[34c3 preroll music]

Herald Angel: And now I want to introduce our first speaker and the topic he's talking about: iOS kernel exploitation archaeology. A kernel exploit from late 2013, early 2014 will be dug out and analyzed, proper archaeology. All the digging... digging and analysis is done by argp, here to my left on the stage. Give him a big round of applause. And the stage is yours, thanks.

[Applause]

argp: Thanks for the introduction. First of all, thank you all for being here. As the person that did the introduction told you, this is going to be an archaeology talk, so I apologize in advance if it's not that interesting for you. So we'll talk about a bit older stuff rather than new things. Okay, so a few things about myself. Actually, I think from all these things, the most important are the Phrack papers, right? So, yeah. Let's ignore all the other stuff, okay? So, what I'm going to talk about. I'm going to talk about the evasi0n7 kernel exploit.

Now evasi0n7 was a jailbreak; it was released by the evad3rs on the 22nd of December 2013. It supported iOS 7 to iOS 7.1 beta 3. That's not the 7.1 stable release, right? So that's a beta. And this supported all devices at that time including the iPhone 5s, which was the first 64-bit device, except the Apple TV. So, I decided to reverse engineer the kernel exploit of the jailbreak, focused just on that. Because I was really interested, not so much in the bug itself, which was, as we will see, not very complicated. But I was really interested to understand the exploitation techniques that the evad3rs used. So, I started reversing it, and understanding it, and at some point I just said I'm just gonna do a reimplementation of the kernel exploit. So, this talk is basically my notes on this whole process. And, of course, it's not a jailbreak walkthrough, right? And I'm going to specifically focus on the various problems I encountered during this task and how I overcame them. And hopefully it's going to give you some helpful takeaways for if you do iOS kernel research nowadays.

Okay, so, the general outline is: I'm going to say a few things about evasi0n7 to set up the stage. And then I'm going to explain the kernel bug itself. And then I'm going to talk at length about my debugging setup. And I think that's a very important step that usually phone or embedded exploitation talks don't analyze that much, and I think it's a really important part. Because usually having a working debugging setup is basically maybe half the job of doing a reliable exploit. Then I'm going to talk about my reimplementation of the exploit, and hopefully, at the end, we're gonna have some things to take away, or maybe not. We will see. Okay, so the evasi0n7 jailbreak was released about 4 years ago. And that's the archaeology in the title. That's ancient history, right? And if you were following the jailbreak community, you might remember this huge drama around this jailbreak, initially with geohot and if he was planning or not to release it before the evad3rs. And who he was planning to sell it to, and some leaked discussion that he had with some of those offering money to buy it.

And geohot, his jailbreak was supposedly using some of the bugs the evad3rs were using, so this was a huge drama. And then after the evasi0n7 jailbreak was released, like maybe a few hours ago, people realized that if your phone had a Chinese locale then the jailbreak was installing a piracy app. So, that was basically a third-party app that was taking you to an app store not operated by Apple but by TaiG that had some pirated versions of the real applications on the App Store. And, of course, that also created like a huge drama, this practice. Okay, so a lot of things were said about the jailbreak at that time and about the TaiG pirate App Store. But what really set apart for me was this tweet. And the really important thing that I like about this tweet is that it doesn't really make sense. So he says that we have to decide to remotely disable the default installation of TaiG in China for further investigations of the piracy. So that whole thing doesn't make sense. So you mean, you didn't know what was happening? You didn't bundle it with the jailbreak?

Are you going to disable it for new installations? And then, what does remotely mean exactly? So what about the people that already had the app, the piracy app. How are you going to disable that? Is that what remotely refers to? So that's an excellent tweet, I think. Okay, so at some point after the evasi0n7 jailbreak was released geohot did a writeup on the userland part of it. So, he analyzed how the userland part worked and he stopped at the point of gaining root, and basically he mentioned in his writeup that the evasi0n7 untethered binary, which was basically what was doing the kernel exploit, was obfuscated. And as we will see this was indeed the case, and as far as I know that's the first jailbreak that used deliberate obfuscation.

I don't know the reason. I assume it's partly to hide the piracy app store that was bundled with it and maybe partly to hide the bug, the kernel bug, but I'm not sure about the reason. Now p0sixninja, who found, as far as I know, the bug, the kernel bug, did a writeup on the kernel bug. It's on the iPhone wiki, and he basically describes the bug and he stops at the point where he gets a crash log from gdb. So he doesn't say anything about how to exploit it. Okay, so after all these things happened, then I decided to reverse engineer the untethered binary and understand the exploitation techniques. And I was really interested to reverse engineer the obfuscation that the evad3rs were using, it seemed like an interesting challenge, and... but as I also mentioned earlier, I was really interested to understand the exploitation techniques that they were using; that was more important for me at that time.

And, okay, so the jailbreak was released December 2013 and I started doing that around February 2014, and I did that while having an actual day job, right, so I was spending at most two days per week on that. So what was my setup? I had an iPhone 4, and if you know about iPhone 4s, they have a boot ROM bug called limera1n which basically allows you to load arbitrary kernels, unsigned kernels, on the device and run them, and that basically means that you can very easily set up kernel debugging. So initially I had an iPhone 4 device with iOS 7.0.6. I want to remind you that iPhone 4 is ARM32, right. I also had an iPhone 5s with the same version of iOS, and I had that in order to verify all my findings and all my tests on... to redo my tests on an ARM64 device, and as I told you, the iPhone 5s at that time was the only ARM64 device. Actually, I think on the market, I don't think there was another consumer device with ARM64 at that time. So that's the exact version of evasi0n7 I was analyzing, and of course IDA, gdb, lldb.

Now the lols in this slide, they don't actually refer to something funny, they actually mean something very painful that caused a lot of sleepless nights, but I'll get onto that. Okay, a few things about the obfuscation. So, not all the functions of the entire binary were obfuscated, but some of the important ones were, and those were the ones that were triggering the bug and they were actually doing heap manipulation and all the other important things. Now I have been told, I haven't checked that, but I have been told that later versions removed the obfuscation, but I'm not sure about that, I haven't verified it, and I already had my implementation done at that point so I wasn't that interested to look at that. So as I mentioned, the kernel bug that the evasi0n7 untethered binary was based on was found by p0sixninja, and basically, as far as he says on that iPhone wiki page, he used that six line bash script fuzzer to find it. So as you can see he basically creates device nodes with controlled arguments here, like minor and major numbers.

Now in order to get to the point to create device nodes you basically need to be outside of the application sandbox that exists on iOS and you also need root privileges, and that's what I refer to as the userland part of the evasi0n7 binary, and I'm not going to cover that at all. So I'm gonna start my analysis from the point on that we have escaped the sandbox, we have obtained root, and now we go to exploit the kernel bug. Now that's code from that version of the XNU kernel that had the bug. Now this ptsd_open function is called every time userland code opens a /dev/ptmx device, and then this ptmx_get_ioctl function is called. Now the important thing here is that dev here is completely user controlled, and then it's passed to this ptmx_get_ioctl function with no checks at all, right, and then this ptmx_get_ioctl function uses this to index an array without any checks. So basically the bug is an invalid indexing bug, right, so since we can control that, you can put here whatever.

I have here the ptmx_ioctl struct. Okay, this array here... so this state struct here is global to the kernel, and this pis_ioctl_list array here is on the kernel heap, and it is an array of ptmx_ioctl structs, and that's the ptmx_ioctl struct, and the important thing here, that I'm going to refer to again and again during the talk, is that it has a pointer to a tty struct as the first element of the structure. Okay, so we control the index to the array, so what can we do with that? So here as you can see, the ptmx_get_ioctl function returns whatever it indexes, right.

