logo

Debug for Bug: Crack and Hack Apple Core by Itself - Fun and Profit to Debug and Fuzz Apple Kernel by lldb Script

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation discusses hidden interfaces in graphic drivers and how they can be exploited for attacks. It also introduces an automatic measure to detect these interfaces.
  • Hidden interfaces in graphic drivers can be exploited for attacks
  • Automatic measure introduced to detect these interfaces
  • Shared memory can be used to map user space hardware into kernel
  • Process sideband power function can be a target for hidden interfaces
The presentation provides a pattern for identifying hidden service functions that refer to shared memory data and copy them into another object to call the cause hazard despair functions. The process sideband power function is an example of such a function.

Abstract

As we know for security researchers, almost every operation system vendor has highly raised the bar of security vulnerability credit or bonus criteria and lots of security mitigations such CFI on Android 9 or PAC based on hardware on iOS 12 have been integrated to vendor system.What is more, industrial standard fuzzers (typical as AFL, syzkaller based on code coverage feedback) have been deployed on large scale. The survival space of bug hunting left for security researchers seems to be much smaller. Code reviewing based on threat expert knowledge seems to be the only way but which is obvious time consuming and dummy effort.Any idea on how to break the deadlock now? As security researchers, maybe you could try our debug fuzzer for bug hunt. This method we pledged has been verified to be effective to find and expand new attack interface but also flexible, scalable and scriptable for vulnerability research utilities. Based on our fuzzing methodology, we found dozens of vulnerabilities, including double free, oob read/write etc. which we will provide a detailed analysis of. However, these 10 vulnerabilities is the only part of we found, others will be analyzed later and submitted to Apple.

Materials:

Tags: