Overview
Syllabus
Intro
Userland read-only memory mappings
Userland memory sharing in ios
Breaking the trust boundary
DMA overview
IOMMU(input/output memory management unit) and DART
Host-to-device DMA and device-to-host DMA
Long distance remote attack?
Indirect userland DMA
IOSurface and IOSurfaceAccelerator
Low level implementation of IOSurfaceAccelerator
IOSurfaceAccelerator TransferSurface Internals
Map IOSurface buffer via DMA
Obtain the IOSurface address in IOSpace
Start the scaler
IOMMU memory protection
Apple Graphics workflow
GPU notification architecture
Stamp address array
IOAccelEvent object
1. The DMA mapping vulnerability
2. The out-of-bound write vulnerability
Exploitability
Craft memory layout
Feasibility of memory layouting
Arbitrary read and write?
First attempt to exploit
KASLR bypass
Code execution
Overall exploit workflow
Post exploitation
Conclusion
Taught by
Black Hat