
Conference:  Defcon 31
Authors: Austin Emmitt, Senior Security Researcher at Trellix Advanced Research Center

In 2021 the FORCEDENTRY sandbox escape introduced the usage of NSPredicate in an iOS exploit. This new technique allowed attackers to sidestep code signing, ASLR, and all other mitigations to execute arbitrary code on Apple devices. As a result, Apple put in place new restrictions to make NSPredicate less powerful and less useful for exploits. This presentation will cover new research showing that these added restrictions could be completely circumvented in iOS 16, and how NSPredicates could be exploited to gain code execution in many privileged iOS processes. This technical deep dive will be a rare instance of iOS security that anyone can comprehend without years of experience. After an overview of the classes involved, we will explore the full syntax of NSPredicate and cover how it can be used to script the Objective-C runtime and even call any C function. It will be shown that PAC can still be bypassed 100% reliably with NSPredicates in order to execute any function with arbitrary arguments. A new tool will be unveiled to help craft complex NSPredicates to execute arbitrary code and inject those predicates into any application. Additionally, a demonstration will be given which executes arbitrary code in the highly privileged Preferences app. Finally, the talk will cover a bypass of NSPredicateVisitor implementations which allows a malicious process to evaluate any NSPredicate within several system processes, including coreduetd, appstored, OSLogService, and SpringBoard. There will then be a live demo of exploiting SpringBoard to steal a user's notifications and location data. The presentation will end with some discussion about what can still be done with NSPredicates now that these issues have been fixed, including bypassing App Store Review, and what app developers should know to keep their own apps safe.
Authors: Madhuri Yechuri, Zach Gray

tldr - powered by Generative AI

The presentation discusses the use of Kubernetes to manage Mac compute shapes on AWS for iOS builds, with a focus on Flare.build's experience and lessons learned.
  • Flare.build is part of Google's Bazel Experts Program and offers value-added services for building and testing applications at scale using Bazel
  • Nodeless Kubernetes, developed by Ilota, aims to provide compute that comes up and disappears according to application lifecycle, and can be used to manage Mac compute shapes on AWS
  • The presentation discusses the challenges of unifying different compute types for distributed builds, and the benefits of using Kubernetes to manage Mac compute shapes on AWS
  • The presenters share their experience evaluating manually-managed vs Kubernetes-managed Mac compute shapes on AWS, and suggest best practices for managing Mac compute shapes on Kubernetes