Samuel Groß
@5aelo
Zürich, Switzerland
Works at Google Project Zero. Personal account.

548 Tweets | 427 Following | 14,533 Followers

Tweets
Samuel Groß @5aelo · 12 Jan
Great to hear, thanks! :)

Samuel Groß @5aelo · 10 Jan
Whoa, thanks Mark! :)

Samuel Groß @5aelo · 10 Jan
Thanks Ned!

Samuel Groß @5aelo · 9 Jan
The README and various code comments hopefully also help explain how the PoC exploit works: bugs.chromium.org/p/project-zero… and also twitter.com/5aelo/status/1…

Samuel Groß @5aelo · 9 Jan
I'm very excited to share my blog post series (including PoC code) about a remote, interactionless iPhone exploit over iMessage: googleprojectzero.blogspot.com/2020/01/remote…
Samuel Groß Retweeted

Tim Willis @itswillis · 7 Jan
At Google Project Zero, the team spends a *lot* of time discussing and evaluating vulnerability disclosure policies and their consequences. It's a complex and controversial topic!
Here are P0's policy changes for 2020 (with our rationale for the changes):
googleprojectzero.blogspot.com/2020/01/policy…
Samuel Groß @5aelo · 28 Dec
Yeah, there was quite a bit omitted :'D The step is basically using -[CNFileServices dlsym::] to get signed C func pointers, then using -[NSInvocation invokeUsingIMP] to call them, R/W necessary to bridge stuff into JS and construct more fake NSInvocations

Samuel Groß @5aelo · 27 Dec
Slides + recording of my #36c3 talk: saelo.github.io/presentations/… media.ccc.de/v/36c3-10497-m… Had to omit many details, but blog post coming soon!

Samuel Groß @5aelo · 27 Dec
Thanks! =)

Samuel Groß @5aelo · 27 Dec
Yes, and the recording and hopefully very soon a blog post :)

Samuel Groß @5aelo · 27 Dec
My talk on iMessage exploitation (fahrplan.events.ccc.de/congress/2019/…) starts in two hours. You can watch it in room Ada or on streaming.media.ccc.de/36c3 #36c3
Samuel Groß @5aelo · 28 Nov
No :) More like: if you have limited resources, it is possible that implementing a new mitigation isn't the best use of those

Samuel Groß @5aelo · 28 Nov
Well, now we are slowly getting into the discussion of how useful mitigations are at all, and I would rather not do that now :D Instead I would say that the same is true for clearly beneficial things such as attack surface reductions and sandboxing

Samuel Groß @5aelo · 28 Nov
So to that and @bkth_'s point, I'd argue that the reason for e.g. JSC's Structure ID randomization and the Gigacage was precisely that people kept using that same exploit technique *publicly* for years, eventually causing someone to think about a solution

Samuel Groß @5aelo · 28 Nov
It's hard to know for sure, but we are pretty certain that it did. Anyway, it's a bit complicated... we can chat in person some time :) Coming to 36C3 by any chance?

Samuel Groß @5aelo · 28 Nov
The problem is that vendors will often somewhat happily spotfix single bugs, but won't make any systematic improvements (attack surface reduction, mitigations, ...) afterwards. twitter.com/5aelo/status/1… Likely only happened because @natashenka and I made that research public

Samuel Groß @5aelo · 28 Nov
Hmmm, I would argue that we would probably have a lot less exploit mitigations (or none at all?) today had no one ever published an exploit? But maybe I'm not getting your point...

Samuel Groß @5aelo · 28 Nov
Yeah, we are talking about somewhat different threat models, I guess. Anyway, I think we can agree that improving patch rollout times would be helpful here in any case

Samuel Groß @5aelo · 28 Nov
My point was that regardless of whether a researcher publishes a PoC after the bug has been fixed, attackers can bindiff/patchdiff after a fix has been implemented but before it's shipped to users and basically get a "free" 0day for some time

Samuel Groß @5aelo · 28 Nov
See other reply. Re. mitigations: that's also where releasing exploits helps, as it shows where those mitigations fail and how they can be improved or new ones added