So, as you can see here, it assigns this pti variable and then does all kinds of interesting things, so pti is controllable, tp is controllable here as well after this dereference here to some controllable value, and, I mean, in other code parts of the kernel this is called again, and so there are a lot of things to consider when you know the bug and then you try to think how to exploit it. Okay, one important thing here that I wanted to mention is that this function here, ptmx_get_ioctl, also does the allocation of this struct here, of this tty struct here, and that's important because I'm going to use it further on. Okay, another important thing is that, basically, what this bug allows you to do is you can control the size of this array here. So by, can you see that? Okay, so by repeatedly opening the ptmx device you can grow this array, and you can grow it as you see here by this grow vector that's 16, but it doesn't matter. What matters is that the size of this array in bytes is controllable by you, the person who is trying to exploit this bug.

Now, for example, these are notes from my exploit, so if I did one allocation, if I did one open of this ptmx device, then this array was going into kalloc_64. If I was doing 17 it was going to kalloc_128, if I was doing 33 opens here it was going to kalloc_192, and so on and so forth. So I could decide in which kalloc zone I could place the array. If you don't know kalloc zones, they are basically, you can think of them as containers, you can think of kalloc zones as containers for heap objects on the kernel heap. All of them can be of different type, but all of them are of the same size, right, so kalloc_64 can have different structures of size 64 bytes, but all of them are of size 64 bytes. Okay, so I started debugging the untethered binary in userland, that's how I started. So initially I was using gdb, and I found out that nothing worked with gdb. It was at that point Apple was starting to move from gdb to lldb, so I don't... maybe that was the reason, gdb wasn't tested at all.

So when I say nothing worked, I mean that I was placing breakpoints and they weren't hitting, and I was trying like stepping and it was continuing execution, and stuff like that. Sometimes I couldn't even attach to the binary. So then I moved to lldb, an lldb setup with debugserver, and things were much better. Now, while I was experimenting, still just with userland debugging, my iPhone 4 device went into a recovery loop and I wasn't able to get out of it, so I was forced to do a clean restore of the device. The problem was that at that time only iOS 7.1 was signed by Apple, so I couldn't install a version of iOS with the kernel that had the bug that I was interested to look at, but on the other hand I couldn't not restore my device, because that was the only device I had at that point I could do kernel debugging with. So I updated my device to 7.1.

As I just told you, 7.1 didn't have a kernel vulnerable to this bug, so what I wanted to do was basically to boot an iOS 7.1 device with a 7.0.6 kernel, and in order to do that I could use the limera1n bug that allowed me to boot arbitrary kernels, and the utility to do that was redsn0w, right. The problem was that redsn0w only supported up to iOS 6 and it didn't have support for iOS 7, so I left all the other things I was doing and I started reversing redsn0w to understand how it worked. Redsn0w, if you don't know it, was back then and still is closed source, right, so I started reversing that to understand how it worked in order for me to hot patch it, to binary patch it to add support for iOS 7, and I spent like, I don't know, maybe a month on that, and then I realized that it wasn't leading me anywhere. I couldn't understand a lot of things about how redsn0w was implemented, so I stopped doing that, and at that point I found opensn0w, which was an effort by winocm to implement redsn0w as open source. So, it seemed to have support for iOS 7 and that was good. I tested that and it was working.

Now my problem was that I couldn't have an arbitrary length of boot-args. Boot-args are the arguments that you pass to the kernel when it boots, and they are really important in iOS because by passing certain boot-args to the kernel you can disable sign checks, you can enable kernel debugging, so it's really important to be able to pass arbitrary length boot-args. And iOS 7.1 was using an absurd 9 characters, so that was the reason opensn0w couldn't support more. So what I ended up doing was I patched iBEC, which is basically the loader of the kernel, right, that passes boot-args to the kernel when it boots, and basically I changed the pointer to the boot-args to some other place that had much more space. So at that point I was able to pass arbitrary-length boot-args to my kernel. So where were we at last? So I had an iPhone 4 device with iOS 7.1 and I was using opensn0w to boot the 7.0.6 kernel that had the bug that I was interested to exploit.

Now, one side note here is that as I was doing that, and I was trying to add to opensn0w all the patches to the kernel to enable kernel debugging, I was reversing the evasi0n7 binary as well. Now, the evasi0n7 binary was trying also to... after it exploited the kernel it was patching it to enable kernel debugging, but, so I was just copying their patches, right, and adding them to opensn0w, but I realized at some point that they missed some check for the debug-enabled variable and KDP wasn't really working, so the session was established and it seemed like it was working, but if you tried to actually use the kernel, the KDP, the kernel debugging setup, to do actual, like to attach a debugger to the kernel and do whatever, like place a breakpoint or step, then KDP just froze. So I added another part that was required on that.

Ok, so kernel debugging at last, but that's not really what happened, because, you know, breakpoints didn't always work, so you were placing a breakpoint and it wasn't hitting when execution was reaching there, and you were trying to step instructions and the execution just continued, so you were stepping one instruction and it was just like you would type in continue, and if you were taking too long to type an lldb command then KDP froze and then you had to restart your device, re-establish the kernel debugging session and start from zero. And if you issued commands too fast then KDP froze again, so you had to reboot again. It was amazing, it was a great time. And now, I did similar stuff with iOS 6 and I distinctly remember that was much easier and kernel debugging worked much better. And... I mean the issue that comes to everyone's mind that does that is: do Apple engineers really use KDP for debugging the iOS kernel or do they use something else?

Okay, so now I could debug the evasi0n7 untethered binary both from the userland side and from the kernel side, and that was good because I was analyzing at run time and at the same time I was reversing it in IDA, so the obfuscation... I could do it much faster since I was taking hints from runtime. So I... at that point things started moving fast and I quickly found that it was abusing the data by structure to obtain read/write access to physical memory. I mean that was interesting to me, but I was expecting something else. I was expecting something like what they did in the evasi0n6 jailbreak, that they did like a lot of heap manipulation, and that's my interest actually, heap exploitation. So at that point I decided to stop reversing it and reimplement the exploit the way that I wanted to do it.

So obviously that wasn't work from scratch, it was from everything that I understood up to that point, and what I really wanted to use was the vm_map_copy structures technique by Dowd and Mandt, and I'm going to explain in the following slides how it works. Okay, so at that point I had a clear understanding of the bug, what it was, and I had the general idea about how to exploit it, and I mean if you've done that you know then it takes a lot of pen and paper, like ideas you develop on paper, then you go test them and they don't work, and then you design them again and then again and you fail and you despair, and then you suddenly have an idea and you spend like, I don't know, like two nights staying up until 5:00 in the morning testing things and they don't work, and then you despair again, and ad nauseam. But eventually you get somewhere, so let's talk about exploitation now. Now, a few things to refresh your memory about the bug. So as I said it was an invalid indexing bug. This pis_ioctl_list array was on the heap and I could control in which kalloc zone it can go. I can grow it, but once I grow it I cannot shrink it back.

Now, that's code from that ptmx_get_ioctl function, so what... basically what it does is it allocates a new ptmx_ioctl structure and then it uses the index that you provide... that you control to store the address in the array. Now, this allocation here... this struct here goes into kalloc.88 and that's useful for the next parts. Okay, a few things about the technique I wanted to use... about the exploitation technique I wanted to use. So it's the vm_map_copy technique, it was proposed by Dowd and Mandt, and basically they were spraying the heap with these structs here, the vm_map_copy structs, and assuming you have like some way to corrupt this struct that you've sprayed on the heap, if you can overwrite this kdata element here, then basically what you have is a leak of kernel memory, either adjacent, like next to the kdata, whatever is below or above the kdata pointer, or arbitrary if you put whatever address you want in there.

