inline hooking. Evaluate the findings and discuss their implications for kernel security.

Syllabus

Intro
Apple Devices & Jailbreaking
Mitigation - DEP/KASLR
Mitigation - Freelist Randomization
Mitigation - Wrong Zone Free Protection
New Target - Mach Port in User Space
New Target - struct ipc_port in Kernel Space
(Mach) Port-oriented Programming (POP)
MIG in Kernel Cache
General Purpose Primitives for Host
General Purpose Primitives for VM
Querying Primitives
Memory Interoperation Primitives
Arbitrary Code Execution Primitives
Practical Case Study: Yalu Exp
iOS 11 Kernel Task Mitigation
Mitigation bypass in Async_wake Exp
Enterprise Computer Security
XNU Kernel Object Protector
Inline Hooking
Examiners
Evaluation
Discussion
Conclusion
Reference

Taught by

Black Hat
