
iOS Kernel PAC, One Year Later

Conference:  BlackHat USA 2020

2020-08-05

Summary

The presentation discusses weaknesses in and bypasses of Pointer Authentication Codes (PAC) in the iOS 13 kernel, and argues that a mitigation needs a thorough analysis of the code it protects to rest on a sound security model.
  • PAC is a good exploit mitigation, but its deployment still feels ad hoc and lacks a formal underlying security model
  • Thorough analysis is crucial when designing a security model, including the low-level characteristics of the compiled code being protected
  • PAC has succeeded in eliminating the exploitability of certain bug classes
  • For end-user security, PAC bypasses matter less than broader kernel hardening
  • Apple needs to address the underlying issues and inspect compiler output to close off the remaining PAC bypasses
The speaker demonstrated a short, deterministic proof of concept that hijacks kernel control flow despite PAC, using a thread set state bypass technique, to illustrate where the current design falls short.

Abstract

In February 2019, I reported to Apple five ways to bypass kernel Pointer Authentication on the iPhone XS. My impression was that the design, while a dramatic improvement on the ARMv8.3 standard, had some fundamental issues when defending kernel control flow against attackers with kernel memory access. This talk will look at how PAC has (and hasn't) improved in the subsequent year, once again concluding with five new ways to bypass kernel PAC to obtain arbitrary kernel code execution on iOS 13.3.
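To make the abstract's point concrete, below is an added toy model of ARMv8.3-style pointer authentication. It is not code from the talk and not Apple's or ARM's implementation: the keyed mixing function stands in for the real PAC cipher (QARMA), the key, addresses and context values are constructed, and addresses are modelled as 48-bit with the code stored in the upper 16 bits. It shows what PAC does stop for an attacker who can write kernel memory but does not hold the key (forging a pointer, tampering with a signed one, reusing a pointer signed under a different context) and one thing it does not stop by construction: substituting a pointer that is already validly signed for the same context.

```c
/* Toy model of PAC: added illustration, not the talk's code or Apple's.
 * Assumptions (hypothetical): 48-bit addresses, PAC in bits 63..48,
 * a keyed mixing function standing in for the real cipher. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS  48
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK (~VA_MASK)

/* Constructed secret; in hardware this lives in a key register the
 * attacker cannot read even with kernel memory access. */
static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;

/* Stand-in for the PAC cipher: keyed mix of (pointer, context). Not QARMA. */
static uint64_t pac_mac(uint64_t ptr, uint64_t ctx)
{
    uint64_t x = ptr ^ pac_key;
    x ^= ctx * 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 31;
    x *= 0x94D049BB133111EBULL;
    x ^= x >> 29;
    return x & PAC_MASK;            /* only the upper bits carry the code */
}

/* PACxx: fold the code into the unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx)
{
    uint64_t raw = ptr & VA_MASK;
    return raw | pac_mac(raw, ctx);
}

/* AUTxx: recompute the code; on mismatch return a poisoned pointer
 * (bit 62 set) so that a later dereference faults. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t ctx)
{
    uint64_t raw = signed_ptr & VA_MASK;
    if ((signed_ptr & PAC_MASK) == pac_mac(raw, ctx))
        return raw;
    return raw | (1ULL << 62);
}

bool pac_auth_ok(uint64_t signed_ptr, uint64_t ctx)
{
    return pac_auth(signed_ptr, ctx) == (signed_ptr & VA_MASK);
}

/* Constructed contexts (discriminators) and addresses. */
enum { CTX_FPTR = 0x1234, CTX_OTHER = 0x5678 };
static const uint64_t legit_fn  = 0x0000AAAAAAAA0000ULL;
static const uint64_t other_fn  = 0x0000BBBBBBBB0000ULL;
static const uint64_t evil_addr = 0x0000F00DCAFE0000ULL;

/* Attacker writes a raw address into a signed slot: no valid code. */
bool scenario_forge(void)
{
    return pac_auth_ok(evil_addr, CTX_FPTR);
}

/* Attacker flips bits of a signed pointer: code no longer matches. */
bool scenario_tamper(void)
{
    uint64_t slot = pac_sign(legit_fn, CTX_FPTR);
    return pac_auth_ok(slot ^ 0x10, CTX_FPTR);
}

/* Pointer signed under one context is used under another: rejected. */
bool scenario_wrong_context(void)
{
    uint64_t slot = pac_sign(legit_fn, CTX_FPTR);
    return pac_auth_ok(slot, CTX_OTHER);
}

/* Attacker copies a pointer already signed for the same context into the
 * victim slot: accepted. Nothing in the code binds it to its slot. */
bool scenario_substitution(void)
{
    uint64_t victim_slot = pac_sign(legit_fn, CTX_FPTR);
    uint64_t donor_slot  = pac_sign(other_fn, CTX_FPTR);
    victim_slot = donor_slot;          /* memory write, no key needed */
    return pac_auth_ok(victim_slot, CTX_FPTR)
        && pac_auth(victim_slot, CTX_FPTR) == other_fn;
}

int main(void)
{
    printf("forge accepted:        %d\n", scenario_forge());
    printf("tamper accepted:       %d\n", scenario_tamper());
    printf("wrong ctx accepted:    %d\n", scenario_wrong_context());
    printf("substitution accepted: %d\n", scenario_substitution());
    return 0;
}
```

The substitution case is the one to keep in mind when reading the abstract: an attacker with kernel memory access does not need the key if a validly signed pointer for the wanted context already exists somewhere in memory. The standard countermeasure is to fold the storage address into the context (as ARM does with SP for return addresses), which is why the talk's emphasis on analysing exactly how the compiler emits and uses each signed pointer matters for the strength of the scheme.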