By overwriting the kalloc_size element here and then freeing the struct on the heap, you put it on a wrong zone, and basically when you allocate it back, since you put it on a different size zone, you can have a heap overflow. So that's a general overview of this technique. So you corrupt this struct and you get exploitation primitives. Okay, so what was the idea I had at that point? The idea was to use this pis_ioctl_list index bug to corrupt this kdata pointer here and to have arbitrarily... Sorry, to have a relative leak of kernel heap memory, and that would be my first step towards exploiting the bug. Of course the end goal is to have arbitrary read/write, right, and of course it was just a fuzzy idea at that point, and you know that's always the goal, but when you study the bug and you see the different code paths and how the things you affect are used, then you have some maybe not completely concrete things in your mind, but you know that interesting things can happen, so that's what I had at that point. Okay, so let's talk about the exploitation strategies now.
So at stage one I sprayed Dialogue: 0,0:27:23.87,0:27:31.40,Default,,0000,0000,0000,,the kernel heap with vm_map_copy structs\Nand I decided to work on the kalloc.256 Dialogue: 0,0:27:31.40,0:27:36.28,Default,,0000,0000,0000,,zone, and the reason for that was\Ncompletely arbitrary... was because of all Dialogue: 0,0:27:36.28,0:27:40.59,Default,,0000,0000,0000,,the kernel debugging I have done up to\Nthis point of this entire binary I saw Dialogue: 0,0:27:40.59,0:27:45.86,Default,,0000,0000,0000,,that this kalloc zone was not really used\Nthat much, either by the kernel or by Dialogue: 0,0:27:45.86,0:27:51.97,Default,,0000,0000,0000,,whatever the exploit was doing. So...\Nthat's good because it means that you Dialogue: 0,0:27:51.97,0:27:55.95,Default,,0000,0000,0000,,can... you as an exploiter can have much\Nbetter control over the kernel heap if Dialogue: 0,0:27:55.95,0:28:04.70,Default,,0000,0000,0000,,there aren't other things placing\Nallocations on the zone you work. So I Dialogue: 0,0:28:04.70,0:28:12.61,Default,,0000,0000,0000,,decided to use the kalloc.256 zone and I\Navoided of course kalloc.384 because the Dialogue: 0,0:28:12.61,0:28:20.56,Default,,0000,0000,0000,,tty structs were going there and that\Nwould really mess up my heap arrangements. Dialogue: 0,0:28:20.56,0:28:30.29,Default,,0000,0000,0000,,So the first... let me actually... ok. So\Nwhat I wanted to do was to do this. Dialogue: 0,0:28:30.29,0:28:37.25,Default,,0000,0000,0000,,So initially you spray the heap with\Nvm_map_copy structs and you control both Dialogue: 0,0:28:37.25,0:28:41.82,Default,,0000,0000,0000,,their size and their contents, the content\Ndon't matter at this point. So it... just Dialogue: 0,0:28:41.82,0:28:48.42,Default,,0000,0000,0000,,the size matters. 
So I spray with 256\Nbytes vm_map_copy structs and then I free Dialogue: 0,0:28:48.42,0:28:53.13,Default,,0000,0000,0000,,every other second one and I create this\Nkind of pattern like a vm_map_copy and a Dialogue: 0,0:28:53.13,0:28:59.21,Default,,0000,0000,0000,,free slot and a vm_map_copy and a free\Nslot and then I grow the pis_ioctl_list Dialogue: 0,0:28:59.21,0:29:08.62,Default,,0000,0000,0000,,array to 256 bytes and then it goes into\None of these free slots here. Now, the Dialogue: 0,0:29:08.62,0:29:14.99,Default,,0000,0000,0000,,code for doing that looks something like\Nthat, so what this basically does it Dialogue: 0,0:29:14.99,0:29:24.51,Default,,0000,0000,0000,,sends... it creates this... so if you see\Nhere the out of line mach messages as Dialogue: 0,0:29:24.51,0:29:31.57,Default,,0000,0000,0000,,basically these vm_map_copy structs and...\NTheir size is 256, their buffer doesn't Dialogue: 0,0:29:31.57,0:29:37.95,Default,,0000,0000,0000,,matter at this point and you just send\Nthem like machs and methods. And then Dialogue: 0,0:29:37.95,0:29:42.99,Default,,0000,0000,0000,,after you've sprayed with them then you\Nfree every second one here... with this Dialogue: 0,0:29:42.99,0:29:51.78,Default,,0000,0000,0000,,loop here. So in order to make this free\Nslot you just receive this mach out of Dialogue: 0,0:29:51.78,0:29:58.03,Default,,0000,0000,0000,,line messages that correspond to the\Nvm_map_copy structs. And after you've Dialogue: 0,0:29:58.03,0:30:04.52,Default,,0000,0000,0000,,created the holes you basically grow the\Narray to 256 bytes. How do you do that? As Dialogue: 0,0:30:04.52,0:30:12.01,Default,,0000,0000,0000,,I mentioned earlier you open the dev ptmx\Ndevice a number of times. How many times Dialogue: 0,0:30:12.01,0:30:18.43,Default,,0000,0000,0000,,doesn't matter, like a specific number of\Ntimes that I mentioned earlier, that I Dialogue: 0,0:30:18.43,0:30:26.37,Default,,0000,0000,0000,,have noticed grows it 256 bytes. 
So that's\Nthe arrangement you have at that first Dialogue: 0,0:30:26.37,0:30:35.52,Default,,0000,0000,0000,,stage. Okay, so the second stage is done\Non the kalloc.88 zone. So I spray again Dialogue: 0,0:30:35.52,0:30:41.64,Default,,0000,0000,0000,,with vm_map_copy structs and this\Ntime I make them 88 bytes to go to Dialogue: 0,0:30:41.64,0:30:50.57,Default,,0000,0000,0000,,the kalloc.88 zone and then I create again\Nholes. And then I trigger the bug with an Dialogue: 0,0:30:50.57,0:30:56.25,Default,,0000,0000,0000,,invalid index value and remember that when\Nyou trigger the bug a ptmx_ioctl struct is Dialogue: 0,0:30:56.25,0:31:01.61,Default,,0000,0000,0000,,allocated and this goes to kalloc.88. But\Nbecause on kalloc.88 I have created this Dialogue: 0,0:31:01.61,0:31:06.84,Default,,0000,0000,0000,,pattern of used, free, used, free it goes\Ninto one of the free slots. So now I have Dialogue: 0,0:31:06.84,0:31:13.62,Default,,0000,0000,0000,,a ptmx_ioctl struct in one of my free\Nslots. I don't know where that is but I Dialogue: 0,0:31:13.62,0:31:23.09,Default,,0000,0000,0000,,know that it falls into the pattern,\Nright, so I trigger the bug and remember Dialogue: 0,0:31:23.09,0:31:29.20,Default,,0000,0000,0000,,that basically you control this index,\Nright, so since I control the index I Dialogue: 0,0:31:29.20,0:31:35.27,Default,,0000,0000,0000,,point it to the vm_map... to the kdata\Nelement of the vm_map_copy struct that I Dialogue: 0,0:31:35.27,0:31:39.81,Default,,0000,0000,0000,,know is below the free slot that the array\Nwent into. I don't know the address, Dialogue: 0,0:31:39.81,0:31:46.95,Default,,0000,0000,0000,,right, I can't put like an address there,\Nbut I can... I know the relatives... the Dialogue: 0,0:31:46.95,0:31:52.33,Default,,0000,0000,0000,,relative distance in bytes because I\Ncreated the pattern... the heap pattern. Dialogue: 0,0:31:52.33,0:31:58.29,Default,,0000,0000,0000,,So let's go to... okay. So it looks like\Nthat. 
