Targeting the iOS Kernel
Although the iPhone user land is locked down very tightly, previous talks about iPhone security have concentrated on user land attacks only. The demonstrated exploit payloads have therefore been very limited in what they can do. More complicated work, such as user land rootkits or the addition of ASLR protection, has therefore relied entirely on kernel exploitation help from the jailbreaking community.
This presentation will introduce the audience to finding security bugs in iOS kernel space and explain how this differs from hunting kernel bugs in Mac OS X. Reverse engineering will be used to extract a lot of information from the kernelcache; this information is then used to enumerate the kernel's attack surface and locate the corresponding code. In addition, the secrets of activating the iOS internal kernel debugger will be revealed, and this will be demonstrated by debugging a previously disclosed iOS kernel exploit.
SyScan 2015 - iOS 678 Security - A Study in Fail (Stefan Esser)
Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later (Stefan Esser)
With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes.
This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP (Stefan Esser)
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow bypassing it. All weaknesses will be demoed to the audience.
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation (Stefan Esser)
Exploiting the iOS Kernel
The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.
This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.
Furthermore, the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows selectively deactivating some of these kernel patches for more realistic exploit tests.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements (Stefan Esser)
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
Presentation about how to find vulnerabilities in and reverse engineer the iOS operating system. The author is Stefan Esser and the talk was delivered at SyScan 2011 in Singapore.
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick (Stefan Esser)
During my talk at SyScan 2015 I promised to disclose, among all the fail of Apple, how their patches for "Patient ALPHA" actually killed a previously unknown 0-day incomplete code signing vulnerability that was just waiting to be used in the next jailbreak.
This document summarizes Stefan Esser's talk "iOS 6 - Exploitation 280 Days Later" given at CanSecWest 2013. It provides an overview of iOS security developments between 2012-2013, including new jailbreaks, security research, and the introduction of security features in iOS 6 like KASLR and kernel stack/heap cookies. The talk analyzes some of these new iOS 6 security features in more detail and notes potential weaknesses remaining, such as the large 2MB alignment of KASLR addresses.
I Want More Ninja – iOS Security Testing (Jason Haddix)
The document provides instructions for setting up an iOS application testing lab, including recommended hardware, software, and tools for both MacBooks and PCs. It discusses jailbreaking iOS devices to gain root access, installing useful packages and utilities, and exploring application directories and data stores to find vulnerabilities like insecure data storage or client-side injection issues.
This document discusses iOS application penetration testing from the perspective of a penetration tester. It begins with an overview of iOS applications and the iOS monoculture, covering code signing, sandboxing, and encryption. It then discusses various techniques a penetration tester may use, including checking compile options, exploiting URL schemes, analyzing insecure data storage in databases, property lists, keyboard caches, image caches, and error logs. It also covers runtime analysis using tools like Clutch, Class-Dump-Z, and Cycript to decrypt binaries, dump classes, and interact with running apps. Examples are provided of potential attacks against apps that involve bypassing locks, extracting hardcoded keys, or injecting malicious code. Defense techniques are also briefly explained.
This document provides an overview of setting up an iOS penetration testing environment and common techniques for analyzing iOS applications. It discusses jailbreaking a device and installing useful tools. It also covers understanding the iOS file system and Objective-C runtime, using tools like Cycript and class-dump-z to enable runtime analysis and manipulation. The document describes insecure data storage techniques like plist files, NSUserDefaults, and CoreData that store unencrypted data. It also discusses analyzing network traffic and automated testing.
Prem Kumar is a senior security consultant who specializes in web, mobile, and network penetration testing. He has previously presented at security conferences and found vulnerabilities in applications from companies like Facebook, Apple, and Yahoo. The agenda for his talk covers topics like iOS architecture, application structures, types of iOS applications and distribution methods, iOS penetration testing techniques, jailbreaking, and setting up an iOS testing platform. He will demonstrate runtime analysis and penetration testing on real iOS applications.
Beyond the 'cript: practical iOS reverse engineering, LASCON (Nino Ho)
The aim of this talk is to build a bridge between the mundane methodologies and vulnerabilities that everyone can find (and that are now being defended against), and a new approach that finds additional bugs that require assembly knowledge to discover.
The talk looks at the fundamentals of reversing, a primer on iOS architecture, binary patching, reversing Mach-O binaries, and ends with some real-world examples involving bypassing jailbreak detection.
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards! (Linaro)
During the first part of this session, Alexander will give a technology perspective on the motivation, features and possibilities that Ubuntu's latest rendition has to offer for developers and product makers of smart embedded and IoT devices.
Alexander will walk the audience through the building blocks and core ingredients that make up a snappy solution and will show how snappy unifies concepts found in traditional binary distribution with those observed in modern consumer grade Linux products to make a platform for building modern, smart IoT device products.
During the second half of this session Ricardo Mendoza, lead architect behind snappy Ubuntu Core, will showcase snappy Ubuntu Core running on the 96boards Dragonboard 410c. The showcase will include a bottom-to-top image creation demo taking building blocks from the Ubuntu Core online store in real time, followed by a deployment of the image on the Dragonboard hardware, then a demo of available snaps for the platform.
In his part of the presentation, Ricardo will illustrate how well aligned the concepts behind 96boards and snappy Ubuntu Core are, to show how hand in hand they can become a very versatile platform for all IoT and embedded device manufacturers to quickly bring their products to market and benefit from an expanding ecosystem of applications through the Ubuntu Store.
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
This document summarizes a presentation on vulnerabilities found in Apple's graphics drivers. The researchers discovered race conditions and information leaks in the drivers that could allow bypassing sandbox protections and gaining kernel code execution. Specifically:
1) A race condition was found in the unmapping of graphics memory that could lead to use-after-free and double-free issues. This could be exploited to achieve kernel code execution.
2) Further auditing uncovered that other operations like mapping graphics memory were not properly locked, allowing similar race conditions.
3) An information leak was discovered that revealed details about the kernel address space layout randomization on macOS. This could help bypass protections on the kernel.
The researchers provided details
The document provides information about digital forensics workshops and tools for analyzing cellular devices. It discusses how to analyze data from iPhones using iTunes backups and the iPhone Analyzer tool. It also discusses how to perform logical acquisitions on Android devices using the AF-Logical tool in Santoku Linux by connecting the device via USB and using adb commands. The document provides tips for protecting personal data and security best practices when using public WiFi networks.
This presentation goes through an explanation of the architecture, new features and use cases behind Ubuntu Core 16, Ubuntu for IoT.
What you will learn:
★ Lessons learned by Ubuntu in IoT and the need for a new approach to security and software management
★ Choosing the right Operating System for your IoT devices, hardware choices and long-term maintainability
★ How Ubuntu Core is being used by various partners to build solutions across home gateways, industrial, building automation and digital signage
This document discusses web and wireless hacking techniques. It covers SQL injection, file inclusion, cross-site scripting (XSS), war driving to find wireless networks, and exploiting wireless networks. Specific hacking methods are demonstrated for SQL injection, file inclusion, XSS attacks, and cracking WEP encryption on wireless networks. Tools mentioned include Kismet, Aircrack-ng, AirSnort, and Wireshark for finding wireless networks and cracking WEP.
This document discusses Canonical and Ubuntu, focusing on innovations in security for internet of things (IoT) devices. It introduces Snappy Ubuntu Core, a new version of Ubuntu optimized for IoT with features like sandboxing, digital signatures, and over-the-air updates to provide maximum security. Snappy Ubuntu Core is targeted towards device manufacturers who want to focus on differentiating hardware and services rather than building a full operating system, with the goals of proven updates, data security, and leveraging an existing developer community. Examples are provided of how Snappy principles could prevent exploits seen in other IoT devices.
Ubuntu - Industrial Internet of Things Intro (Maarten Ectors)
What is the Internet of Things? How does it link to big data and cloud? What is the industrial IoT? How to put apps and app stores into smart devices? How to manage complex IoT solutions? Open Source IoT solutions
Toorcon 2010: iPhone Rootkits? There's an App for That (Eric Monti)
The document discusses a presentation given by Eric Monti on weaponizing jailbreaks for iPhone rootkits. He begins by summarizing the JailbreakMe.com 2.0 exploit, which allowed remote jailbreaking of iPhones via the Safari browser using a PDF exploit. Monti then details his process of reversing the jailbreak code to remove security checks and notifications, allowing him to create a "stealth" rootkit. He demonstrates capturing audio, accessing private data like emails and location, and dumping process memory on a jailbroken iPhone.
Ubuntu Core gets snappy with a new transactional and isolated architecture. It uses "snaps" which are applications bundled with their dependencies to ensure reliable and secure updates. Snaps confine applications and provide easy installation across devices and cloud platforms.
PowerShell: A Language for the Internet of Things #ATLPUG (Taylor Riggan)
The August meeting of the Atlanta PowerShell Users Group. Discussion centered around the Microsoft IoT ecosystem, Windows 10 IoT Core, and Azure IoT Suite and Hub.
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps (DefconRussia)
Dmitry Evdokimov presents an overview of analyzing iOS apps through blackbox testing techniques. The document outlines the iOS platform and architecture, common iOS vulnerabilities, and static and dynamic analysis tools that can be used to identify vulnerabilities in iOS apps without access to source code. The agenda includes topics on the iOS platform, Objective-C, app structure, common vulnerabilities, and static and dynamic testing techniques.
SyScan Singapore 2010 - Returning Into The PHP-Interpreter (Stefan Esser)
The document discusses returning into the PHP interpreter through memory corruption exploits, focusing on exploiting a 0-day vulnerability in PHP's unserialize() function. It explains how unserialize() builds a variable table during deserialization to support references, and demonstrates how corrupting this process could allow returning into the PHP interpreter and gaining remote code execution. Potential attack vectors for returning into PHP functions, the bytecode executor, and zend_eval_string() are also outlined.
This document discusses Mac OS X security and provides demonstrations of security tools and techniques on Mac OS X including:
- Installing additional Unix tools like macports and homebrew
- Scanning networks using tools like whois, robtex, and nmap
- Social engineering exploits and bypassing Windows UAC protection
- Intelligence gathering using the Maltego tool
- Using Tor for anonymous browsing
- Cracking Lion password hashes by extracting them from the directory service
It also discusses the multi-user nature of Mac OS X and its Unix underpinnings.
The document talks about data and information security. It explains that data security involves measures to protect the confidentiality, integrity and availability of information. It also mentions some related Venezuelan laws, such as the Ley de Administración Pública, the Ley de Simplificación de Trámites Administrativos and the Ley Especial contra los Delitos Informáticos.
Relationship of economics with other sciences (Cristo Antonio)
This document summarizes the relationships between economics and other sciences such as history, mathematics, logic, politics, geography, technology, physics, chemistry and biology. It explains how each of these sciences relates to economics through the exchange of information, methods and concepts.
The document provides information about the Amur River, which is the 10th longest river in the world at 4,444 km long. It flows through Russia and China, and has been a source of disputes between the two countries over borders and islands. However, agreements in the 1990s established borders and opened ports for trade. The river is prone to major flooding that has caused extensive damage and evacuation of residents from its basin.
The author has always enjoyed creativity and design from an early age, which led her to study Industrial Design at university and then complete a master's degree in new product design. She now works as a graphic and industrial designer while exploring other passions such as photography, music and travel.
This document discusses Indonesia's economic development opportunities and challenges after 2014. Key points include:
1) Indonesia has experienced a successful democratic transition and political/social stability since 1997 but faces challenges in developing innovation and improving infrastructure.
2) Indonesia is on track to become the 11th largest economy by 2020, joining the emerging economies of Brazil, Russia, India, China, Turkey and Mexico (E7).
3) Rapid urbanization, growth of the middle class, and younger workforce present opportunities for economic growth but also challenges around infrastructure, education, and developing manufacturing outside of Java.
Viridian Red World Trade Center Quad - Smart crafted modern spaces that bring comfort and style to elevate your lifestyle
Viridian Red World Trade Center Quad is a proud presentation by Viridian RED. The project has contemporary design and detailed planning which is a proof of high quality architecture. The suave residential project is located in Greater Noida, Noida.
A whirlwind tour of the modules that any perl hacker, from beginner to experienced, should use and why.
Handout: List of modules in the talk along with many more: https://sites.google.com/site/perlhercynium/TEPHT-List2.pdf?attredirects=0
Blogging, tweeting, sharing your work to reach policy makersTrish Groves
The document discusses using social media such as Twitter and blogs to disseminate research findings to policymakers. It provides examples of the Twitter and Facebook presence of academic journals. It also summarizes several studies that analyzed the relationship between social media activity like tweets and traditional citations and impact metrics. However, many researchers remain wary of using social media professionally due to concerns about compatibility with research, risks to careers, and unfamiliarity with the technologies. Guidelines from organizations like the GMC provide advice on using social media carefully and maintaining professional standards.
Drew Stone has pursued a career in the arts through various roles combining his artistic skills and interests with professional experience. He obtained degrees in media studies, ethics, and communication and has worked in IT, education, startups, and consulting. Stone emphasizes knowing oneself, being persistent, having boundaries, and trusting one's gut over just following money. He encourages connecting in interesting spaces and constantly building relationships to keep momentum in pursuing one's goals and dreams.
Austin Journal of Clinical Immunology is an open access, peer reviewed, scholarly journal dedicated to publish articles in all areas of immunology, asthma and allergy. The aim of the journal is to develop a knowledge sharing platform and an interactive network for immunologists, researchers, physicians, and other health professionals for exchange of scientific information in the areas of immunology.
Austin Journal of Clinical Immunology accepts original research articles, review articles, case reports, clinical images and rapid communication on all the aspects of immunology and immunotechnology.
Austin Journal of Clinical Immunology strongly supports the scientific upgradation and fortification in related scientific research community by enhancing access to peer reviewed scientific literary works. Austin Publishing Group also brings universally peer reviewed journals under one roof thereby promoting knowledge sharing, mutual promotion of multidisciplinary science.
Austin Journal of Clinical Immunology is an open access, peer reviewed, scholarly journal dedicated to publish articles in all areas of immunology, asthma and allergy.
This document discusses the timeline of iOS security from 2012-2013. It begins with Stefan Esser's talk at CanSecWest 2012 about iOS 5 exploitation. It then discusses the release of iOS 6 in September 2012 and the subsequent jailbreak within a day. The document outlines various talks and research related to analyzing the security of iOS 6. It concludes by discussing new security features introduced in iOS 6 like KASLR and kernel stack and heap cookies.
This document discusses exploiting the OS X El Capitan kernel using a vulnerability found in IOAcceleratorFamily. It describes how memory spraying can be used to leak kernel information despite mitigations like kASLR. It then provides a case study of exploiting CVE-2016-1815, an out-of-bounds write bug, to leak bytes from kernel memory and eventually gain kernel code execution. The exploitation technique involves spraying kernel memory with controlled data, overwriting a function pointer to point to that data, and using an information leak primitive to read bytes from the sprayed region and bypass kASLR.
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
This document summarizes Koan-Sin Tan's presentation on exploring Apple M1 devices using open source tools. Tan has experience using open source software on Unix systems dating back to the 1970s. The presentation covers how the macOS kernel is based on Mach and has some open source components. It also discusses using IOKit on macOS to access sensor data from devices, including temperature readings from an M1 MacBook Pro. Tan provides code examples for retrieving sensor data and details challenges in accessing private APIs and sensor data on iOS devices.
The document discusses the history and features of the iPhone. It describes the evolution of the iPhone models from 2007 to the present day. It also covers the iOS operating system, development tools like Xcode, and programming languages like Objective-C that are used to create apps for the iPhone.
This document discusses research into running iOS on the QEMU emulator. It covers:
- Past research by Worth Doing Badly that booted an iOS kernel on QEMU without patches.
- The current project's progress in booting the secure monitor and kernel, running a user app via launchd, and running bash interactively.
- Details on boot processes like loading the secure monitor and resolving issues with the kernel base address.
- Techniques used like modifying the trust cache and dynamic linker cache to run non-Apple binaries.
- Next steps involve improving hardware support, running more services via launchd, adding CPU/interrupt support, and continuing security research.
Solr at zvents 6 years later & still going stronglucenerevolution
Presented by Amit Nithianandan, Lead Engineer Search/Analytics New Platforms, Zvents/Stubhub
Zvents has been a user of Apache Solr since 2007 when it was very early. Since then, the team has made extensive use of the various features and most recently completed an overhaul of the search engine to Solr 4.0. We'll touch on a variety of development/operational topics including how we manage the build lifecycle of the search application using Maven, release the deployment package using Capistrano and monitor using NewRelic as well as the extensive use of virtual machines to simplify node management. Also, we’ll talk about application level details such as our unique federated search product, and the integration of technologies such as Hypertable, RabbitMQ, and EHCache to power more real-time ranking and filtering based on traffic statistics and ticket inventory.
Kernel Recipes 2019 - Faster IO through io_uringAnne Nicolas
io_uring provides a new asynchronous I/O interface in Linux that aims to address limitations with existing interfaces like aio and libaio. It uses a ring-based model for submission and completion queues to efficiently support asynchronous I/O operations with low latency and high throughput. Though initially skeptical, Linus Torvalds ultimately merged io_uring into the Linux kernel due to improvements in missing features, ease of use, and efficiency over alternatives.
[Srijan Wednesday Webinar] Easy Performance Wins for Your Rails AppSrijan Technologies
Speaker: Aaron Cruz
In today’s webinar, we take a look at a how to improve the performance of your rails app. Our speaker today takes you through how to identify performance bottlenecks and understand the issues involved. He’ll also share quick tricks to solve issues and supercharge your rails app.
This document discusses Linux performance analysis tools. It introduces tpoint, a tool for tracing Linux tracepoints. Some example one-liners are provided that demonstrate how to use tpoint to trace disk I/O and see the tasks and processes performing I/O. The document also summarizes ftrace, a Linux kernel tracing tool that can be used to analyze performance issues.
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
The document discusses the author's experience with return-oriented programming (ROP) exploitation techniques on Linux. It describes how the author introduced techniques like return-to-dl-resolve and JIT-ROP on Linux. The author tried to create a universal ROP chain for Linux like those that work on Windows, but was unable to due to differences in code/data layout and symbol version checks on x64 Linux. Overwriting the link_map pointer and patching it was required but deemed too complex for ROP. The talk serves as a retrospective on the author's ROP research journey.
In this session we will do a tour of the just released Isentris 4.0. We will see its enhanced visualization component, the new Isentris for Excel renderer, and how Pipeline Pilot can now be seamless called within Isentris, opening a wide set of opportunities to bring new functionalities to the end-users.
Q con shanghai2013-[黄舒泉]-[intel it openstack practice]Michael Zhang
This document summarizes an Intel IT presentation on their OpenStack practice. It discusses Intel's contributions to OpenStack projects, their converged OpenStack and IT platform, and their solutions for continuous delivery, deployment, Tempest testing automation, and improving the speed of OpenStack snapshots.
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
This document provides an introduction to iOS application penetration testing. It discusses setting up an iOS penetration testing environment, including jailbreaking a test device and installing necessary software tools. It also provides an overview of iOS and Objective-C, covering key security features of iOS like sandboxing, ASLR, code signing, and data encryption. Topics to be covered include assessing data security, binary analysis, runtime manipulation, and evaluating authentication, session management, and transport security.
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
The document provides an introduction to iOS application penetration testing. It discusses setting up a testing environment including jailbreaking a device and installing tools. It covers assessing data security issues like insecurely stored data and background snapshots. Topics to be covered include binary analysis, runtime manipulation, transport security, and other testing like authentication and sessions.
Intel is a semiconductor company founded in 1968 by Robert Noyce and Gordon Moore. It produces microprocessors that power most personal computers. Some key points:
- Intel's first product was a RAM chip in 1969 and it soon began producing memory and microprocessor chips.
- By the 1980s, Intel shifted its focus to microprocessors after IBM's success with personal computers. This made Intel the dominant microprocessor maker.
- Today, Intel manufactures microprocessors under brands like Celeron, Pentium, Core i3/i5/i7, and Xeon for desktops, laptops, servers, and other devices.
- Intel aims to expand in Bangladesh by providing price
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
This document summarizes an overview of parallelism and multithreading on iOS. It covers key topics like parallelism terminology, why parallelization is important, and how it can be achieved through multiple processes, threads, high-level abstractions like Grand Central Dispatch and operation queues, and instruction-level parallelism. It also discusses challenges like race conditions and synchronization issues that must be addressed with techniques like locks and mutexes when working with threads.
Ceph is a open source , software defined storage excellent and the only ( i would say ) storage backend as a cloud storage. Ceph is the Future of Storage. In this presentation i am explaining ceph and openstack briefly , you would definitely enjoy it.
This document outlines strategies for optimizing iOS applications to improve performance and user experience. It discusses measuring performance using tools like NSLog and Instruments to identify optimization opportunities. Specific techniques covered include optimizing for animation, Objective-C code, C/ARM code generation, and frameworks like Accelerate and Grand Central Dispatch. The document also addresses optimizing for memory usage to avoid crashes and improving energy efficiency by reducing network, location services, and sensor usage.
Similar to SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel (20)
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
2. Who am I?
Stefan Esser
• from Cologne/Germany
• Information Security since 1998
• PHP Core Developer since 2001
• Suhosin / Hardened-PHP 2004
• Month of PHP Bugs 2007 / Month of PHP Security 2010
• ASLR for jailbroken iPhones 2010 / untethered jailbreak for iOS 4.3.1/2
• Head of Research & Development at SektionEins GmbH
Stefan Esser • Targeting the iOS Kernel • April 2011 • 2
3. Motivation
• iPhone security heavily relies on kernel level protections
• code signing / sandboxing
• NX / ASLR
• public iPhone exploit payloads are very limited in what they can do
• security researchers have relied on the jailbreakers to provide kernel pwnage
• this session is an introduction to finding bugs in the iOS kernel
4. Agenda
• Introduction
• How to get the iOS kernelcache
• Analysing the content of the kernelcache
• Trying to get some kernel symbols
• Using the kernelcache to determine attack surface
• Learning how to use the iOS kernel debugger
• Exploitation is not covered in this session - contact me to discuss this topic
6. Finding Vulnerabilities in the iOS Kernel (I)
• For OS X Apple provides
• the source code for the latest OS X version (XNU)
• the source code of some OS X kernel extensions
• symbols for the binary kernel and some extension (in DebugKit)
• For iOS Apple provides neither
7. Finding Vulnerabilities in the iOS Kernel (II)
• because iOS is also XNU-based, the public source is partly usable
• however the OS X and iOS kernels are very out of sync
• kernel vulnerabilities that are only interesting for iOS are not fixed in OS X
• auditing XNU will reveal a bunch of vulnerabilities already fixed in iOS
• interesting parts like the ASLR are not yet in any public XNU release
8. Finding Vulnerabilities in the iOS Kernel (III)
• source code of kernel extensions is less likely to be out of sync
• however only a small subset of kernel extensions have source code available
• finding vulnerabilities in iOS kernel extensions requires binary analysis
9. Interesting Kernel Bugs - OS X
OS X Kernel
• user-land dereference bugs are not exploitable
• privilege escalation to root usually highest goal
• memory corruptions or code exec in kernel nice but usually not required
• kernel exploits only triggerable as root are not interesting
10. Interesting Kernel Bugs - iOS
iOS Kernel
• user-land dereference bugs are partially exploitable
• privilege escalation to root just a starting point
• memory corruptions or code exec in kernel always required
• kernel exploits only triggerable as root are interesting
11. Part II
The iOS Kernelcache
13. Getting the iOS Kernelcache (II)
• kernelcache is a packed and encrypted IMG3 file
• can be decrypted and unpacked with xpwntool
• decryption IV + KEY can only be generated with exploited devices
• but can be found on the internet or inside redsn0w
00000000 33 67 6d 49 84 aa 5e 00 70 aa 5e 00 38 a2 5e 00 |3gmI..^.p.^.8.^.|
00000010 6c 6e 72 6b 45 50 59 54 20 00 00 00 04 00 00 00 |lnrkEPYT .......|
00000020 6c 6e 72 6b 00 00 00 00 00 00 00 00 00 00 00 00 |lnrk............|
00000030 00 00 00 00 41 54 41 44 2c a1 5e 00 16 a1 5e 00 |....ATAD,.^...^.|
00000040 04 59 a3 f2 af f3 29 69 38 f4 2f bb dd 7f 41 ae |.Y....)i8./...A.|
00000050 13 49 fa 56 4a cd bd 46 09 2c 77 6f 03 8c cc eb |.I.VJ..F.,wo....|
00000060 95 29 39 c2 2f 68 4f 18 5a c3 7d 5b 9c 12 8c ac |.)9./hO.Z.}[....|
00000070 8c f9 75 76 db a5 85 70 8d 90 7a ed 7b 94 b2 b3 |..uv...p..z.{...|
00000080 7b dc 95 5f de aa e6 0d 0b ad d6 94 ba dd 7e fe |{.._..........~.|
00000090 a8 aa e9 44 da b2 62 41 3a df dd 5e 24 f3 8a 76 |...D..bA:..^$..v|
000000a0 f2 3b 12 3f ab 7f da 60 d3 db ad 92 5c f3 90 ef |.;.?...`....\...|
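The hex dump on this slide is the start of an IMG3 container: a 20-byte header (magic, fullSize, sizeNoPack, sigCheckArea, ident) followed by tags, each with a four-character name, a total length and a data length. Four-character codes are little-endian words, which is why they appear reversed ('3gmI' for Img3, 'lnrk' for krnl, 'EPYT' for TYPE, 'ATAD' for DATA). The following parser is an added example, not code from the slides or from xpwntool: it walks the tag list with bounds checks on every length field, and builds a tiny constructed 'krnl' image (dummy payload, zeroed KBAG) to run against, since no decryption key is available here.

```python
import struct

# IMG3 container layout (the public format of iOS firmware images such as the kernelcache):
#   header : magic '3gmI' | fullSize | sizeNoPack | sigCheckArea | ident   (5 x uint32 LE)
#   tags   : magic | totalLength | dataLength | data | zero padding        (repeated)
# Four-character names are little-endian uint32s, so they appear reversed on disk,
# exactly as in the hex dump on the slide.
IMG3_MAGIC = b"3gmI"
HEADER = struct.Struct("<4sIII4s")    # 20 bytes
TAG_HDR = struct.Struct("<4sII")      # 12 bytes
MACHO_MAGIC_LE = b"\xce\xfa\xed\xfe"  # what a decrypted and unpacked DATA payload starts with


def _tag(name: bytes, data: bytes, pad_to: int = 0) -> bytes:
    """Serialise one tag; the name is stored reversed like every IMG3 four-character code."""
    total = max(TAG_HDR.size + len(data), pad_to)
    return (TAG_HDR.pack(name[::-1], total, len(data)) + data).ljust(total, b"\x00")


def build_sample_img3() -> bytes:
    """Constructed sample: a tiny 'krnl' IMG3, not a real kernelcache (payload is dummy bytes)."""
    payload = b"\xde\xad\xbe\xef" * 8                # stands in for the packed, AES-encrypted Mach-O
    tags = (
        _tag(b"TYPE", b"krnl"[::-1], pad_to=0x20)    # TYPE repeats the ident, 0x20 bytes total as in the dump
        + _tag(b"DATA", payload)
        + _tag(b"KBAG", bytes(0x38))                  # GID-wrapped IV+key; only the device can unwrap it
    )
    # sigCheckArea: size of the tag region covered by the signature (no SHSH/CERT in this sample)
    return HEADER.pack(IMG3_MAGIC, HEADER.size + len(tags), len(tags), len(tags), b"krnl"[::-1]) + tags


def parse_img3(blob: bytes) -> dict:
    """Walk the container and return its ident plus a {tag name: raw data} map."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for an IMG3 header")
    magic, full_size, size_no_pack, sig_area, ident = HEADER.unpack_from(blob, 0)
    if magic != IMG3_MAGIC:
        raise ValueError("not an IMG3 container")
    if full_size != len(blob) or size_no_pack != full_size - HEADER.size:
        raise ValueError("header sizes disagree with the blob length")
    tags, off = {}, HEADER.size
    while off < full_size:
        if full_size - off < TAG_HDR.size:
            raise ValueError(f"truncated tag header at 0x{off:x}")
        name, total, dlen = TAG_HDR.unpack_from(blob, off)
        # every length field is untrusted input from the image: bound-check before slicing
        if total < TAG_HDR.size + dlen or off + total > full_size:
            raise ValueError(f"malformed tag {name[::-1]!r} at 0x{off:x}")
        tags[name[::-1].decode("ascii")] = blob[off + TAG_HDR.size: off + TAG_HDR.size + dlen]
        off += total
    return {"ident": ident[::-1].decode("ascii"), "tags": tags, "sig_area": sig_area}


def is_unpacked_macho(data: bytes) -> bool:
    """True once the DATA payload has been decrypted and unpacked (xpwntool's job, not this script's)."""
    return data[:4] == MACHO_MAGIC_LE


if __name__ == "__main__":
    img = parse_img3(build_sample_img3())
    print(img["ident"], sorted(img["tags"]), is_unpacked_macho(img["tags"]["DATA"]))
```

Pointing `parse_img3` at a real kernelcache file shows the same TYPE/DATA tags as the dump; `is_unpacked_macho` stays False until the DATA payload has been decrypted with the IV/key and unpacked, which is the step xpwntool performs.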
14. Getting the iOS Kernelcache (III)
• decrypting and unpacking reveals an ARMv7 MACH-O binary
• all MACH-O tools will work out of the box with the kernelcache
• this includes IDA but also otool and MachOView
00000000 ce fa ed fe 0c 00 00 00 09 00 00 00 02 00 00 00 |................|
00000010 0b 00 00 00 d8 07 00 00 01 00 00 00 01 00 00 00 |................|
00000020 d0 01 00 00 5f 5f 54 45 58 54 00 00 00 00 00 00 |....__TEXT......|
00000030 00 00 00 00 00 10 00 80 00 d0 27 00 00 00 00 00 |..........'.....|
00000040 00 d0 27 00 05 00 00 00 05 00 00 00 06 00 00 00 |..'.............|
00000050 00 00 00 00 5f 5f 74 65 78 74 00 00 00 00 00 00 |....__text......|
00000060 00 00 00 00 5f 5f 54 45 58 54 00 00 00 00 00 00 |....__TEXT......|
00000070 00 00 00 00 00 20 00 80 dc 00 21 00 00 10 00 00 |..... ....!.....|
00000080 0c 00 00 00 00 00 00 00 00 00 00 00 00 04 00 80 |................|
00000090 00 00 00 00 00 00 00 00 5f 5f 63 73 74 72 69 6e |........__cstrin|
000000a0 67 00 00 00 00 00 00 00 5f 5f 54 45 58 54 00 00 |g.......__TEXT..|
15. Kernelcache is just a Mach-O Binary
16. Part III
Analysing the Kernelcache
17. iOS Kernelcache vs. IDA
• IDA can load the iOS kernelcache as an ARMv7 Mach-O binary
• however the autoanalysis will fail completely
• large parts not analysed
• code recognized as data and vice versa
• functions not marked as functions
• IDA clearly needs help
18. Helping IDA - Pointerlists
• pointerlists
• __constructor and __destructor contain pointers to code
• __sysctl_set is a pointerlist to sysctl_oid structs
• second __data section contains only pointers
• can be changed with an IDAPython script easily
19. Helping IDA - Kernel Extensions
• __PRELINK_TEXT seems to contain Mach-O files
• these files are the loaded KEXTs
• more than 130 of them
• IDA cannot handle this by default
• need an IDAPython script that finds all KEXTs and adds their segments
20. Helping IDA - findAndMarkKEXT.py
• IDAPython script that
• scans the __PRELINK_TEXT segment for Mach-O files
• adds new segments for each KEXT section
• marks code segments as THUMB code
• handles __destructor and __constructor
• adds kmod_info to sqlite database
• shows a list of KEXT
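The core of what slide 20 describes (and what the Mach-O dump on slide 14 shows the structure of) is a scan of __PRELINK_TEXT for embedded Mach-O headers, followed by walking each header's LC_SEGMENT commands and sections. The script below is an added example in plain Python, not the slides' findAndMarkKEXT.py, so the IDA calls that would create segments and set Thumb mode are replaced by returning plain descriptors; the "prelink" image it scans is constructed here from two minimal ARMv7 MH_KEXT_BUNDLE files plus a decoy magic value, and the structure layouts and constants come from <mach-o/loader.h>.

```python
import struct

# Constants from <mach-o/loader.h> and <mach/machine.h> (32-bit little-endian ARM kernelcache)
MH_MAGIC = 0xFEEDFACE             # serialised as ce fa ed fe, the first four bytes of slide 14's dump
CPU_TYPE_ARM = 0x0C
CPU_SUBTYPE_ARM_V7 = 9
MH_KEXT_BUNDLE = 0x0B
LC_SEGMENT = 0x01
S_ATTR_PURE_INSTRUCTIONS = 0x80000000
S_ATTR_SOME_INSTRUCTIONS = 0x00000400
S_CSTRING_LITERALS = 0x2
MACH_HEADER = struct.Struct("<7I")             # magic cputype cpusubtype filetype ncmds sizeofcmds flags
SEGMENT_CMD = struct.Struct("<II16sIIIIiiII")  # cmd cmdsize segname vmaddr vmsize fileoff filesize maxprot initprot nsects flags
SECTION = struct.Struct("<16s16s9I")           # sectname segname addr size offset align reloff nreloc flags reserved1 reserved2


def build_kext(vmaddr: int) -> bytes:
    """Constructed minimal ARMv7 MH_KEXT_BUNDLE: one __TEXT segment holding __text and __cstring."""
    body_off = MACH_HEADER.size + SEGMENT_CMD.size + 2 * SECTION.size
    body = bytes(0x100)                      # stand-in for code (first half) and strings (second half)
    text = SECTION.pack(b"__text", b"__TEXT", vmaddr + body_off, 0x80, body_off, 2, 0, 0,
                        S_ATTR_PURE_INSTRUCTIONS | S_ATTR_SOME_INSTRUCTIONS, 0, 0)
    cstr = SECTION.pack(b"__cstring", b"__TEXT", vmaddr + body_off + 0x80, 0x80, body_off + 0x80,
                        0, 0, 0, S_CSTRING_LITERALS, 0, 0)
    seg = SEGMENT_CMD.pack(LC_SEGMENT, SEGMENT_CMD.size + 2 * SECTION.size, b"__TEXT",
                           vmaddr, body_off + len(body), 0, body_off + len(body), 5, 5, 2, 0)
    hdr = MACH_HEADER.pack(MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_KEXT_BUNDLE,
                           1, len(seg) + 2 * SECTION.size, 0)
    return hdr + seg + text + cstr + body


def _plausible_header(blob: bytes, off: int) -> bool:
    """Reject magic bytes that occur by chance inside data: the header fields must make sense."""
    if off + MACH_HEADER.size > len(blob):
        return False
    _, cputype, _, _, ncmds, sizeofcmds, _ = MACH_HEADER.unpack_from(blob, off)
    return cputype == CPU_TYPE_ARM and 0 < ncmds < 256 and off + MACH_HEADER.size + sizeofcmds <= len(blob)


def parse_segments(blob: bytes, base: int) -> list:
    """Return the LC_SEGMENT commands (with their sections) of the Mach-O starting at `base`."""
    _, _, _, _, ncmds, _, _ = MACH_HEADER.unpack_from(blob, base)
    off, segments = base + MACH_HEADER.size, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8:
            raise ValueError(f"bad load command size at 0x{off:x}")
        if cmd == LC_SEGMENT:
            _, _, segname, vmaddr, vmsize, fileoff, _, _, _, nsects, _ = SEGMENT_CMD.unpack_from(blob, off)
            sections = []
            for i in range(nsects):
                s = SECTION.unpack_from(blob, off + SEGMENT_CMD.size + i * SECTION.size)
                sections.append({
                    "name": s[0].rstrip(b"\0").decode(),
                    "addr": s[2], "size": s[3], "file_offset": base + s[4],
                    # S_ATTR_SOME_INSTRUCTIONS marks code: this is where an IDA script would
                    # create the section as a code segment and set the T (Thumb) register to 1
                    "code": bool(s[8] & S_ATTR_SOME_INSTRUCTIONS),
                })
            segments.append({"name": segname.rstrip(b"\0").decode(), "vmaddr": vmaddr,
                             "vmsize": vmsize, "file_offset": base + fileoff, "sections": sections})
        off += cmdsize
    return segments


def find_kexts(prelink_text: bytes) -> list:
    """Scan a __PRELINK_TEXT image for embedded Mach-O headers and describe each one's segments."""
    needle = struct.pack("<I", MH_MAGIC)
    found, off = [], prelink_text.find(needle)
    while off != -1:
        if _plausible_header(prelink_text, off):
            found.append({"offset": off, "segments": parse_segments(prelink_text, off)})
        off = prelink_text.find(needle, off + 1)
    return found


def build_sample_prelink() -> bytes:
    """Constructed stand-in for __PRELINK_TEXT: two kexts plus a decoy magic with a nonsense header."""
    decoy = struct.pack("<I", MH_MAGIC) + bytes(0x1c)   # cputype 0: must be rejected by the scan
    return bytes(0x40) + build_kext(0x8F000000) + decoy + build_kext(0x8F100000)


if __name__ == "__main__":
    for kext in find_kexts(build_sample_prelink()):
        print(hex(kext["offset"]), [(s["name"], hex(s["addr"]), s["code"])
                                    for s in kext["segments"][0]["sections"]])
```

The header sanity check matters in practice: the magic value is only four bytes and does turn up inside string tables and data, so a scanner that trusts every hit will create bogus segments. Inside IDA the descriptors map onto segment-creation and Thumb-mode calls; the slide's script additionally reads each kext's kmod_info, which this example does not construct.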
21. Helping IDA - findAndMarkKEXT.py
22. Functions and Code
• after performing previous fixups IDA is already a lot better
• however a lot of functions are not recognized
• script that scans for code outside of functions and creates functions
• many cases still require manual work
23. IOKit Driver Classes (I)
• IOKit drivers are implemented in a subset of C++
• classes and their method tables can be found in kernelcache
• main kernel IOKit classes even come with symbols
24. IOKit Driver Classes (II) - MetaClass
• most iOS IOKit classes come without symbols
• however IOKit defines for almost all classes a so called MetaClass
• MetaClass contains runtime information about the original object
• constructors of MetaClasses leak the name and parent objects
R1 = Object Name
R2 = Parent's MetaClass
R3 = Methods of MetaClass
25. IOKit Object Hierarchy - Full View
• all MetaClasses can be found through xrefs of __ZN11OSMetaClassC2EPKcPKS_j
• allows determining the names of almost all IOKit classes (around 760)
• allows building the IOKit object hierarchy tree
26. IOKit Object Hierarchy - Zoomed
27. Part IV
iOS Kernel Where Are your Symbols?
28. iOS Kernel Symbols ???
• iOS kernel contains around 4000 symbols
• but more than 30000 functions and many more variables
• Apple won't help us (at least willingly)
• need to combine several methods to get more symbols
29. Kernel Symbols - Manual Symbolization
Manual Symbolization will only take forever...
30. Little Helpers
• porting all symbols manually will take forever
• we can automate porting common structs
• pointer list
• arrays of structs
• special helper for porting sysctl_set
31. Zynamics' BinDiff
• Zynamics' BinDiff is a great tool
• not only to find differences in binaries
• but also to port symbols
• even cross platform
• Using BinDiff to diff the OS X kernel against iOS 4.3.2
• works but initially gives bad results
• other ways to add symbols are required
• BinDiff can then be repeated
32. Zynamics' BinDiff - Demo (I)
33. Zynamics' BinDiff - Demo (II)
34. Using IOKit Class Hierarchy for Symbols
• most IOKit classes are without symbols
• however they are derived from base IOKit classes with symbols
• we can create symbols for overridden methods
Some Methods from AppleBasebandUserClient
__const:8043A270 DCD __ZN9IOService12tellChangeUpEm+1
__const:8043A274 DCD __ZN9IOService16allowPowerChangeEm+1
__const:8043A278 DCD __ZN9IOService17cancelPowerChangeEm+1
__const:8043A27C DCD __ZN9IOService15powerChangeDoneEm+1
__const:8043A280 DCD loc_80437D80+1
__const:8043A284 DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmy+1
__const:8043A288 DCD __ZN12IOUserClient12initWithTaskEP4taskPvmP12OSDictionary+1
__const:8043A28C DCD __ZN12IOUserClient12initWithTaskEP4taskPvm+1
__const:8043A290 DCD sub_80437D5C+1
__const:8043A294 DCD __ZN12IOUserClient10clientDiedEv+1
__const:8043A298 DCD __ZN12IOUserClient10getServiceEv+1
__const:8043A29C DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmm+1
__const:8043A2A0 DCD __ZN12IOUserClient24getNotificationSemaphoreEmPP9semaphore+1
35. Using IOKit Class Hierarchy for Symbols
• most IOKit classes are without symbols
• however they are derived from base IOKit classes with symbols
• we can create symbols for overridden methods
Same Methods from IOUserClient
__const:80270100 DCD __ZN9IOService12tellChangeUpEm+1
__const:80270104 DCD __ZN9IOService16allowPowerChangeEm+1
__const:80270108 DCD __ZN9IOService17cancelPowerChangeEm+1
__const:8027010C DCD __ZN9IOService15powerChangeDoneEm+1
__const:80270110 DCD __ZN12IOUserClient14externalMethodEjP25IOExternalMet...
__const:80270114 DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmy+1
__const:80270118 DCD __ZN12IOUserClient12initWithTaskEP4taskPvmP12OSDictionary+1
__const:8027011C DCD __ZN12IOUserClient12initWithTaskEP4taskPvm+1
__const:80270120 DCD __ZN12IOUserClient11clientCloseEv+1
__const:80270124 DCD __ZN12IOUserClient10clientDiedEv+1
__const:80270128 DCD __ZN12IOUserClient10getServiceEv+1
__const:8027012C DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmm+1
__const:80270130 DCD __ZN12IOUserClient24getNotificationSemaphoreEmPP9semaphore+1
Some Methods from AppleBasebandUserClient
__const:8043A270 DCD __ZN9IOService12tellChangeUpEm+1
__const:8043A274 DCD __ZN9IOService16allowPowerChangeEm+1
__const:8043A278 DCD __ZN9IOService17cancelPowerChangeEm+1
__const:8043A27C DCD __ZN9IOService15powerChangeDoneEm+1
__const:8043A280 DCD loc_80437D80+1
__const:8043A284 DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmy+1
__const:8043A288 DCD __ZN12IOUserClient12initWithTaskEP4taskPvmP12OSDictionary+1
__const:8043A28C DCD __ZN12IOUserClient12initWithTaskEP4taskPvm+1
__const:8043A290 DCD sub_80437D5C+1
__const:8043A294 DCD __ZN12IOUserClient10clientDiedEv+1
__const:8043A298 DCD __ZN12IOUserClient10getServiceEv+1
__const:8043A29C DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmm+1
__const:8043A2A0 DCD __ZN12IOUserClient24getNotificationSemaphoreEmPP9semaphore+1
36. Using IOKit Class Hierarchy for Symbols
➡ borrowing from the parent class we get
• AppleBasebandUserClient::externalMethod(unsigned int, IOExternalMethodArguments *,
IOExternalMethodDispatch *, OSObject *, void *)
• AppleBasebandUserClient::clientClose(void)
Symbolized Methods from AppleBasebandUserClient
__const:8043A270 DCD __ZN9IOService12tellChangeUpEm+1
__const:8043A274 DCD __ZN9IOService16allowPowerChangeEm+1
__const:8043A278 DCD __ZN9IOService17cancelPowerChangeEm+1
__const:8043A27C DCD __ZN9IOService15powerChangeDoneEm+1
__const:8043A280 DCD __ZN23AppleBasebandUserClient14externalMethodEjP25IOExtern...
__const:8043A284 DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmy+1
__const:8043A288 DCD __ZN12IOUserClient12initWithTaskEP4taskPvmP12OSDictionary+1
__const:8043A28C DCD __ZN12IOUserClient12initWithTaskEP4taskPvm+1
__const:8043A290 DCD __ZN23AppleBasebandUserClient11clientCloseEv+1
__const:8043A294 DCD __ZN12IOUserClient10clientDiedEv+1
__const:8043A298 DCD __ZN12IOUserClient10getServiceEv+1
__const:8043A29C DCD __ZN12IOUserClient24registerNotificationPortEP8ipc_portmm+1
__const:8043A2A0 DCD __ZN12IOUserClient24getNotificationSemaphoreEmPP9semaphore+1
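The renaming step of slides 34 to 36 as an added example in plain Python; this is not Esser's IDAPython script. It takes the parent's vtable (symbolized) and the child's vtable (with IDA's sub_/loc_ placeholders) as lists of the strings IDA shows in the DCD entries and, for each placeholder slot, rewrites the parent's mangled name so its outermost class component becomes the child class, exactly the transformation that turns __ZN12IOUserClient11clientCloseEv into __ZN23AppleBasebandUserClient11clientCloseEv. The sample vtables are cut down from the two listings above; the full mangled name used for externalMethod is assumed from the demangled signature on this slide. The method assumes single inheritance, so slot i in the child is the same virtual method as slot i in the parent, which holds for the IOKit C++ subset; slots the child adds beyond the parent's vtable length have nothing to borrow and are left alone.

```python
import re

UNNAMED = re.compile(r"^(sub|loc)_[0-9A-Fa-f]+$")   # IDA's placeholder function names

# Constructed sample: corresponding slots of the IOUserClient and AppleBasebandUserClient
# vtables from the listings above ("+1" is IDA marking a Thumb entry point).
PARENT_VTABLE = [
    "__ZN9IOService12tellChangeUpEm+1",
    "__ZN12IOUserClient14externalMethodEjP25IOExternalMethodArgumentsP24IOExternalMethodDispatchP8OSObjectPv+1",
    "__ZN12IOUserClient24registerNotificationPortEP8ipc_portmy+1",
    "__ZN12IOUserClient11clientCloseEv+1",
    "__ZN12IOUserClient10clientDiedEv+1",
]
CHILD_VTABLE = [
    "__ZN9IOService12tellChangeUpEm+1",
    "loc_80437D80+1",
    "__ZN12IOUserClient24registerNotificationPortEP8ipc_portmy+1",
    "sub_80437D5C+1",
    "__ZN12IOUserClient10clientDiedEv+1",
    "sub_80437E00+1",          # assumed extra virtual introduced by the child (not in the listing)
]


def strip_thumb(entry):
    """Separate IDA's '+1' Thumb marker from the symbol name."""
    return (entry[:-2], "+1") if entry.endswith("+1") else (entry, "")


def split_mangled(sym):
    """'__ZN<len><Class><rest>' -> (Class, rest), or None if sym is not a nested-name mangling."""
    if not sym.startswith("__ZN"):
        return None
    i = j = 4
    while j < len(sym) and sym[j].isdigit():
        j += 1
    if j == i:
        return None
    n = int(sym[i:j])
    cls = sym[j:j + n]
    return (cls, sym[j + n:]) if len(cls) == n else None


def retarget(sym, new_cls):
    """Rewrite the outermost class of a mangled method: Parent::m(...) -> new_cls::m(...)."""
    parts = split_mangled(sym)
    if parts is None:
        return None
    return "__ZN%d%s%s" % (len(new_cls), new_cls, parts[1])


def class_and_method(sym):
    """Minimal demangle to ('Class', 'method'); ctors/dtors come back as 'C1', 'C2', 'D0', ..."""
    parts = split_mangled(sym)
    if parts is None:
        return None
    cls, rest = parts
    m = re.match(r"(\d+)", rest)
    if m is None:
        return cls, rest[:2]
    n = len(m.group(1))
    return cls, rest[n:n + int(m.group(1))]


def symbolize_vtable(parent, child, child_cls):
    """Return (new child vtable, renames). A placeholder in slot i gets the parent's symbol
    for slot i with the class swapped; the renames list is what you would feed to MakeName()."""
    out, renames = list(child), []
    for i, entry in enumerate(child):
        base, thumb = strip_thumb(entry)
        if not UNNAMED.match(base) or i >= len(parent):
            continue
        new = retarget(strip_thumb(parent[i])[0], child_cls)
        if new is None:
            continue
        out[i] = new + thumb
        renames.append((i, entry, out[i]))
    return out, renames


if __name__ == "__main__":
    _, renames = symbolize_vtable(PARENT_VTABLE, CHILD_VTABLE, "AppleBasebandUserClient")
    for slot, old, new in renames:
        print("slot %2d: %-16s -> %s::%s" % ((slot, old) + class_and_method(strip_thumb(new)[0])))
```

Two caveats when running this over a real kernelcache: a placeholder whose parent slot is itself unnamed (the parent vtable was not symbolized either) is skipped rather than guessed, and a slot that points at a pure-virtual stub in the parent will be renamed to the child's method, which is correct because the child must implement it.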
37. Exporting Symbols
• IDA cannot export symbols back into Mach-O files
• no easy way to use symbols with GDB
• little helper IDAPython symbol exporter was developed
38. Part V
iOS Kernel Attack Surface
39. iOS Kernel Attack Surface
• simple rule: you can only attack the kernel where it interfaces with
• user space code
• the network
• the hardware
• the filesystem
40. Attacking from User Space - Syscalls
• syscalls are directly callable from user space
• for all OS X syscalls source code is available
• however iOS has 8 additional syscalls
• after syscall table is found syscall handlers can be audited
41. Finding and Marking the Syscall Table
• Apple removed symbols _sysent and _nsysent
• however the syscall table is still easy to find
➡ _nsysent = _kdebug_enable - 4
➡ _sysent = _nsysent - (*_nsysent * 36)
42. Attacking from User Space - Mach-Traps
• Mach-traps are the “syscalls“ of the mach subsystem
• harder to find because no symbols nearby
• best solution is to search for string references
• interesting string is “kern_invalid mach trap“
• function “kern_invalid“ will be repeatedly referenced
from mach trap handler table
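Both table-locating steps from slides 41 and 42, as an added example in plain Python that is not the toolkit's IDA script. It runs against a constructed little-endian image with a read32() standing in for IDA's Dword(). The sysent half applies the two formulas from slide 41 with the 36-byte entry size the slide gives for iOS 4.3. The Mach trap half implements this slide's heuristic: once kern_invalid is known, a table in which the same function pointer repeats at a fixed stride stands out, so the scan collects every word equal to kern_invalid (with or without the Thumb bit), takes the most common spacing between hits as the entry size and returns the longest evenly spaced run. The trap entry layout in the sample (20 bytes, function pointer at offset 4), the syscall count of 440 and all addresses are made up for the sample; real values come from the kernelcache.

```python
import struct
from collections import Counter

SYSENT_SIZE = 36   # sizeof(struct sysent) on iOS 4.3 ARM, as stated on slide 41
THUMB = 1          # low bit set in pointers to Thumb code (IDA shows it as "+1")


def read32(image, base, addr):
    """Little-endian 32-bit read at a virtual address; stands in for IDA's Dword()."""
    return struct.unpack_from("<I", image, addr - base)[0]


def locate_sysent(image, base, kdebug_enable):
    """_nsysent = _kdebug_enable - 4 ; _sysent = _nsysent - (*_nsysent * 36)"""
    nsysent_addr = kdebug_enable - 4
    nsysent = read32(image, base, nsysent_addr)
    if not 0 < nsysent < 2048:   # loose plausibility bound only, not the real count
        raise ValueError("implausible nsysent %d: wrong kdebug_enable address?" % nsysent)
    sysent = nsysent_addr - nsysent * SYSENT_SIZE
    return nsysent_addr, nsysent, sysent


def sysent_entry(sysent, number):
    """Address of the struct sysent for syscall `number`."""
    return sysent + number * SYSENT_SIZE


def find_mach_trap_table(image, base, kern_invalid, min_run=4):
    """Return (address of first kern_invalid slot, stride, run length) of the longest run of
    evenly spaced references to kern_invalid, or None. Subtract the function pointer's offset
    within a trap entry (read off the entry layout) to get the table start."""
    targets = {kern_invalid, kern_invalid | THUMB}
    hits = [base + off for off in range(0, len(image) - 3, 4)
            if struct.unpack_from("<I", image, off)[0] in targets]
    if len(hits) < min_run:
        return None
    gaps = Counter(b - a for a, b in zip(hits, hits[1:]))
    stride = gaps.most_common(1)[0][0]
    best = (None, 0)
    run_start, run_len = hits[0], 1
    for a, b in zip(hits, hits[1:]):
        if b - a == stride:
            run_len += 1
        else:
            best = max(best, (run_start, run_len), key=lambda t: t[1])
            run_start, run_len = b, 1
    best = max(best, (run_start, run_len), key=lambda t: t[1])
    if best[1] < min_run:
        return None
    return best[0], stride, best[1]


def build_sample_image():
    """Constructed 32 KiB kernelcache fragment at base 0x80000000; all values are made up."""
    base = 0x80000000
    img = bytearray(0x8000)
    kern_invalid = 0x80000800
    # two stray references to kern_invalid, like literal-pool words in code
    for addr in (0x80000400, 0x80000c00):
        struct.pack_into("<I", img, addr - base, kern_invalid | THUMB)
    # assumed trap table layout: 20-byte entries {argc, function, munge32, munge64, pad};
    # in the sample traps 0-9 are kern_invalid and 10-11 point at real handlers
    trap_table = 0x80002000
    for n in range(12):
        fn = kern_invalid | THUMB if n < 10 else (0x80001000 + 0x100 * n) | THUMB
        struct.pack_into("<IIIII", img, trap_table - base + 20 * n, 0, fn, 0, 0, 0)
    # kdebug_enable near the top; nsysent (440 in the sample) sits 4 bytes below it
    kdebug_enable = base + 0x7ffc
    struct.pack_into("<I", img, kdebug_enable - 4 - base, 440)
    return bytes(img), base, kern_invalid, trap_table, kdebug_enable


if __name__ == "__main__":
    img, base, kern_invalid, trap_table, kdebug_enable = build_sample_image()
    print("nsysent at %08x, %d entries, sysent at %08x" % locate_sysent(img, base, kdebug_enable))
    print("first kern_invalid slot %08x, stride %d, run %d" % find_mach_trap_table(img, base, kern_invalid))
```

The stray references are there on purpose: a naive "first xref wins" approach would land on a literal pool in code, while the stride-and-run test ignores isolated hits. On a real image the run length and stride tell you the trap entry size and how many leading traps are unused, and the table start is the first slot minus the function pointer's offset in the entry.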
43. Attacking through Network Protocols
• network protocols are added by net_add_proto()
• script scanning for xrefs can find all defined network protocols
• dumping content of protosw and domain structures
• interesting for vulnerability research are
• setsockopt handler
• network packet parser
44. Attacking through Network Protocols (II)
main kernel
-----------
net_add_proto() call at 800eb3c6
type: 0 - protocol: 00000000 - domain: internet
type: DGRAM - protocol: 00000011 - domain: internet
-> setsockopt handler at 800f8e95
-> packet parser at 800f9001
type: STREAM - protocol: 00000006 - domain: internet
-> setsockopt handler at 800f7a95
-> packet parser at 800ef249
type: RAW - protocol: 000000ff - domain: internet
-> setsockopt handler at 800edfc1
-> packet parser at 800ee28d
type: RAW - protocol: 00000001 - domain: internet
-> setsockopt handler at 800edfc1
-> packet parser at 800e8fa5
45. Attacking through Network Protocols (III)
net_add_proto() call at 8027ce2c
type: STREAM - protocol: 00000000 - domain: unix
-> setsockopt handler at 8019e7b5
type: DGRAM - protocol: 00000000 - domain: unix
-> setsockopt handler at 8019e7b5
com.apple.nke.ppp
-----------------
net_add_proto() call at 808179ca
type: RAW - protocol: 00000001 - domain: PPP
com.apple.nke.pptp
------------------
net_add_proto() call too complex for this script at 80a84774
---
com.apple.nke.l2tp
------------------
net_add_proto() call too complex for this script at 8081f714
46. Attacking through Devices
• character and block devices added by the functions
• cdevsw_add()
• cdevsw_add_with_bdev()
• bdevsw_add()
• script scanning for xrefs can find all defined devices
• interesting for vulnerability research are the ioctl handlers
47. Attacking through Devices (II)
com.apple.driver.AppleOnboardSerial
-----------------------------------
_cdevsw_add() call at 8042842a
-> ioctl handler at 804282e1
com.apple.driver.AppleReliableSerialLayer
-----------------------------------------
_cdevsw_add() call at 8043373e
-> ioctl handler at 80432525
com.apple.driver.AppleSerialMultiplexer
---------------------------------------
_cdevsw_add() call at 80456e26
-> ioctl handler at 80455d2d
_cdevsw_add() call at 8045cbd4
-> ioctl handler at 8018243d
com.company.driver.modulename
-----------------------------
_cdevsw_add() call at 80490a08
-> ioctl handler at 8049184d
_cdevsw_add() call at 8049118c
-> ioctl handler at 8049184d
_bdevsw_add() call at 804909ee
-> ioctl handler at 80492201
_bdevsw_add() call at 80491172
-> ioctl handler at 80492201
com.apple.iokit.IO80211Family
-----------------------------
_cdevsw_add() call at 8057252c
-> ioctl handler at 80571ab9
com.apple.iokit.IOCryptoAcceleratorFamily
-----------------------------------------
_cdevsw_add() call at 805410d0
-> ioctl handler at 80540529
_cdevsw_add() call at 80542014
-> ioctl handler at 805419a9
48. Attacking from User-Land: Sysctl
• sysctl is an interface that gives user-land access to kernel variables
• sysctl variables get added by the functions
• sysctl_register_oid()
• sysctl_register_set() / sysctl_register_all()
• script scanning for xrefs can find all defined sysctl variables
• interesting for vulnerability research are
• sysctl handlers
• writeable variables
49. Dumping List of Sysctl Handlers
main kernel
-----------
sysctl handler at 8017a805 (sub_8017A804)
sysctl handler at 8017c015 (_sysctl_handle_quad)
sysctl handler at 8017ae21 (sub_8017AE20)
sysctl handler at 80089625 (sub_80089624)
sysctl handler at 8017b2b1 (sub_8017B2B0)
sysctl handler at 8019ce29 (sub_8019CE28)
sysctl handler at 8017c231 (sub_8017C230)
sysctl handler at 8017e23d (sub_8017E23C)
sysctl handler at 8017a1b5 (sub_8017A1B4)
sysctl handler at 8017a441 (sub_8017A440)
sysctl handler at 800f4445 (sub_800F4444)
sysctl handler at 8011cc49 (sub_8011CC48)
sysctl handler at 8017a84d (sub_8017A84C)
sysctl handler at 8008c051 (sub_8008C050)
sysctl handler at 8017e1b9 (sub_8017E1B8)
...
com.apple.iokit.AppleProfileFamily
----------------------------------
sysctl handler at 8039ef51 (sub_8039EF50)
com.apple.driver.AppleD1815PMU
------------------------------
sysctl handler at 807b513d
com.apple.iokit.IOUSBFamily
---------------------------
sysctl handler at 803cd165 (sub_803CD164)
com.apple.iokit.IOUSBMassStorageClass
-------------------------------------
sysctl handler at 808dd019
com.apple.driver.AppleARMPlatform
---------------------------------
sysctl handler at 8036ecf1 (sub_8036ECF0)
com.apple.iokit.IOSCSIArchitectureModelFamily
---------------------------------------------
sysctl handler at 80794cd1 (sub_80794CD0)
50. Dumping Writeable Sysctl Variables
com.apple.iokit.IOSCSIArchitectureModelFamily
---------------------------------------------
sysctl_register_oid() call at 80794e1c - struct at 80796a88
-> sysctl name: debug.SCSIArchitectureModel
-> sysctl handler: 80794cd1 (sub_80794CD0)
sysctl_register_oid() call at 80794ef0 - struct at 80796a88
-> sysctl name: debug.SCSIArchitectureModel
-> sysctl handler: 80794cd1 (sub_80794CD0)
com.apple.driver.AppleProfileThreadInfoAction
---------------------------------------------
sysctl_register_oid() call at 803f1c6e - struct at 803f2700
-> sysctl name: appleprofile.actions.threadinfo.default_continuous_buffer_size
-> sysctl handler: 8017bfb9 (_sysctl_handle_int)
-> var address: 803f2760 00000000
sysctl_register_oid() call at 803f1c72 - struct at 803f2730
-> sysctl name: appleprofile.actions.threadinfo.max_memory
-> sysctl handler: 8017bfb9 (_sysctl_handle_int)
-> var address: 803f281c 00000000
com.apple.security.sandbox
--------------------------
sysctl_register_oid() call at 8093647a - struct at 8093b57c
-> sysctl name: security.mac.sandbox.debug_mode
-> sysctl handler: 8017bfb9 (_sysctl_handle_int)
-> var address: 8093b548 00000000
51. Attacking from User-Land: IOKit Drivers
• IOKit drivers can also talk with user-space through their objects
• all classes derived from IOUserClient are reachable from user space
• script can list all classes derived from IOUserClient
• e.g. user-space baseband method calls will go through this method
• AppleBasebandUserClient::externalMethod(unsigned int, IOExternalMethodArguments *,
IOExternalMethodDispatch *, OSObject *, void *)
52. Part VI
iOS Kernel Debugging
53. iOS Kernel Debugging
• no support for kernel level debugging by iOS SDK
• developers are not supposed to do kernel work anyway
• strings inside kernelcache indicate the presence of debugging code
• boot arg “debug“ is used
• and code of KDP seems there
54. KDP on iOS 4
• the OS X kernel debugger KDP is obviously inside the iOS kernel
• but KDP does only work via ethernet or serial interface
• how to communicate with KDP?
• the iPhone / iPad do not have ethernet or serial, do they?
55. iPhone Dock Connector (Pin-Out)
iPhone Dock Connector has PINs for
- Line Out / In
- Video Out
- USB
- FireWire
- Serial
PIN   Description
1,2   GND
3     Line Out - R+
4     Line Out - L+
5     Line In - R+
6     Line In - L+
8     Video Out
9     S-Video CHR Output
10    S-Video LUM Output
11    GND
12    Serial TxD
13    Serial RxD
14    NC
15,16 GND
17    NC
18    3.3V Power
19,20 12V FireWire Power
21    Accessory Indicator/Serial Enable
22    FireWire Data TPA-
23    USB Power 5 VDC
24    FireWire Data TPA+
25    USB Data -
26    FireWire Data TPB-
27    USB Data +
28    FireWire Data TPB+
29,30 GND
56. USB Serial to iPhone Dock Connector
• 2 x mini-USB-B to USB-A cable
• 470 kΩ resistor
• Breakout Board
• FT232RL USB to Serial
• PodGizmo Connector
57. Ingredients (I)
• 470 kΩ resistor
• used to bridge pin 1 and 21
• activates the UART
• costs a few cents
58. Ingredients (II)
• PodBreakout
• easy access to dock connector pins
• some revisions have reversed pins
• even I was able to solder this
• about 12 EUR
59. Ingredients (III)
• FT232RL Breakout Board
• USB to Serial Converter
• also very easy to solder
• about 10 EUR
60. Ingredients (IV)
• USB cables
• type A -> mini type B
• provides us with wires and connectors
• costs a few EUR
61. Final USB and USB Serial Cable
• attaching a USB type A connector to the USB pins is very useful
• we can now do SSH over USB
• and kernel debug via serial line at the same time
62. GDB and iOS KDP
• GDB coming with the iOS SDK has ARM support
• it also has KDP support
• however it can only speak KDP over UDP
• KDP over serial is not supported
63. KDP over serial
• KDP over serial is sending fake ethernet UDP over serial
• SerialKDPProxy by David Elliott is able to act as serial/UDP proxy
$ SerialKDPProxy /dev/tty.usbserial-A600exos
Opening Serial
Waiting for packets, pid=362
^@AppleS5L8930XIO::start: chip-revision: C0
AppleS5L8930XIO::start: PIO Errors Enabled
AppleARMPL192VIC::start: _vicBaseAddress = 0xccaf5000
AppleS5L8930XGPIOIC::start: gpioicBaseAddress: 0xc537a000
AppleARMPerformanceController::traceBufferCreate: _pcTraceBuffer: 0xcca3a000 ...
AppleS5L8930XPerformanceController::start: _pcBaseAddress: 0xccb3d000
AppleARMPerformanceController configured with 1 Performance Domains
AppleS5L8900XI2SController::start: i2s0 i2sBaseAddress: 0xcb3ce400 i2sVersion: 2
...
AppleS5L8930XUSBPhy::start : registers at virtual: 0xcb3d5000, physical: 0x86000000
AppleVXD375 - start (provider 0x828bca00)
AppleVXD375 - compiled on Apr 4 2011 10:19:48
64. Activating KDP on the iPhone
• KDP is only activated if the boot-arg “debug“ is set
• boot-args can be set with special version of redsn0w / syringe
• or faked with a custom kernel
• patch your kernel to get into KDP anytime (e.g. breakpoint in unused syscall)
Name Value Meaning
DB_HALT 0x01 Halt at boot-time and wait for debugger attach.
DB_KPRT 0x08 Send kernel debugging kprintf output to serial port.
... ... Other values might work but might be complicated to use.
65. Using GDB...
$ /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gdb -arch armv7
kernelcache.iPod4,1_4.3.2_8H7.symbolized
GNU gdb 6.3.50-20050815 (Apple version gdb-1510) (Fri Oct 22 04:12:10 UTC 2010)
...
(gdb) target remote-kdp
(gdb) attach 127.0.0.1
Connected.
(gdb) i r
r0             0x0        0
r1             0x1        1
r2             0x0        0
r3             0x1        1
r4             0x0        0
r5             0x8021c814 -2145269740
r6             0x0        0
r7             0xc5a13efc -979288324
r8             0x0        0
r9             0x27       39
r10            0x0        0
r11            0x0        0
r12            0x802881f4 -2144828940
sp             0xc5a13ee4 -979288348
lr             0x8006d971 -2147034767
pc             0x8006e110 -2147032816
66. Thank you for listening...
QUESTIONS ?
67. Links
• xpwntool - https://github.com/iH8sn0w/xpwn
• SerialKDPProxy - http://tgwbd.org/svn/Darwin/SerialKDPProxy/trunk/
• IDA Scripts used during presentation soon at - http://antid0te.com/idaiostoolkit/