Targeting the iOS Kernel - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Dumping Writeable Sysctl Variables com.apple.iokit.IOSCSIArchitectureModelFamily --------------------------------------------sysctl_register_oid() call at 80794e1c - struct at 80796a88 -> sysctl name: debug.SCSIArchitectureModel -> sysctl handler: 80794cd1 (sub_80794CD0) sysctl_register_oid() call at 80794ef0 - struct at 80796a88 -> sysctl name: debug.SCSIArchitectureModel -> sysctl handler: 80794cd1 (sub_80794CD0) com.apple.driver.AppleProfileThreadInfoAction --------------------------------------------sysctl_register_oid() call at 803f1c6e - struct at 803f2700 -> sysctl name: appleprofile.actions.threadinfo.default_continuous_buffer_size -> sysctl handler: 8017bfb9 (_sysctl_handle_int) -> var address: 803f2760 00000000 sysctl_register_oid() call at 803f1c72 - struct at 803f2730 -> sysctl name: appleprofile.actions.threadinfo.max_memory -> sysctl handler: 8017bfb9 (_sysctl_handle_int) -> var address: 803f281c 00000000 com.apple.security.sandbox -------------------------sysctl_register_oid() call at 8093647a - struct at 8093b57c -> sysctl name: security.mac.sandbox.debug_mode -> sysctl handler: 8017bfb9 (_sysctl_handle_int) -> var address: 8093b548 00000000 Stefan Esser • Targeting the iOS Kernel • April 2011 • 50
Attacking from User-Land: IOKit Drivers • IOKit drivers can also talk with user-space through their objects • all classes derived from IOUserClient can communicate with kernel • script can list all classes derived from IOUserClient • e.g. user-space baseband method calls will go through this method • AppleBasebandUserClient::externalMethod(unsigned int, IOExternalMethodArguments *, IOExternalMethodDispatch *, OSObject *, void *) Stefan Esser • Targeting the iOS Kernel • April 2011 • 51
Page 1 and 2: Targeting the iOS Kernel Stefan Ess
Page 3 and 4: Motivation • iPhone security heav
Page 5 and 6: Part I Introduction Stefan Esser
Page 7 and 8: Finding Vulnerabilities in the iOS
Page 9 and 10: Interesting Kernel Bugs - OS X OS X
Page 11 and 12: Part II The iOS Kernelcache Stefan
Page 13 and 14: Getting the iOS Kernelcache (II)
Page 15 and 16: Kernelcache is just a Mach-O Binary
Page 17 and 18: iOS Kernelcache vs. IDA • IDA can
Page 19 and 20: Helping IDA - Kernel Extensions •
Page 21 and 22: Helping IDA - findAndMarkKEXT.py St
Page 23 and 24: IOKit Driver Classes (I) • IOKit
Page 25 and 26: IOKit Object Hierarchy - Full View
Page 27 and 28: Part IV iOS Kernel Where Are your S
Page 29 and 30: Kernel Symbols - Manual Symbolizati
Page 31 and 32: Zynamic‘s BinDiff • Zynamic‘s
Page 33 and 34: Zynamic‘s BinDiff - Demo (II) Ste
Page 35 and 36: Using IOKit Class Hierarchy for Sym
Page 37 and 38: Exporting Symbols • IDA cannot ex
Page 39 and 40: iOS Kernel Attack Surface • simpl
Page 41 and 42: Finding and Marking the Syscall Tab
Page 43 and 44: Attacking through Network Protocols
Page 45 and 46: Attacking through Network Protocols
Page 47 and 48: Attacking through Devices (II) com.
Page 49: Dumping List of Sysctl Handlers mai
Page 53 and 54: iOS Kernel Debugging • no support
Page 55 and 56: iPhone Dock Connector (Pin-Out) PIN
Page 57 and 58: Ingredients (I) • 470 kΩ resisto
Page 59 and 60: Ingredients (III) • FT232RL Break
Page 61 and 62: Final USB and USB Serial Cable •
Page 63 and 64: KDP over serial • KDP over serial
Page 65 and 66: Using GDB... $ /Developer/Platforms
Page 67: Links • xpwntool - https://github

Targeting the iOS Kernel - Reverse Engineering Mac OS X

Create successful ePaper yourself

Delete template?

Save as template?