So that's my first stage, right, Dialogue: 0,0:31:58.29,0:32:02.59,Default,,0000,0000,0000,,free, vm_map_copy, ... and this is the\Nsame pattern on the kalloc.88 zone. Dialogue: 0,0:32:02.59,0:32:08.00,Default,,0000,0000,0000,,When you trigger the bug, this ptmx_ioctl\Nstructure is allocated. It goes into one Dialogue: 0,0:32:08.00,0:32:16.59,Default,,0000,0000,0000,,of the free slots, right, and then the bug\Nitself, which is what we see here is... Dialogue: 0,0:32:16.59,0:32:21.34,Default,,0000,0000,0000,,remember you control the index, so this is\Nthe new allocation that went here, and Dialogue: 0,0:32:21.34,0:32:27.21,Default,,0000,0000,0000,,then it goes and stores the address where\Nthe index tells it to store it. But Dialogue: 0,0:32:27.21,0:32:31.50,Default,,0000,0000,0000,,remember that this is controlled, we\Ncontrol that, so what I do I point this Dialogue: 0,0:32:31.50,0:32:36.81,Default,,0000,0000,0000,,here relatively to the neighboring\Nvm_map_copy struct at the kdata field, Dialogue: 0,0:32:36.81,0:32:42.46,Default,,0000,0000,0000,,right. So in this kdata field here of the\Nvm_map_copy struct I have now this Dialogue: 0,0:32:42.46,0:32:52.74,Default,,0000,0000,0000,,address, right. So that's how the heap\Nlooks like. I have here the code, it's Dialogue: 0,0:32:52.74,0:33:00.66,Default,,0000,0000,0000,,very similar to the first stage that you\Nspray with vm_map_copy structs of size 88, Dialogue: 0,0:33:00.66,0:33:05.92,Default,,0000,0000,0000,,machs and methods, right, and then you\Nreceive every second one, you create the Dialogue: 0,0:33:05.92,0:33:15.91,Default,,0000,0000,0000,,holes on the 88 zone and then you trigger\Nthe bug here, right. This invalid pis Dialogue: 0,0:33:15.91,0:33:29.61,Default,,0000,0000,0000,,index number here is basically what points\Nrelatively here, right. So I have now the Dialogue: 0,0:33:29.61,0:33:37.18,Default,,0000,0000,0000,,address of this ptmx_ioctl struct which is\Nan address on the kalloc.88 zone. 
I have Dialogue: 0,0:33:37.18,0:33:42.67,Default,,0000,0000,0000,,it on the kdata field of this vm_map_copy\Nstruct here. So what I do... I can simply Dialogue: 0,0:33:42.67,0:33:51.35,Default,,0000,0000,0000,,receive these methods and in its content I\Ncan see the address of that slot on the Dialogue: 0,0:33:51.35,0:34:00.54,Default,,0000,0000,0000,,kalloc.88 zone. So that's the code to do\Nthat, I simply receive all the messages Dialogue: 0,0:34:00.54,0:34:12.08,Default,,0000,0000,0000,,and that's my address. Okay, so at this\Npoint I only... what I only have is this Dialogue: 0,0:34:12.08,0:34:21.50,Default,,0000,0000,0000,,address here, right? I have the address of\Nthis heap slot. So, at that point I Dialogue: 0,0:34:21.50,0:34:28.70,Default,,0000,0000,0000,,started looking at other code paths that\Nthis invalid index... what other Dialogue: 0,0:34:28.70,0:34:34.60,Default,,0000,0000,0000,,variables this invalid index was\Ninfluencing and I found the code path that Dialogue: 0,0:34:34.60,0:34:40.27,Default,,0000,0000,0000,,was actually giving... was giving me a\Nwrite and... But in order to reach that I Dialogue: 0,0:34:40.27,0:34:45.57,Default,,0000,0000,0000,,needed to survive several dereferences,\Nand what I only knew was just the Dialogue: 0,0:34:45.57,0:34:50.79,Default,,0000,0000,0000,,kalloc.88 address, right? Nothing else. So\NI will now walk you through everything Dialogue: 0,0:34:50.79,0:35:00.71,Default,,0000,0000,0000,,that gave me this write. So I clean up the\Nkalloc.256 zone and I spray it again with Dialogue: 0,0:35:00.71,0:35:06.38,Default,,0000,0000,0000,,vm_map_copy structs and create holes\Nexactly like the previous step... Dialogue: 0,0:35:06.38,0:35:15.07,Default,,0000,0000,0000,,the first stage. Again, next to the\Npis_ioctl_list array I have a vm_map_copy Dialogue: 0,0:35:15.07,0:35:23.11,Default,,0000,0000,0000,,struct, but at this time I... 
in all the\Nthe vm_map_copy structs I put a payload of Dialogue: 0,0:35:23.11,0:35:29.89,Default,,0000,0000,0000,,the... of this fake ptmx_ioctl address I\Nhave. And remember that the first element Dialogue: 0,0:35:29.89,0:35:40.25,Default,,0000,0000,0000,,of the ptmx_ioctl struct is a pointer to\Ntty struct and I can use the leaked Dialogue: 0,0:35:40.25,0:35:44.86,Default,,0000,0000,0000,,address I have for this pointer that I\Ndon't know... I didn't know where to point Dialogue: 0,0:35:44.86,0:35:52.88,Default,,0000,0000,0000,,it to. So, the next step was to clean up\Nthe kalloc.88 zone and spray it again, and Dialogue: 0,0:35:52.88,0:35:58.65,Default,,0000,0000,0000,,again I sprayed with vm_map_copy structs,\Nbut at this time at their payload I can Dialogue: 0,0:35:58.65,0:36:07.23,Default,,0000,0000,0000,,put now the fake tty struct that the\Nptmx_ioctl struct is pointing to. The Dialogue: 0,0:36:07.23,0:36:15.78,Default,,0000,0000,0000,,problem at that point was that the tty\Nstruct with 256 bytes and kalloc.88 has... Dialogue: 0,0:36:15.78,0:36:22.48,Default,,0000,0000,0000,,the slots are only 88 bytes, so I couldn't\Njust with the elements of the... just with Dialogue: 0,0:36:22.48,0:36:29.31,Default,,0000,0000,0000,,the first 88 byte elements, I couldn't get\Nto the path that was giving the write, so Dialogue: 0,0:36:29.31,0:36:44.73,Default,,0000,0000,0000,,I needed to find some other way to host my\Nfake tty struct. So remember that I Dialogue: 0,0:36:44.73,0:36:50.73,Default,,0000,0000,0000,,couldn't work on any other kalloc zone or\Nanywhere else because what I only knew was Dialogue: 0,0:36:50.73,0:36:59.21,Default,,0000,0000,0000,,the address of that kalloc.88 zone, I had\Nnothing else to build on. So at that point Dialogue: 0,0:36:59.21,0:37:07.07,Default,,0000,0000,0000,,I started doing a much more complicated\Nheap arrangement. So instead of spraying Dialogue: 0,0:37:07.07,0:37:15.83,Default,,0000,0000,0000,,just one thing I was spraying... 
I was\Ntrying to create a pattern of two Dialogue: 0,0:37:15.83,0:37:20.48,Default,,0000,0000,0000,,controlled things. Now, I couldn't use \Nvm_map_copy structs for both these slots Dialogue: 0,0:37:20.48,0:37:24.93,Default,,0000,0000,0000,,because the vm_map_copy structs has\Na header, right? So it would mess up my Dialogue: 0,0:37:24.93,0:37:34.39,Default,,0000,0000,0000,,fake tty struct. So by reading i0n1c's\Nkernel heap exploitation slides, I Dialogue: 0,0:37:34.39,0:37:40.83,Default,,0000,0000,0000,,realized that I could spray the heap with\NXML properties of length 88 from that Dialogue: 0,0:37:40.83,0:37:48.41,Default,,0000,0000,0000,,AppleJPEGDriver and I could place as a\Nsecond controlled object after the Dialogue: 0,0:37:48.41,0:37:53.13,Default,,0000,0000,0000,,vm_map_copy struct these XML properties\Nwhich are completely controlled in Dialogue: 0,0:37:53.13,0:37:58.19,Default,,0000,0000,0000,,content, and I could host the second part\Nof the tty struct there. I mean, it's Dialogue: 0,0:37:58.19,0:38:06.19,Default,,0000,0000,0000,,still not 256 bytes, but what it gives me\Nis the ability to survive all dereferences Dialogue: 0,0:38:06.19,0:38:14.43,Default,,0000,0000,0000,,to reach the write that I was interested\Nin. Okay. So, a few things about the Dialogue: 0,0:38:14.43,0:38:20.08,Default,,0000,0000,0000,,tty struct. So that's what I got... I\Nwanted to create on the kalloc.88 zone, Dialogue: 0,0:38:20.08,0:38:28.05,Default,,0000,0000,0000,,right, so that's the tty struct that the\Nptmx_ioctl struct is pointing to. Now, Dialogue: 0,0:38:28.05,0:38:38.23,Default,,0000,0000,0000,,what basically I wanted to do here is I\Nwanted to point... the final thing was Dialogue: 0,0:38:38.23,0:38:45.61,Default,,0000,0000,0000,,to use this clist struct to control this\Nelement here, c_cs, as a start of the ring Dialogue: 0,0:38:45.61,0:38:50.61,Default,,0000,0000,0000,,buffer for the tty, to give me an\Narbitrary write... 
Sorry, to give me a Dialogue: 0,0:38:50.61,0:38:56.50,Default,,0000,0000,0000,,controlled write. I started playing a bit\Nwith to use it to do arbitrary write, but Dialogue: 0,0:38:56.50,0:39:04.34,Default,,0000,0000,0000,,I found that I wasn't able to do it\Nbecause at later stage some other parts of Dialogue: 0,0:39:04.34,0:39:09.96,Default,,0000,0000,0000,,the tty struct were needed that I wasn't\Nable to control, so I only had two Dialogue: 0,0:39:09.96,0:39:17.50,Default,,0000,0000,0000,,88-slots to host my fake tty struct. So\Nthat wasn't stable. So I was only Dialogue: 0,0:39:17.50,0:39:25.66,Default,,0000,0000,0000,,using that to do a relative write. So\Nwe'll see the code later on, let's go to Dialogue: 0,0:39:25.66,0:39:32.43,Default,,0000,0000,0000,,the heap layout. So that's the third\Nstage. Again, remember I sprayed the Dialogue: 0,0:39:32.43,0:39:38.94,Default,,0000,0000,0000,,kalloc.256 zone with vm_map_copy structs/\Nfrees, just place my pis_ioctl_list array Dialogue: 0,0:39:38.94,0:39:43.15,Default,,0000,0000,0000,,next to vm_map_copy struct. Remember that\NI control the contents of vm_map_copy, Dialogue: 0,0:39:43.15,0:39:52.27,Default,,0000,0000,0000,,right, so I placed in the buffer of\Nvm_map_copy this ptmx_ioctl address that I Dialogue: 0,0:39:52.27,0:39:59.65,Default,,0000,0000,0000,,know and I point the invalid index that I\Ncontrol to this ptmx_ioctl... this address Dialogue: 0,0:39:59.65,0:40:03.83,Default,,0000,0000,0000,,that I put here. And what is this address?\NIt's that leaked address that I got in the Dialogue: 0,0:40:03.83,0:40:11.55,Default,,0000,0000,0000,,previous stage which points to the \Nkalloc.88 zone. And what's the arrangement Dialogue: 0,0:40:11.55,0:40:16.78,Default,,0000,0000,0000,,of that kalloc.88 zone? It's as I told you a\Nvm_map_copy followed by an XML properties. Dialogue: 0,0:40:16.78,0:40:21.17,Default,,0000,0000,0000,,vm_map_copy, XML properties... And all\Nthis hosts this fake tty struct, right? 
Dialogue: 0,0:40:21.17,0:40:28.16,Default,,0000,0000,0000,,All these are the same, I just explained\Nhere how it looks like. So this points to Dialogue: 0,0:40:28.16,0:40:35.09,Default,,0000,0000,0000,,the kdata element here and the rest of\Nit holds the rest of the... all this is Dialogue: 0,0:40:35.09,0:40:39.66,Default,,0000,0000,0000,,basically the fake tty struct, like the\Nbuffer of the vm_map_copy and then Dialogue: 0,0:40:39.66,0:40:47.37,Default,,0000,0000,0000,,following the XML contents of this heap\Nallocation. And where do I... this c_cs Dialogue: 0,0:40:47.37,0:40:53.04,Default,,0000,0000,0000,,pointer that I told you that I wanted to\Ncontrol, where do I point it? I point it Dialogue: 0,0:40:53.04,0:40:56.57,Default,,0000,0000,0000,,relatively again, I don't know any\Naddresses but I can put it relatively Dialogue: 0,0:40:56.57,0:41:02.42,Default,,0000,0000,0000,,since I know the... since I created this\Nheap arrangement, I can put it relatively Dialogue: 0,0:41:02.42,0:41:07.38,Default,,0000,0000,0000,,to the size of the kalloc size of the\Nneighboring vm_map_copy struct. And why do Dialogue: 0,0:41:07.38,0:41:13.72,Default,,0000,0000,0000,,I need this? Because I want to use the\Nvm_map_copy technique by Mandt and Dowd Dialogue: 0,0:41:13.72,0:41:20.06,Default,,0000,0000,0000,,that I mentioned earlier, so that's the\Nend goal. So what's the code looks like? Dialogue: 0,0:41:20.06,0:41:25.91,Default,,0000,0000,0000,,Okay, that's the spray of 256, we've seen\Nthat a lot of times, then we have the Dialogue: 0,0:41:25.91,0:41:34.00,Default,,0000,0000,0000,,freeze... wait, no, that's not the freeze.\NSo that's the allocations of the 256... Dialogue: 0,0:41:34.00,0:41:37.86,Default,,0000,0000,0000,,that's... yeah, I don't have the freeze\Nhere because they don't matter, because we Dialogue: 0,0:41:37.86,0:41:42.88,Default,,0000,0000,0000,,have seen them before. 
So what I have here\Nis the spray of the kalloc.88 zone and the Dialogue: 0,0:41:42.88,0:41:46.72,Default,,0000,0000,0000,,important thing here is that... what I\Nwanted to show you that is that at every Dialogue: 0,0:41:46.72,0:41:53.51,Default,,0000,0000,0000,,step I took two allocations. One is the\Nvm_map_copy struct here with the machs and Dialogue: 0,0:41:53.51,0:42:00.84,Default,,0000,0000,0000,,methods, and the second part is the XML\Nproperties, which are sprayed on the heap Dialogue: 0,0:42:00.84,0:42:09.92,Default,,0000,0000,0000,,when you open the device driver, the\NAppleJPEGDriver. And what are the contents Dialogue: 0,0:42:09.92,0:42:15.59,Default,,0000,0000,0000,,of that XML properties? They're basically\Nthat fake... the second part of the fake Dialogue: 0,0:42:15.59,0:42:20.28,Default,,0000,0000,0000,,tty struct that you have the controlled\Nc_cs pointer that will give me the Dialogue: 0,0:42:20.28,0:42:27.44,Default,,0000,0000,0000,,relative write. So if you see here, I have\Nthis function setup_fake_tty that Dialogue: 0,0:42:27.44,0:42:33.23,Default,,0000,0000,0000,,basically creates the structs so I don't\Nhave to type all the time, and we are at Dialogue: 0,0:42:33.23,0:42:37.74,Default,,0000,0000,0000,,second stage here, and basically what you\Ncan see here is the creation of the Dialogue: 0,0:42:37.74,0:42:41.77,Default,,0000,0000,0000,,fake tty struct, right? So that's the\Ndifferent elements of the fake tty as we Dialogue: 0,0:42:41.77,0:42:47.69,Default,,0000,0000,0000,,saw it from the code. And that's the write\Noffset I wanted to... that I pointed to Dialogue: 0,0:42:47.69,0:42:54.05,Default,,0000,0000,0000,,the kdata field of the neighboring\Nvm_map_copy struct. So, again, that's how Dialogue: 0,0:42:54.05,0:43:02.36,Default,,0000,0000,0000,,it looks like in the heap. Okay, so after\Nthat, after we have arranged the... 
we Dialogue: 0,0:43:02.36,0:43:08.78,Default,,0000,0000,0000,,have arranged it this way, we trigger\Nagain the invalid index array bug, but at Dialogue: 0,0:43:08.78,0:43:13.92,Default,,0000,0000,0000,,this time on the slave ptmx device. I was\Nonly doing that on a master ptmx device, Dialogue: 0,0:43:13.92,0:43:18.07,Default,,0000,0000,0000,,but in order to reach that write code path\Nthat I mentioned, you need to get on a Dialogue: 0,0:43:18.07,0:43:24.08,Default,,0000,0000,0000,,slave ptmx device. So that's what happens\Nhere. And then you simply write to the Dialogue: 0,0:43:24.08,0:43:29.83,Default,,0000,0000,0000,,corresponding descriptor and it just\Ndereferences this c_cs that you controlled Dialogue: 0,0:43:29.83,0:43:33.86,Default,,0000,0000,0000,,and your end... and it writes with\Nwhatever you want to write. And what do I Dialogue: 0,0:43:33.86,0:43:39.01,Default,,0000,0000,0000,,want to write? I want to write a new size\Nfor the vm_map_copy struct... for the Dialogue: 0,0:43:39.01,0:43:42.84,Default,,0000,0000,0000,,kalloc size field of the vm... of the\Nneighboring vm_map_copy struct, so I can Dialogue: 0,0:43:42.84,0:43:52.73,Default,,0000,0000,0000,,use the Dowd and Mandt technique. So,\Nputting everything together. So at that Dialogue: 0,0:43:52.73,0:43:57.41,Default,,0000,0000,0000,,point I have a controlled corruption of a\Nvm_map_copy struct and I can use the Dialogue: 0,0:43:57.41,0:44:04.00,Default,,0000,0000,0000,,primitives to get arbitrary... an\Narbitrary leak, so I can leak for example Dialogue: 0,0:44:04.00,0:44:10.23,Default,,0000,0000,0000,,the KASLR slide and I can do a heap\Noverflow. Again these are how you can use Dialogue: 0,0:44:10.23,0:44:18.58,Default,,0000,0000,0000,,the primitives that Mandt and Dowd gave\Nus. Now I also know my location on the Dialogue: 0,0:44:18.58,0:44:24.61,Default,,0000,0000,0000,,kernel heap, and remember that... that's\Nbasically... we found that on the stage... 
Dialogue: 0,0:44:24.61,0:44:29.38,Default,,0000,0000,0000,,on the first... on the first of stages and\Nwe only... we use only that, like where Dialogue: 0,0:44:29.38,0:44:36.58,Default,,0000,0000,0000,,that ptmx_ioctl struct was stored on the\Nkernel heap, that's the only thing we Dialogue: 0,0:44:36.58,0:44:41.77,Default,,0000,0000,0000,,knew, that address, in order to\Nsuccessively build on it, in order to Dialogue: 0,0:44:41.77,0:44:47.20,Default,,0000,0000,0000,,reach like a much more useful primitive.\NAnd the important... the interesting thing Dialogue: 0,0:44:47.20,0:44:50.69,Default,,0000,0000,0000,,here is that everything up to this point\Nis data only, right? So you haven't Dialogue: 0,0:44:50.69,0:44:55.09,Default,,0000,0000,0000,,injected any code, you haven't done\Nanything at all that you could be caught Dialogue: 0,0:44:55.09,0:45:00.85,Default,,0000,0000,0000,,somehow by a kernel self-protection\Nmechanism or these kind of things, Dialogue: 0,0:45:00.85,0:45:10.31,Default,,0000,0000,0000,,everything's data only. So once you reach\Nthat point, how do you get PC control? So Dialogue: 0,0:45:10.31,0:45:18.40,Default,,0000,0000,0000,,since you can use Dowd's and and Mandt's\Ntechnique, you can basically do a heap Dialogue: 0,0:45:18.40,0:45:23.48,Default,,0000,0000,0000,,overflow, so you can again do a heap\Narrangement, you can place IOKit objects Dialogue: 0,0:45:23.48,0:45:31.00,Default,,0000,0000,0000,,next to vm_map_copy structs where you can\Noverflow from, and you can corrupt IOKit Dialogue: 0,0:45:31.00,0:45:36.84,Default,,0000,0000,0000,,objects and from there you can have...\Nalso you can do an arbitrary write... Dialogue: 0,0:45:36.84,0:45:43.47,Default,,0000,0000,0000,,read/write, so you can... 
