iOS kernel exploitation archaeology

Speech transcript (automated media analysis, beta)
[...] and now I want to introduce our first speaker and the topic he's talking about: iOS kernel exploitation archaeology. A kernel exploit from late 2013 / early 2014 will be dug out and analyzed, a proper archaeology. All the digging and analysis is done by argp, here to my left on the stage. Give him a big round of applause; the stage is yours.

Thank you. Thank you all for being here. As the person that introduced me told you, this is going to be an archaeology talk, so I apologize in advance if it is not that interesting for you, since we'll talk about old stuff rather than new things. A few things about myself: actually I think that from all these things the most important part is the Phrack papers, right? So yeah, let's ignore the rest.
So what I'm going to talk about is the evasi0n7 kernel exploit. evasi0n7 was a jailbreak released by the evad3rs on the 22nd of December 2013. It supported iOS 7.0 up to 7.1 beta 3 (not the 7.1 stable release), and it supported all devices at that time, including the iPhone 5s, which was the first 64-bit device, except the Apple TV. I decided to reverse-engineer the kernel exploit, and I deliberately focused just on that, because I was really interested not so much in the bug itself, which was, as we will see, not very complicated, but I was really interested in understanding the exploitation techniques that it used. So I started reversing it, then understanding it, and at some point I just said, OK, I'm going to do my own implementation of the kernel exploit. So this talk is basically my notes on this whole process, and of course not the jailbreak itself but the kernel exploit, and I'm going to specifically focus on the various problems I encountered during this task and how I overcame them. Hopefully it's going to give you some takeaways if you do iOS kernel exploitation nowadays. OK.
So the general outline is: I'm going to say a few things about evasi0n7 to set up the stage, then I'm going to explain the kernel bug itself, and then I'm going to talk at length about my debugging setup. I think that's a very important step that is usually not covered; exploitation talks and books don't analyze it much, if at all. It's an important part, because getting a working debugging setup is maybe about half of doing a kernel exploit. Then I'm going to talk about my implementation of the exploit, and hopefully at the end we're going to have some things to take away, or maybe not. OK.
So the evasi0n7 jailbreak was released about 4 years ago, and that's the official website, right? If you were following the jailbreaking community at the time, you might remember this huge drama about another jailbreaker who had a jailbreak that he was planning to release before the evad3rs, and who he was planning to sell it to, and some leaked discussions that he had with some other people, who were offering money to buy it, because supposedly he was using some of the bugs the evad3rs were using. So this was a huge drama. And then, after evasi0n7 was released, like maybe a few hours later, people realized that if you had Chinese set as the language of your device, the jailbreak was installing an app called TaiG, which was basically a third-party app store, not backed by Apple, and it had some pirated versions of some apps. Of course that caused a huge drama about piracy, but also a
lot of things were said about that jailbreak at that time and about the TaiG piracy app. The evad3rs put out a statement, and the very important thing that I like about it is that it doesn't make sense. They say that "we have decided to remotely disable the TaiG app" because of the piracy, so the whole thing doesn't make sense: did you know what was happening? You did bundle it with the jailbreak. Are you going to disable it for new installations only, and then what does "remotely" mean exactly? And what about the people who already have the piracy problem, how are you going to fix that? So what does "remotely" mean? That's what happened with that thing. OK, so
at some point after that, evasi0n7 was analyzed by geohot, who did a write-up on the userland part of it. He analyzed how the userland part worked and he stopped at the point of gaining root, and basically he mentioned at the end of his write-up that the evasi0n7 binary, which is basically what had the kernel exploit, was obfuscated. As we will see, this was indeed the case, and as far as I know it's the first jailbreak that used obfuscation, partly to hide the piracy app that was bundled with it and maybe partly to hide the kernel bug, but I'm not sure about the reasons. And there was also a blog post about the kernel bug that evasi0n7 used, where the author basically describes the bug and stops at the point where he gets the crash, so it doesn't say anything about how to exploit it. So
after all of these things happened, I decided to reverse-engineer the evasi0n7 binary and understand the exploitation techniques. I was reading these things about reversing evasi0n and the techniques the evad3rs were using, and it seemed like an interesting challenge, but as I also mentioned, I was really interested in the kernel exploitation techniques that were used; that was more important for me at the time. So, evasi0n7 was released in December 2013 and I started doing this in February 2014, and I did it while having a day job, so I was spending at most two days per week on it. So what was my
setup? I had an iPhone 4, and if you know about iPhone 4s, they have a bootrom bug which basically allows you to load arbitrary kernels, unsigned kernels, on the device, and that basically means that you can very easily do kernel debugging. So initially I had an iPhone 4 device with 7.0.6; I want to remind you that the iPhone 4 is ARMv7, right? I also had an iPhone 5s with the same version of iOS, and I used that in order to verify all my findings and to do my tests on an ARM64 device. As I told you, the iPhone 5s at that time was the only ARM64 device, well, except the iPad Air, which was also on the market; there was another device with ARM64 at that time. So that's the exact version of evasi0n7 I was analyzing, and of course what I'm going to describe in these slides, although they don't look like much, actually meant something very painful and cost a lot of sleepless nights. OK, a few things about the obfuscation.
