Star 0


The more you know about your enemy, then the more probability you have of defeating him – But how? Ever since iOS 10, Apple has released the unpacked/decrypted kernel cache (*.ipsw files) but the system source code, specifically the kernel and driver parts are kept closed. Further more, symbol info in the binaries (kernel cache) have also been removed which brings more difficulty for reverse engineering.
To us a challenge means a chance. As is true in security research, the more attack interfaces you expose and the newer your implementations the more likely you could hunt some 0days. The are always existing interfaces and implementation code changes (e.g. more selectors exposed in driver services via IOUserClient) in every iOS/MacOS system update or new hardware iteration. This talk will cover the typical workflow and thinking needed in order to explore and analyze new kernel attack interfaces. Using our workflow, we have found dozens of kernel and driver 0days and will introduce you to the steps we took to hunt them down. Some of the bugs we will cover include:
CVE-2018-4462 – An Integer overflow vulnerability which can leak kernel information found in AMDFramebuffer driver
NULL PAGE Reference Issue found in IntelAccelerator
Overflow Issue due to No Boundary Check in IOUSBFamliy extension
OOB read issue found in AMDRadeonX4000_AMDAccelResource class
Divide Zero issue found in IOAccelCommandQueue class
In addition, we will open source the relative toolchain to explore the attack interfaces and also release a kernel vulnerability hunting system based on enhanced passive fuzzing.