by the arbitrary\Nread you can read the vtables of the IOKit Dialogue: 0,0:45:43.47,0:45:48.65,Default,,0000,0000,0000,,objects so you know the KASLR slide\Nand you can corrupt it in order to get PC Dialogue: 0,0:45:48.65,0:45:55.50,Default,,0000,0000,0000,,control. Of course getting to a whole\Njailbreak from that point is out of the Dialogue: 0,0:45:55.50,0:46:01.03,Default,,0000,0000,0000,,scope of this talk, and... but is not that\Nhard actually from that point on. And Dialogue: 0,0:46:01.03,0:46:09.55,Default,,0000,0000,0000,,okay, so after doing all that how close\Nwas that exploit to the evasi0n... to the Dialogue: 0,0:46:09.55,0:46:15.66,Default,,0000,0000,0000,,real evasi0n7 kernel exploiter? I'd say it\Nwas pretty far off, but I mean it wasn't Dialogue: 0,0:46:15.66,0:46:22.04,Default,,0000,0000,0000,,my point to recreate it like completely,\Nbut it was my point to play with the heap Dialogue: 0,0:46:22.04,0:46:29.26,Default,,0000,0000,0000,,and to try to do complex heap arrangements\Nand to see how much I understand the iOS Dialogue: 0,0:46:29.26,0:46:36.73,Default,,0000,0000,0000,,kernel heap, that was the point of this\Nwhole exercise for me. Okay, so some Dialogue: 0,0:46:36.73,0:46:44.29,Default,,0000,0000,0000,,lessons learned. So the real surprising\Nthing for me at that point was that I Dialogue: 0,0:46:44.29,0:46:52.76,Default,,0000,0000,0000,,couldn't believe that Apple does kernel\Ndebugging by KDB. It was very flaky, it Dialogue: 0,0:46:52.76,0:46:57.63,Default,,0000,0000,0000,,was very unstable as I told you. If you\Ntype commands too fast it froze, if you Dialogue: 0,0:46:57.63,0:47:03.43,Default,,0000,0000,0000,,type commands very slowly it had like a\Ngo-stop timer and froze, I think. Dialogue: 0,0:47:03.43,0:47:08.28,Default,,0000,0000,0000,,there was a claim of something like that\Nand it's unbeliev... 
I couldn't believe Dialogue: 0,0:47:08.28,0:47:14.67,Default,,0000,0000,0000,,that the Apple engineers were using this\Ninterface to do kernel debugging. So it Dialogue: 0,0:47:14.67,0:47:23.73,Default,,0000,0000,0000,,was really hard to do anything on the\Nkernel side of iDevices. But of course I Dialogue: 0,0:47:23.73,0:47:27.28,Default,,0000,0000,0000,,don't really mean that you shouldn't mess\Nwith these things, right? I mean, these Dialogue: 0,0:47:27.28,0:47:31.94,Default,,0000,0000,0000,,devices are really interesting and it's\Nreally becoming harder to hack them, but I Dialogue: 0,0:47:31.94,0:47:37.07,Default,,0000,0000,0000,,think it's much more fun and I think the\Nonly takeaway may be that you shouldn't Dialogue: 0,0:47:37.07,0:47:41.31,Default,,0000,0000,0000,,report bugs to Apple at all and if you\Nneed street cred you should just report Dialogue: 0,0:47:41.31,0:47:48.06,Default,,0000,0000,0000,,white elephant bugs now. I mean that's\Nalways good. And I mean this very... this Dialogue: 0,0:47:48.06,0:47:52.22,Default,,0000,0000,0000,,is getting very esoteric, right, there is\Nnot a lot of information and Apple keeps Dialogue: 0,0:47:52.22,0:47:55.69,Default,,0000,0000,0000,,changing stuff and everything is closed\Nsource, I mean, all the important parts Dialogue: 0,0:47:55.69,0:48:01.11,Default,,0000,0000,0000,,are closed source... and I mean, I really\Nthink people that work on these things Dialogue: 0,0:48:01.11,0:48:08.24,Default,,0000,0000,0000,,should share notes as much as possible.\NOkay, so these are some of the people I Dialogue: 0,0:48:08.24,0:48:15.19,Default,,0000,0000,0000,,was talking to while doing all this and I\Nwant to mention them, and basically that's Dialogue: 0,0:48:15.19,0:48:21.57,Default,,0000,0000,0000,,all of the material I have and I'm open to\Nany questions you might have. Dialogue: 0,0:48:21.57,0:48:32.85,Default,,0000,0000,0000,,{\i1}applause{\i0}\NHerald: Thank you, argp, for the talk. 
So Dialogue: 0,0:48:32.85,0:48:42.83,Default,,0000,0000,0000,,we have prepared microphones 1, 2, 3 and 4\Nin the room and we have a Signal Angel, I Dialogue: 0,0:48:42.83,0:48:50.87,Default,,0000,0000,0000,,think. You... when you have questions, you\Ncan give me a hand sign, but I Dialogue: 0,0:48:50.87,0:48:58.05,Default,,0000,0000,0000,,think we start with microphone 2 here in\Nthe front. And please ask questions and no Dialogue: 0,0:48:58.05,0:49:01.51,Default,,0000,0000,0000,,comments, there's time after the talk.\NOkay, go ahead. Dialogue: 0,0:49:01.51,0:49:03.83,Default,,0000,0000,0000,,Q: Thanks for the awesome talk.\Nargp: Thanks. Dialogue: 0,0:49:03.83,0:49:11.96,Default,,0000,0000,0000,,Q: I have a question about heap spraying.\NWas your heap spraying really stable? If Dialogue: 0,0:49:11.96,0:49:17.08,Default,,0000,0000,0000,,it is not successful, did it crash the\Ndevice? Dialogue: 0,0:49:17.08,0:49:21.85,Default,,0000,0000,0000,,argp: Yeah. So I haven't mentioned it\Nhere, but it was pretty stable I think. Dialogue: 0,0:49:21.85,0:49:25.13,Default,,0000,0000,0000,,It was something like... because I did a\Nlot of tests for that because it was Dialogue: 0,0:49:25.13,0:49:31.48,Default,,0000,0000,0000,,really interesting for me to know. It was\Nmaybe something like 90%, so 9 out of 10 Dialogue: 0,0:49:31.48,0:49:35.14,Default,,0000,0000,0000,,times it worked, but if it didn't work -\Nyeah, then... yes it crashed the kernel Dialogue: 0,0:49:35.14,0:49:40.25,Default,,0000,0000,0000,,and crashed the device, yeah.\NQ: And did you try to return heap into Dialogue: 0,0:49:40.25,0:49:44.99,Default,,0000,0000,0000,,some kind of initial state to start your\Nexploit from scratch? Dialogue: 0,0:49:44.99,0:49:50.23,Default,,0000,0000,0000,,argp: Yeah, that's true I haven't included\Nthat, but you're right. 
So the initial Dialogue: 0,0:49:50.23,0:49:56.86,Default,,0000,0000,0000,,step on every spray that I mentioned here\Nwas to spray a lot of objects of the Dialogue: 0,0:49:56.86,0:50:01.74,Default,,0000,0000,0000,,specific size you were targeting in order\Nto get basically a new page of the kalloc Dialogue: 0,0:50:01.74,0:50:07.12,Default,,0000,0000,0000,,zone, right? So you... so even if as I\Ntold you the kalloc 256 zone wasn't Dialogue: 0,0:50:07.12,0:50:11.22,Default,,0000,0000,0000,,that busy, it's still... there were still\Nallocations going on it, right? So if you Dialogue: 0,0:50:11.22,0:50:16.39,Default,,0000,0000,0000,,did a lot of initial spraying, you were\Nmaking sure that when you're... the Dialogue: 0,0:50:16.39,0:50:21.69,Default,,0000,0000,0000,,allocations that mattered to you we're\Nmade, were on a new page that weren't... Dialogue: 0,0:50:21.69,0:50:24.11,Default,,0000,0000,0000,,wasn't too much noise from other\Nallocations from the kernel. So yeah, Dialogue: 0,0:50:24.11,0:50:26.93,Default,,0000,0000,0000,,you're right I haven't included that, but\Nyeah, that happened. Dialogue: 0,0:50:26.93,0:50:29.90,Default,,0000,0000,0000,,Q: Thanks, great.\Nargp: Thanks. Dialogue: 0,0:50:29.90,0:50:36.20,Default,,0000,0000,0000,,Herald: Then microphone 1, please.\NQ: Also thank you for your awesome talk Dialogue: 0,0:50:36.20,0:50:37.71,Default,,0000,0000,0000,,again.\Nargp: Thanks. Dialogue: 0,0:50:37.71,0:50:43.61,Default,,0000,0000,0000,,Q: My question was nowadays it's way\Nharder to use vm_copy I think Apple truly Dialogue: 0,0:50:43.61,0:50:49.48,Default,,0000,0000,0000,,deprecated it, it's not possible anymore\Nthat due to security. Do you see hope in Dialogue: 0,0:50:49.48,0:50:54.56,Default,,0000,0000,0000,,reconstructing some function that does the\Nsame or is it totally dead now? Dialogue: 0,0:50:54.56,0:50:57.78,Default,,0000,0000,0000,,argp: Oh, you mean the vm_map_copy\Ntechnique? 
Dialogue: 0,0:50:57.78,0:51:00.74,Default,,0000,0000,0000,,Q: Yes.\Nargp: No, I think it's completely dead Dialogue: 0,0:51:00.74,0:51:03.94,Default,,0000,0000,0000,,now.\NQ: All right. And I recently saw on the Dialogue: 0,0:51:03.94,0:51:10.31,Default,,0000,0000,0000,,iOS logs vulnerabilities that again a\Nvulnerability in AppleJPEGDriver was Dialogue: 0,0:51:10.31,0:51:15.06,Default,,0000,0000,0000,,found. Do you think... have you looked\Ninto it or... Dialogue: 0,0:51:15.06,0:51:20.05,Default,,0000,0000,0000,,argp: Well, Apple... the AppleJPEGDriver\Nis one of the 4, I think, IOkit drivers Dialogue: 0,0:51:20.05,0:51:25.82,Default,,0000,0000,0000,,that you can reach from the container\Nsandbox, right? So that means it's very Dialogue: 0,0:51:25.82,0:51:31.26,Default,,0000,0000,0000,,fast by everyone, Apple included, and\Nvery audited. So I'm not saying that there Dialogue: 0,0:51:31.26,0:51:36.17,Default,,0000,0000,0000,,aren't many... there aren't things there,\Nlike interesting findings, but if there Dialogue: 0,0:51:36.17,0:51:38.64,Default,,0000,0000,0000,,are they're not going to live much longer,\NI think. Dialogue: 0,0:51:38.64,0:51:41.68,Default,,0000,0000,0000,,Q: Okay, thank you.\NHerald: Thanks for your question and now Dialogue: 0,0:51:41.68,0:51:45.00,Default,,0000,0000,0000,,from the Signal Angel a question from the\NInternet. Dialogue: 0,0:51:45.00,0:51:48.65,Default,,0000,0000,0000,,Signal Angel: Yes, I have a question from\Nthe internet. How long did this research Dialogue: 0,0:51:48.65,0:51:52.80,Default,,0000,0000,0000,,take you? You said two weeks in the\Nbeginning, but from begin to end, how many Dialogue: 0,0:51:52.80,0:51:55.43,Default,,0000,0000,0000,,hours about? Because you also said it was\Nduring work? Dialogue: 0,0:51:55.43,0:51:59.75,Default,,0000,0000,0000,,argp: No, it didn't it didn't take two\Nweeks, no. 
It took like maybe close to Dialogue: 0,0:51:59.75,0:52:05.03,Default,,0000,0000,0000,,three months or two months and something\Nlike that. So I spent... as I mentioned I Dialogue: 0,0:52:05.03,0:52:09.19,Default,,0000,0000,0000,,spent like a complete month, I think, like\N- maybe three weeks, maybe not a complete Dialogue: 0,0:52:09.19,0:52:16.56,Default,,0000,0000,0000,,month just on reversing redsn0w and trying\Nto get redsn0w to play with iOS7. So I Dialogue: 0,0:52:16.56,0:52:21.79,Default,,0000,0000,0000,,wouldn't count this month in the exploit\Npart of it, right? So if you're interested Dialogue: 0,0:52:21.79,0:52:29.00,Default,,0000,0000,0000,,just in the kernel exploit part I would\Nsay something like maybe seven weeks, Dialogue: 0,0:52:29.00,0:52:36.17,Default,,0000,0000,0000,,something like that. But just with 2 maybe\N3 days per week right, not complete weeks. Dialogue: 0,0:52:36.17,0:52:40.24,Default,,0000,0000,0000,,Herald: Okay, then microphone 1,\Nplease. Dialogue: 0,0:52:40.24,0:52:45.74,Default,,0000,0000,0000,,Q: Congratulations on your talk which was\Nreally interesting, I liked it a lot and Dialogue: 0,0:52:45.74,0:52:51.09,Default,,0000,0000,0000,,my question is if the technique you used\Nto exploit the bug was in FreeBSD or any Dialogue: 0,0:52:51.09,0:52:56.32,Default,,0000,0000,0000,,other BSD as well?\Nargp: Oh no, no. I mean, the vm_map_copy Dialogue: 0,0:52:56.32,0:53:02.90,Default,,0000,0000,0000,,struct doesn't exist anywhere else except\Nthe XNU kernel. But I think the Dialogue: 0,0:53:02.90,0:53:06.92,Default,,0000,0000,0000,,interesting takeaway is that you can do\Ncomplex heap arrangements if you Dialogue: 0,0:53:06.92,0:53:13.96,Default,,0000,0000,0000,,understand the kernel heep allocator,\Nright? 
So this process I described by Dialogue: 0,0:53:13.96,0:53:18.74,Default,,0000,0000,0000,,creating holes and maybe controlling 2\Nallocations in order to host fake Dialogue: 0,0:53:18.74,0:53:24.63,Default,,0000,0000,0000,,structures that you are able then to use\Nto get exploitation primitives then that's Dialogue: 0,0:53:24.63,0:53:30.74,Default,,0000,0000,0000,,applicable everywhere, right?\NHerald: Okay, then we go to microphone 2 Dialogue: 0,0:53:30.74,0:53:35.81,Default,,0000,0000,0000,,again, please.\NQ: So I saw one sentence, just not report Dialogue: 0,0:53:35.81,0:53:42.83,Default,,0000,0000,0000,,or... just don't report the bugs. I would\Nlike to understand your thinking behind, Dialogue: 0,0:53:42.83,0:53:48.98,Default,,0000,0000,0000,,because I think this is really important\Nfor companies to know the bugs that they Dialogue: 0,0:53:48.98,0:53:54.80,Default,,0000,0000,0000,,made and yeah, make the products better\Nand this is really beneficial for Dialogue: 0,0:53:54.80,0:54:00.95,Default,,0000,0000,0000,,researcher because for example Apple they\Npay a lot of money for the bugs. What... Dialogue: 0,0:54:00.95,0:54:07.05,Default,,0000,0000,0000,,argp: Okay, yeah, I don't have much to say\Non that. I mean, apart from: if all the Dialogue: 0,0:54:07.05,0:54:11.03,Default,,0000,0000,0000,,bugs are fixed then you won't be able to\Ndo this kind of work and it's no fun. Dialogue: 0,0:54:11.03,0:54:17.76,Default,,0000,0000,0000,,Sorry, I don't have anything else to say\Non that. Sorry, I don't have anything Dialogue: 0,0:54:17.76,0:54:23.14,Default,,0000,0000,0000,,else, no comment.\NHerald: Okay. Signal Angel, do we have Dialogue: 0,0:54:23.14,0:54:31.31,Default,,0000,0000,0000,,another question from the internet? Okay,\Nthen please a big round of applause for Dialogue: 0,0:54:31.31,0:54:33.54,Default,,0000,0000,0000,,our speaker!\Nargp: Thanks. 
Dialogue: 0,0:54:33.54,0:54:35.23,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:54:35.23,0:54:39.86,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:54:39.86,0:54:57.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!