So not all of the functions of the evasi0n7 binary were obfuscated, but some important ones were, and those were the ones that were triggering the bug and doing the kernel heap manipulation and all the other important things. I have been told that later versions removed the obfuscation, but I'm not sure about that, and I had already done my implementation at that point, so I wasn't interested in looking at them. So, as
I mentioned, the kernel bug that the evasi0n7 binary was based on was found by posixninja, and basically, as far as he says, he used a six-line bash script fuzzer to find it. As you can see, it basically creates device nodes with controlled arguments, like minor and major numbers. Now, in order to get to the point to create device nodes, you basically need to be outside of the application sandbox that exists on iOS, and you need root privileges, and that's what the userland part of the evasi0n7 binary does, and that was covered in the write-up I mentioned. So I'm going to start my analysis from the point where we have escaped the sandbox and obtained root, and now we're going to exploit the kernel bug.
Now this is code from the XNU kernel that has the bug. The ptmx_open function is called every time userland calls open on the /dev/ptmx device, and then this ptmx_get_ioctl function is called. The important thing here is that this minor number is completely user-controlled, and it's passed to this ptmx_get_ioctl function as an argument. And then this ptmx_get_ioctl function uses it to index into an array, without a check. So basically the bug is invalid indexing by a user-controlled value; you control the index here. This state here is global to the kernel, and this pis_ioctl_list here is allocated on the heap and it is an array of pointers to ptmx_ioctl structs. The important thing here, which I'm going to return to again and again during the talk, is that it has a pointer to the tty structure as the first element of the struct.
So we control the index. What can we do with that? Here, as you can see, the ptmx_get_ioctl function returns whatever it indexes, right? So as you can see here, it checks the size of the array, and it does all kinds of interesting things: pti is controllable, and this is controllable here as well, after this dereference, to some controllable value; and there is another code path where this is called again. So there are a lot of things to consider when you know the bug and you try to think about exploiting it, but the one important thing here that I wanted to mention is that this function here, ptmx_get_ioctl, also does another heap allocation, of this pointer here, of this tty structure, and that's important because I'm going to use it further on. Another important thing is that what this bug allows you to do is control the size of this array here.

So, as you can see, by repeatedly opening the /dev/ptmx device you grow this array, and you grow it, as you see here, by this grow vector, that's 16, but it doesn't matter. What matters is that the size of this array in bytes is controllable by you, the person who's trying to exploit this bug. Now, these are parts of the notes from my exploit: if I did one open of the /dev/ptmx device, then the array was going into kalloc.64; if I was doing 17 opens it went to kalloc.128; with 33 opens it went to kalloc.192, and so on and so forth. So I could decide in which kalloc zone I could place this array. Kalloc zones, to remind you, are basically containers for kernel objects on the kernel heap; all of them can be of different types, but all of them are of the same size, right? So kalloc.64 has different structures of size 64 bytes, but all of them are 64 bytes. OK,
so I started debugging the evasi0n7 binary in userland, that's how I started. Initially I was using gdb, and I found out that nothing worked with gdb. At that point Apple was starting to move from gdb to lldb, so gdb wasn't stable; when I say nothing worked, I mean that I was placing breakpoints and they weren't being hit, I was stepping and it was continuing execution, and stuff like that. Sometimes I couldn't even attach to the binary. So I ditched gdb and I moved to lldb, and things were much better. Now, while I was experimenting just with userland debugging, my iPhone 4 device went into recovery mode and I wasn't able to get out of it, so I was forced to do a restore of the device. The problem was that at that time only iOS 7.1 was signed by Apple, so I couldn't install a version of iOS that had the kernel with the bug I was interested in. But on the other hand, as I told you, the iPhone 4 was a device that had the bootrom bug, so it could load arbitrary kernels. So I restored to 7.1, and as I said, 7.1 had the patch for this bug. So what I
wanted to do was basically to boot my iOS 7.1 device with a 7.0.6 kernel, and in order to do that I could use the limera1n bootrom bug to load whatever arbitrary kernel, and the tool to do that was redsn0w. The problem was that redsn0w only supported up to iOS 6; it didn't have support for iOS 7. So, among the other things I was doing, I reversed redsn0w to understand how it worked, and if you don't know it, redsn0w was closed source, right? So I reverse-engineered it to understand how it worked, in order to patch the binary to add support for iOS 7. I spent maybe a month on that, and then I realized that it wasn't leading me anywhere and I couldn't understand a lot of things about how it was implemented, so I stopped doing that. At that point I found opensn0w, which was an effort by winocm to implement redsn0w as open source.
So it seemed to have support for iOS 7, and that was good, and it was working. Now my problem was that I couldn't have arbitrary-length boot-args. Boot-args are the arguments that you pass to the kernel when it boots, and they're really important, because by passing certain boot-args to the kernel you can disable code signing, you can enable kernel debugging, so it's really important to be able to pass arbitrary-length boot-args. The simple one I was using was 39 characters, and that was the limit that opensn0w could support. So what I ended up doing was patching iBoot, which is basically the bootloader of the kernel; it passes the boot-args to the kernel when it boots, and basically I changed the pointer to the boot-args to some other place that had much more space. So at that point I was able to pass 138-character boot-args to the kernel.
