Eternal War in XNU Kernel Objects

Conference:  BlackHat EU 2018



The presentation discusses the XNU kernel of iOS and macOS and proposes a defense mechanism called XKOP to protect the integrity of kernel objects. The effectiveness of XKOP is evaluated through experiments.
  • The XNU kernel used by iOS and macOS deploys mitigation techniques that make traditional exploit techniques ineffective
  • A new kind of attack, called PKOOP, leverages multiple ipc_port kernel objects to bypass these mitigations
  • The XKOP defense mechanism replaces the original code entry of the target system call with a trampoline and verifies the integrity of the target kernel object through four examiners
  • Experimental results show that XKOP provides deterministic protection against the tested kernel vulnerabilities and available exploits
The experimental results show that XKOP was able to detect and block exploitation attempts such as the Yalu exploit, which used pid_for_task to perform its first kernel memory read. However, XKOP was unable to mitigate all kinds of PKOOP primitives, such as the clearing primitive, which uses error return values as an extra source of information. The presenter also notes that modern kernels can be patched with pure data, so kernel memory read and write primitives alone are enough for attackers to accomplish their goals.


Jailbreaking, in general, means breaking a device out of its "jail." Apple devices (e.g., iPhone, iPad, Apple Watch) are the most famous "jailed" devices in the world. iOS, macOS, watchOS, and tvOS are operating systems developed by Apple Inc. and used in Apple devices. All of them share the same hybrid kernel, XNU. To jailbreak a device, attackers need to patch the kernel to disable the corresponding security measures. An essential precondition for kernel patching is a stable arbitrary kernel memory read and write capability, obtained through kernel vulnerabilities. It is a consensus in security that there is no system without flaws; therefore, the only thing Apple can do is add an increasing number of mitigations. However, "villains can always outsmart": attackers can always find a way to bypass them.

In this talk, we perform a systematic assessment of the mitigation strategies recently deployed by Apple. We demonstrate that most of these defenses can be bypassed by corrupting unsafe kernel objects. We summarize this type of attack as ipc_port Kernel Object-Oriented Programming (PKOOP). More specifically, we show realistic attack scenarios that achieve full control of the latest XNU version. To defend against PKOOP attacks, we propose XNU Kernel Object Protector (XKOP), which significantly reduces the number of possible targets among unprotected kernel objects. XKOP is a framework that hooks the related system calls to check the integrity of risky kernel objects without modifying the system. We believe that our assessment and framework are constructive contributions to the design and implementation of a secure XNU kernel.
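To make concrete both the pid_for_task read primitive mentioned in the summary above and the trampoline-plus-examiner idea behind XKOP described in the summary and the abstract, the following is an added user-space model written for this page. It is not code from the talk, from XKOP, or from XNU: the struct layouts (a proc with p_pid at offset 0x10, a task whose first field is bsd_info), the "zone" arrays standing in for kernel allocators, the error code value, and the single examiner are all simplifying assumptions. The attacker is assumed to have already corrupted one ipc_port so that its ip_kobject points at a fake task object under their control; the model shows why the unchecked handler then leaks four bytes from an arbitrary address, and how an examiner in front of the handler refuses the fake object while still serving a legitimate one.

```c
/* Constructed model of a Yalu-style pid_for_task kernel read and an
 * XKOP-style examiner trampoline. Not XNU code: layouts, zone bounds,
 * error values and the examiner are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERN_SUCCESS          0
#define KERN_INVALID_ARGUMENT 4   /* assumed value for this model */
#define MAX_PORTS             8
#define IKOT_TASK             2   /* assumed kobject type tag */

struct proc     { char pad[0x10]; int p_pid; };     /* p_pid offset assumed 0x10 */
struct task     { void *bsd_info; };                /* task -> owning proc */
struct ipc_port { void *ip_kobject; int ip_kotype; };

/* "Kernel zones": legitimate task and proc objects live only here. */
static struct task task_zone[4];
static struct proc proc_zone[4];
/* Some other kernel memory holding a secret the attacker wants to read. */
static uint32_t kernel_mem[16];
/* Port name table: the model of one process's IPC space. */
static struct ipc_port port_table[MAX_PORTS];

static struct task *convert_port_to_task(int name) {
    if (name < 0 || name >= MAX_PORTS) return NULL;
    if (port_table[name].ip_kotype != IKOT_TASK) return NULL;
    return (struct task *)port_table[name].ip_kobject;
}

/* Original handler: trusts whatever object the port points at, so a fake
 * task whose bsd_info is (target - 0x10) turns p_pid into a 4-byte read. */
static int pid_for_task_orig(int name, int *pid_out) {
    struct task *t = convert_port_to_task(name);
    if (!t || !t->bsd_info) return KERN_INVALID_ARGUMENT;
    *pid_out = ((struct proc *)t->bsd_info)->p_pid;
    return KERN_SUCCESS;
}

static int in_range(const void *p, const void *base, size_t len) {
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)base;
    return a >= b && a < b + len;
}

/* Modelled examiner: the task object and the proc it references must lie
 * inside the zones the kernel allocates them from. XKOP uses several
 * examiners; this block models only this one check. */
static int examine_task(const struct task *t) {
    return in_range(t, task_zone, sizeof task_zone) &&
           in_range(t->bsd_info, proc_zone, sizeof proc_zone);
}

/* Trampoline installed in place of the system call entry: run the
 * examiner first, then forward to the original handler. */
static int pid_for_task_xkop(int name, int *pid_out) {
    struct task *t = convert_port_to_task(name);
    if (!t || !examine_task(t)) return KERN_INVALID_ARGUMENT;
    return pid_for_task_orig(name, pid_out);
}

/* Attacker-controlled fake task (in the model it lives outside every zone). */
static struct task fake_task;

/* Constructed scenario: port 1 is a genuine task port, port 3 has been
 * corrupted to point at fake_task, whose bsd_info aims p_pid at the secret. */
static void setup_scenario(void) {
    memset(port_table, 0, sizeof port_table);
    memset(kernel_mem, 0, sizeof kernel_mem);
    kernel_mem[8] = 0x41414141u;                     /* secret at offset 0x20 */

    proc_zone[0].p_pid = 1234;
    task_zone[0].bsd_info = &proc_zone[0];
    port_table[1].ip_kobject = &task_zone[0];
    port_table[1].ip_kotype = IKOT_TASK;

    fake_task.bsd_info = (char *)kernel_mem + 0x20 - offsetof(struct proc, p_pid);
    port_table[3].ip_kobject = &fake_task;
    port_table[3].ip_kotype = IKOT_TASK;
}

/* Unprotected handler: returns the leaked 4 bytes. */
int run_original_leak(void) {
    int v = 0; setup_scenario(); pid_for_task_orig(3, &v); return v;
}
/* Protected handler on the corrupted port: returns the error code. */
int run_xkop_leak(void) {
    int v = 0; setup_scenario(); return pid_for_task_xkop(3, &v);
}
/* Protected handler on the genuine port: returns the real pid. */
int run_xkop_legit(void) {
    int v = 0; setup_scenario();
    return pid_for_task_xkop(1, &v) == KERN_SUCCESS ? v : -1;
}

int main(void) {
    printf("original handler leaks: 0x%08x\n", (unsigned)run_original_leak());
    printf("xkop on fake task:      kr=%d\n", run_xkop_leak());
    printf("xkop on real task:      pid=%d\n", run_xkop_legit());
    return 0;
}
```

The model also illustrates the limit the summary mentions: an examiner that inspects object addresses says nothing about a primitive that leaks information only through which error value a call returns, since the trampoline still has to return some error for the rejected object.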