HackPac: Hacking Pointer Authentication in iOS User Space

Conference: Defcon 27



The presentation discusses a design flaw in iOS user-space pointer authentication and how it can be exploited by attackers to launch attacks on system service daemons.
  • Pointer authentication and how it works
  • The design flaw in iOS user-space pointer authentication: the same signing key is used in different user-space processes
  • How attackers can leverage this flaw to launch JOP attacks on user-space daemons in iOS
  • A real exploit demonstrating JOP attacks in PAuth-protected processes
  • A tool to automatically find JOP gadgets in PAuth-protected binaries
The presenter conducted experiments on two programs, A and B, developed by different developers, to check whether a pointer signed in program A can be correctly verified in program B. The results showed that pointers are signed with the same key in different user-space processes, indicating a design flaw in iOS user-space pointer authentication.


Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted cryptography, thus eliminating the threat of code-reuse attacks. In PAuth, a cryptographic signature called a PAC is calculated from a pointer value and inserted into the unused bits of the pointer. When the pointer is about to be used, the PAC is extracted and verified against the pointer value. In this way, PAuth is able to ensure that pointers have not been tampered with. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP. However, in our study, we found that a fatal flaw in the implementation of iOS PAuth leaves user-space system services still vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process to be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. Further, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries.
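To make the key-sharing flaw concrete, here is an added simulation that is not the talk's code: a PAuth-style sign/authenticate pair modelled in Python, with HMAC-SHA256 standing in for the hardware PAC algorithm and constructed per-process keys, address layout and target address. It shows that a pointer signed under process A's key authenticates in process B exactly when both processes share the key, and fails when each process has its own.

```python
import hashlib
import hmac

ADDR_BITS = 39                  # address occupies the low 39 bits (assumption)
PAC_BITS = 24                   # PAC occupies bits 39..62 (assumption)
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1

def compute_pac(key: bytes, addr: int, modifier: int) -> int:
    """Keyed MAC over (address, modifier), truncated to the PAC field.
    HMAC-SHA256 stands in for the hardware PAC algorithm in this model."""
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "little") & PAC_MASK

def sign_pointer(key: bytes, ptr: int, modifier: int = 0) -> int:
    """Return the pointer with its PAC embedded in the unused high bits."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, modifier) << ADDR_BITS)

def auth_pointer(key: bytes, signed: int, modifier: int = 0):
    """Strip and recheck the PAC; return the plain address, or None on failure."""
    addr = signed & ADDR_MASK
    presented = (signed >> ADDR_BITS) & PAC_MASK
    return addr if presented == compute_pac(key, addr, modifier) else None

# Constructed keys and target address; real keys are set by the kernel at exec.
KEY_A = b"process-A-key-00"
KEY_B = b"process-B-key-01"
TARGET = 0x1_8000_4C30

def cross_process_verify(key_in_a: bytes, key_in_b: bytes) -> bool:
    """Sign TARGET under process A's key, then authenticate under process B's.
    True means B accepts a pointer it never signed itself."""
    signed_in_a = sign_pointer(key_in_a, TARGET)
    return auth_pointer(key_in_b, signed_in_a) == TARGET

def tamper_detected(key: bytes) -> bool:
    """Flip an address bit in a signed pointer and confirm authentication fails."""
    forged = sign_pointer(key, TARGET) ^ 0x10
    return auth_pointer(key, forged) is None

if __name__ == "__main__":
    print("shared key, A-signed pointer accepted by B:", cross_process_verify(KEY_A, KEY_A))
    print("per-process keys, A-signed pointer accepted by B:", cross_process_verify(KEY_A, KEY_B))
    print("tampered pointer rejected:", tamper_detected(KEY_A))
```

The shared-key case is the situation the talk describes; the per-process-key case is the behaviour a correct deployment would show.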