Explore the intricacies of iOS jailbreaking and security vulnerabilities in this Black Hat conference talk. Delve into the potential dangers of userland read-only memory mappings in modern operating systems. Examine how these mappings, intended to prevent common security attacks, can be exploited. Learn about userland memory sharing in iOS, DMA (Direct Memory Access) concepts, and the role of IOMMU (Input/Output Memory Management Unit) in system security. Investigate the IOSurface and IOSurfaceAccelerator components, their low-level implementations, and how they can be leveraged for attacks. Discover vulnerabilities in DMA mapping and out-of-bound write operations, and understand their exploitability. Follow the speaker's journey through KASLR bypass, code execution, and overall exploit workflow. Gain insights into post-exploitation techniques and draw valuable conclusions about iOS security.
iOS Jailbreak Internals - Userland Read-Only Memory Can Be Dangerous
Overview
Syllabus
Intro
Userland read-only memory mappings
Userland memory sharing in ios
Breaking the trust boundary
DMA overview
IOMMU(input/output memory management unit) and DART
Host-to-device DMA and device-to-host DMA
Long distance remote attack?
Indirect userland DMA
IOSurface and IOSurfaceAccelerator
Low level implementation of IOSurfaceAccelerator
IOSurfaceAccelerator TransferSurface Internals
Map IOSurface buffer via DMA
Obtain the IOSurface address in IOSpace
Start the scaler
IOMMU memory protection
Apple Graphics workflow
GPU notification architecture
Stamp address array
IOAccelEvent object
1. The DMA mapping vulnerability
2. The out-of-bound write vulnerability
Exploitability
Craft memory layout
Feasibility of memory layouting
Arbitrary read and write?
First attempt to exploit
KASLR bypass
Code execution
Overall exploit workflow
Post exploitation
Conclusion
Taught by
Black Hat
