Abstract

With the introduction of Pointer Authentication Code (PAC) in A12, exploitation became much harder. CFI made forging a valid function pointer, a C++ virtual table, the return address stored on the stack, etc., an almost impossible task for the attacker. Yet this task is essential in order to achieve arbitrary memory read/write or code execution. In this talk, we will describe how PAC is implemented in iOS 12, including key initialization (IA Key, IB Key, DA Key, DB Key, and G Key) and typical use cases for protecting different pointers in both user-land and the kernel. We then discuss several possible ways to attack PAC, illustrated by our tests. Since new mitigations are always introduced on the AP (Application Processor) side of iOS, for example with the new A12 CPU, it is tempting for an attacker to shift focus to other areas. One of those areas is the cellular baseband. The baseband on the new iDevices is now provided by Intel, and it is full of surprises. In particular, it does not have the same level of mitigations as the AP, making it attractive as a first RCE target. In this talk we will describe this "new" iDevice baseband, both in general and in detail, and ways of attacking it.