Twitter | Search
Tweets
Brandon Azad 19 Nov
I'm presenting on KTRW at this year. I'll take you along my journey discovering hardware debugging registers and discuss the challenges of writing a full-featured iOS kernel debugger usable with LLDB:
Brandon Azad 28 Oct
Replying to @_bazad
KTRW was motivated by the desire to see better and more open tooling for security research on iPhones. Read about the journey to find the KTRR bypass:
Brandon Azad 28 Oct
I built an iOS kernel debugger called KTRW based on a KTRR bypass for the iPhone X. It is capable of patching kernel __TEXT_EXEC, loading kernel extensions, and performing single-step kernel debugging with LLDB and IDA Pro over USB:
Brandon Azad 7 May
I will be presenting "A study in PAC" at MOSEC 2019. The talk will cover my analysis of how Apple implemented (and improved on) Pointer Authentication on the A12 and look at 5 ways to bypass it.
Brandon Azad 8 Mar
I'll be presenting the technical details of voucher_swap, a kernel exploit for CVE-2019-6225 on iOS 12.1.2, at this June.
Brandon Azad 1 Feb 2019
My analysis of Apple's implementation of PAC on the A12 (a substantial improvement over the ARM standard for protecting against kernel attackers):
Brandon Azad 29 Jan 2019
The A12, now with more kernel code execution; introducing voucher_swap:
Brandon Azad 22 Jan 2019
If you're interested in bootstrapping iOS kernel security research (including the ability to forge PACs and call arbitrary kernel functions), keep an A12 research device on iOS 12.1.2.
Brandon Azad 21 Sep 2018
iOS full userspace compromise via malicious crashing. Versions up to 11.4 are vulnerable, but the exploit only targets 11.2.6. The writeup also discloses some new mitigation bypasses.
Brandon Azad 30 Jul 2018
I'll be presenting "Crashing to root: How to escape the iOS sandbox using abort()" at @bevxcon this September. I'll show how to exploit CVE-2018-4280, fixed in iOS 11.4.1, by crashing maliciously in order to elevate privileges, defeat codesigning, and spawn a shell on iOS 11.2.6.
Brandon Azad 21 Jun 2018
The ida_kernelcache analysis toolkit now supports the new iOS 12 kernelcache format, including untagging pointers to restore IDA's xrefs:
Brandon Azad 20 Jun 2018
The iOS 12 kernelcache is changing. Here's my analysis on the new static pointer tagging found in the kernelcache:
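The two tweets above (the ida_kernelcache update and the tagged-pointer analysis) concern the same step: an iOS 12 kernelcache pointer carries a tag in its top 16 bits, and a disassembler only recovers the cross-reference once those bits are put back to 0xffff. The following is an added example written for this page; it is not code from the tweets, from ida_kernelcache or from the linked analysis. It assumes the tag sits in bits 63:48, that a canonical kernel pointer has 0xffff there, and that unslid kernelcache addresses have the form 0xfffffff0_xxxxxxxx (that range check is this example's own heuristic). The function names and the sample segment bytes are constructed.

```python
import struct

# Bits 63:48 of an arm64 kernel pointer are normally all ones; in the iOS 12
# kernelcache those 16 bits instead hold a tag, and the real address is
# recovered by putting 0xffff back.
TAG_SHIFT = 48
LOW48_MASK = (1 << TAG_SHIFT) - 1
KERNEL_HIGH16 = 0xffff


def tag_of(value):
    """Return the 16-bit value stored in bits 63:48."""
    return (value >> TAG_SHIFT) & 0xffff


def untag_pointer(value):
    """Restore a kernel address by replacing bits 63:48 with 0xffff."""
    return (value & LOW48_MASK) | (KERNEL_HIGH16 << TAG_SHIFT)


def looks_like_kernelcache_address(low48):
    """Heuristic (an assumption of this example, not something the tweets
    state): unslid kernelcache addresses have the form 0xfffffff0_xxxxxxxx,
    so bits 47:36 of a genuine pointer are all ones."""
    return (low48 >> 36) == 0xfff


def is_tagged_pointer(value):
    """A word is treated as a tagged pointer when its low 48 bits look like a
    kernelcache address but bits 63:48 are not the canonical 0xffff."""
    return (tag_of(value) != KERNEL_HIGH16
            and looks_like_kernelcache_address(value & LOW48_MASK))


def untag_segment(data, base):
    """Scan an 8-byte-aligned little-endian data segment loaded at `base`.

    Returns (found, fixed): `found` lists (address, tagged value, tag,
    untagged value) for each tagged pointer; `fixed` is a copy of the segment
    with those words rewritten so cross-references resolve again."""
    fixed = bytearray(data)
    found = []
    for off in range(0, len(data) - 7, 8):
        (value,) = struct.unpack_from("<Q", data, off)
        if is_tagged_pointer(value):
            clean = untag_pointer(value)
            found.append((base + off, value, tag_of(value), clean))
            struct.pack_into("<Q", fixed, off, clean)
    return found, bytes(fixed)


# Constructed sample segment (not real kernelcache bytes): two tagged
# pointers, one canonical pointer, an integer, a NULL and a string.
SAMPLE_BASE = 0xfffffff0070d8000
SAMPLE_SEGMENT = struct.pack(
    "<QQQQQ",
    0x0017fff007a1b2c0,  # tagged pointer, tag 0x0017
    0xfffffff007004000,  # already canonical, must be left alone
    0x0000000000000042,  # small integer, not a pointer
    0x0000000000000000,  # NULL
    0x4041fff00701f000,  # tagged pointer, tag 0x4041
) + b"IOService".ljust(16, b"\0")  # string data, not a pointer


if __name__ == "__main__":
    found, fixed = untag_segment(SAMPLE_SEGMENT, SAMPLE_BASE)
    for addr, tagged, tag, clean in found:
        print(f"{addr:#018x}: {tagged:#018x} tag={tag:#06x} -> {clean:#018x}")
```

The example only restores the address; the 16-bit tag is reported raw and its internal fields are not decoded. In a real workflow the same rewrite would be applied to the disassembler's database rather than to a byte buffer, and any words the range heuristic misclassifies (a non-pointer that happens to fall in the range, or a pointer into a region the heuristic does not cover) need to be checked by hand.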
Brandon Azad 29 Apr 2018
Replying to @_bazad
This is a userspace-only exploit (no kernel vulnerabilities), but still gets you a shell. I'm submitting a talk about this work to a security conference. When the exploit becomes public will depend on when the issue gets fixed and whether the talk is accepted.
Brandon Azad 22 Apr 2018
For those on iOS 11.2.6 or below, I'm working on a userspace security research platform. You'll be able to spawn pseudo-signed binaries to run as unsandboxed root with arbitrary entitlements (including task_for_pid-allow).