Tweets

Brandon Azad (@_bazad), 19 Nov

I'm presenting on KTRW at #36C3 this year. I'll take you along my journey discovering hardware debugging registers and discuss the challenges of writing a full-featured iOS kernel debugger usable with LLDB: halfnarp.events.ccc.de

Brandon Azad (@_bazad), 28 Oct

KTRW was motivated by the desire to see better and more open tooling for security research on iPhones. Read about the journey to find the KTRR bypass: googleprojectzero.blogspot.com/2019/10/ktrw-j…

Brandon Azad (@_bazad), 28 Oct

I built an iOS kernel debugger called KTRW based on a KTRR bypass for the iPhone X. It is capable of patching kernel __TEXT_EXEC, loading kernel extensions, and performing single-step kernel debugging with LLDB and IDA Pro over USB: github.com/googleprojectz…

Brandon Azad (@_bazad), 7 May

I will be presenting "A study in PAC" at MOSEC 2019. The talk will cover my analysis of how Apple implemented (and improved on) Pointer Authentication on the A12 and look at 5 ways to bypass it.

Brandon Azad (@_bazad), 8 Mar

I'll be presenting the technical details of voucher_swap, a kernel exploit for CVE-2019-6225 on iOS 12.1.2, at @typhooncon this June. pic.twitter.com/Qic75gugXE

Brandon Azad (@_bazad), 1 Feb 2019

My analysis of Apple's implementation of PAC on the A12 (a substantial improvement over the ARM standard for protecting against kernel attackers): googleprojectzero.blogspot.com/2019/02/examin…

Brandon Azad (@_bazad), 29 Jan 2019

The A12, now with more kernel code execution; introducing voucher_swap: googleprojectzero.blogspot.com/2019/01/vouche…

Brandon Azad (@_bazad), 22 Jan 2019

If you're interested in bootstrapping iOS kernel security research (including the ability to forge PACs and call arbitrary kernel functions), keep an A12 research device on iOS 12.1.2.

Brandon Azad (@_bazad), 21 Sep 2018

iOS full userspace compromise via malicious crashing: github.com/bazad/blanket. Versions up to 11.4 are vulnerable, but the exploit only targets 11.2.6. The writeup also discloses some new mitigation bypasses.

Brandon Azad (@_bazad), 30 Jul 2018

I'll be presenting "Crashing to root: How to escape the iOS sandbox using abort()" at @bevxcon this September. I'll show how to exploit CVE-2018-4280, fixed in iOS 11.4.1, by crashing maliciously in order to elevate privileges, defeat codesigning, and spawn a shell on iOS 11.2.6. pic.twitter.com/tRxLqD55fY

Brandon Azad (@_bazad), 21 Jun 2018

The ida_kernelcache analysis toolkit now supports the new iOS 12 kernelcache format, including untagging pointers to restore IDA's xrefs: github.com/bazad/ida_kern…

Brandon Azad (@_bazad), 20 Jun 2018

The iOS 12 kernelcache is changing. Here's my analysis on the new static pointer tagging found in the kernelcache: bazad.github.io/2018/06/ios-12…

Brandon Azad (@_bazad), 29 Apr 2018

This is a userspace-only exploit (no kernel vulnerabilities), but still gets you a shell. I'm submitting a talk about this work to a security conference. When the exploit becomes public will depend on when the issue gets fixed and whether the talk is accepted. pic.twitter.com/r6IEbz99xS

Brandon Azad (@_bazad), 22 Apr 2018

For those on iOS 11.2.6 or below, I'm working on a userspace security research platform. You'll be able to spawn pseudo-signed binaries to run as unsandboxed root with arbitrary entitlements (including task_for_pid-allow).