iOS Kernel PAC, One Year Later

Автор: Black Hat

Загружено: 2021-02-26

Просмотров: 6685

Описание:

In February 2019, I reported to Apple five ways to bypass kernel Pointer Authentication on the iPhone XS . My impression was that the design, while a dramatic improvement on the ARMv8.3 standard, had some fundamental issues when defending kernel control flow against attackers with kernel memory access. This talk will look at how PAC has (and hasn't) improved in the subsequent year, once again concluding with five new ways to bypass kernel PAC to obtain arbitrary kernel code execution on iOS 13.3.

By Brandon Azad
Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefi...

iOS Kernel PAC, One Year Later

Доступные форматы для скачивания:

Скачать видео mp4

Информация по загрузке:

Скачать аудио mp3

Похожие видео

DEF CON 32 - From getting JTAG on the iPhone 15 to hacking Apple's USB-C Controller - Stacksmashing

DEF CON 32 - From getting JTAG on the iPhone 15 to hacking Apple's USB-C Controller - Stacksmashing

24C3: Inside the Mac OS X Kernel

24C3: Inside the Mac OS X Kernel

iPhone 17 — первый неубиваемый телефон?

iPhone 17 — первый неубиваемый телефон?

what if we just verified all the pointers?

what if we just verified all the pointers?

But How Does a Kernel Exploit Actually Work?

But How Does a Kernel Exploit Actually Work?

HEXACON2022 - Life and death of an iOS attacker by Luca Todesco

HEXACON2022 - Life and death of an iOS attacker by Luca Todesco

iOS Kernel Exploitation Heap Spray/Feng Shui Technique | Mach Message Spraying

iOS Kernel Exploitation Heap Spray/Feng Shui Technique | Mach Message Spraying

[0x05] Reversing Shorts :: iOS Kernel Demystified

[0x05] Reversing Shorts :: iOS Kernel Demystified

37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers

37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers

DEF CON 30 — Джозеф Равичандран — Атака PACMAN: Взлом PAC на Apple M1 с помощью аппаратных атак

DEF CON 30 — Джозеф Равичандран — Атака PACMAN: Взлом PAC на Apple M1 с помощью аппаратных атак

The Windows 11 Disaster That's Killing Microsoft

The Windows 11 Disaster That's Killing Microsoft

OffensiveCon23 - Stacksmashing- Inside Apple’s Lightning: JTAGging the iPhone for Fuzzing and Profit

OffensiveCon23 - Stacksmashing- Inside Apple’s Lightning: JTAGging the iPhone for Fuzzing and Profit

BlueHat IL 2019 — Лука Тодеско (@qwertyoruiop) — Жизнь в качестве iOS-злоумышленника

BlueHat IL 2019 — Лука Тодеско (@qwertyoruiop) — Жизнь в качестве iOS-злоумышленника

Что такое ядро в операционной системе?

Что такое ядро в операционной системе?

34C3 - iOS kernel exploitation archaeology

34C3 - iOS kernel exploitation archaeology

Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets

Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets

DEF CON 30 - stacksmashing - The Hitchhacker’s Guide to iPhone Lightning and JTAG Hacking

DEF CON 30 - stacksmashing - The Hitchhacker’s Guide to iPhone Lightning and JTAG Hacking

BlueHat IL 2020 — Лука Тодеско — Странный трюк, который ненавидит SecureROM

BlueHat IL 2020 — Лука Тодеско — Странный трюк, который ненавидит SecureROM

Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks

Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks

USENIX Security '23 - Demystifying Pointer Authentication on Apple M1

USENIX Security '23 - Demystifying Pointer Authentication on Apple M1