
A Brief History of Mitigation: The Path to EL1 in iOS 11

Conference: BlackHat USA 2018

2018-08-08

Summary

The speaker discusses the importance of taking iOS exploitation seriously and the need for real organizational and process changes from Apple. The speaker also calls on Apple to follow through on its bug bounty program and donate the bounties for the bugs found to charity.

  • Targeted exploitation is widespread and easily abused
  • The bar for iOS exploitation is lower than expected
  • Organizational change is needed from the top to improve security
  • The bug bounty program should be taken seriously and bounties should be donated to charity
  • Over 150 bugs have been reported to Apple, but little momentum has been seen in fixing them

The speaker presents 30 bugs that were reported to Apple, totaling a potential corporate donation of $2.45 million.

Abstract

In December last year, I released the async_wake exploit for iOS 11.1.2. In this talk, I'll cover how each step of the exploit worked and discuss in depth each mitigation which was defeated along the way. I'll focus on what was supposed to make exploitation hard, what techniques other public exploits would have used in earlier iOS versions, and what mitigations we might see in iOS 12 and beyond (and how to break those too!).