So where are we at last? I had an iPhone 4 device with iOS 7.1, and I was using opensn0w to boot the 7.0.6 kernel that had the bug I was interested in exploiting. One side note here: while I was doing that, and I was trying to figure out the patches to apply via opensn0w to the kernel to enable kernel debugging, I was also reversing the evasi0n7 binary. The evasi0n7 binary, after it exploited the kernel, was patching it to enable kernel debugging. So I was copying the patches into opensn0w, but I realized at some point that one of the patches, the one that enabled the debugger, wasn't really working. It was applied and it seemed like it was working, but if you tried to actually use the kernel debugger from gdb, so attach to the kernel and do whatever, like place a breakpoint or step, then gdb just froze. So I added another patch that was required, and then I had kernel debugging at last,
but that's not really what I had, because, you know, breakpoints didn't always work. So you were placing a breakpoint, and if it wasn't hit when execution passed through there, and you were trying to step instructions, the execution just continued. So whatever you were typing in gdb, it was just like you were typing continue. And if you were taking too long to type a gdb command, gdb froze and you had to restart your device, start the kernel debugging session again and start from zero. If you typed too fast, it did that again, so you had to start again. It was an amazing time. Now, I did similar stuff with iOS 6, and I distinctly remember that with iOS 6 kernel debugging worked much better, and I have been wondering since then whether Apple engineers use KDP for kernel debugging or whether they use something else. OK, so now I could debug the evasi0n7 binary both from the userland side and from the kernel side, and that was good, because I was analyzing it at runtime and at the same time I was reversing it statically. So the reversing went much faster, since I was taking hints from runtime, and at that point things went fast, and I quickly found that it was abusing the tty structure to obtain read/write primitives, basically. I mean, that was interesting to me, but I was expecting something else. I was expecting something like what I saw in the evasi0n 6 jailbreak, where they did a lot of heap manipulation, that, let's say, heap feng shui tradition.
So at that point I decided to stop reversing and develop the exploit the way I wanted to do it. Obviously that wasn't from scratch; it was from everything I had studied up to that point. What I really wanted to use was the vm_map_copy technique by Dowd and Mandt, and I'm going to explain in the following slides how it works. At that point I had an idea of how the bug worked and I had some ideas about how to exploit it. And I mean, if you do this, you know it takes a lot of pen-and-paper ideas: you develop them on paper, then you go test them and they don't work, and then you develop them again, and then again they fail, and you despair, and then you have a new idea and you spend like two nights staying up until 5 in the morning testing it, being sure that it's going to work, and then you despair again, but eventually you get
something working. So let's talk about the exploitation now. A few things to refresh your memory about the bug: as I said, it was an invalid index bug. This pis_ioctl_list array was on the heap and I could control in which kalloc zone it went; I can grow it, but once I grow it I can't shrink it back. Now, this is called from the ptmx_get_ioctl function, and basically what it does is it allocates a new ptmx_ioctl structure here, and then it uses the index that you provided, that you control, to store its address. Now this allocation here, this struct, goes into kalloc.88, and that's used in the next parts. A few things
about the technique I wanted to use to exploit this, the vm_map_copy technique. The technique was proposed by Dowd and Mandt, and basically they were spraying the kernel heap with these structs here, the vm_map_copy structs, and assuming you have some kind of corruption of this struct on the heap: if you can overwrite the size element here, then basically what you get is a leak of kernel memory adjacent to the kdata, whatever is below the kdata pointer. And if you put whatever size you want in there by overwriting the kalloc_size element here, and then free the struct, you put it on a different kalloc zone, and basically when you allocate it back, since you put it on a different size zone, you can have an overflow. So that's a general overview of this technique. OK,
so what was the idea? The idea was to use this pis_ioctl_list invalid index bug to corrupt this kdata pointer here and, through that, with a relative read, get a leak of kernel memory. That would be my first step toward exploiting the bug. Of course the end goal is to achieve arbitrary read/write, right? Of course it was just an idea at that point, but that was the goal. When you study the bug and the different code paths and how the things you affect are used, then you should have some, maybe not completely concrete, ideas about what you can make happen. So that's what I had at that point. OK, so let's talk about that.
First stage: I sprayed the kernel heap with vm_map_copy structs, and I decided to work on the kalloc.256 zone. The reason, which wasn't completely arbitrary, was that while kernel debugging and reversing the evasi0n7 binary up to this point, I saw that this kalloc zone was not used much, either by the kernel or by whatever the exploit was doing. So that's good, because it means that you, as the exploit developer, have more control over the kernel heap, and there are not many other things placing allocations on the zone you're working on. So I chose kalloc.256; I avoided, of course, kalloc.88, because the ptmx_ioctl structs are going there, and that would mess up my heap arrangements. So the first stage looks like this. OK, so
what I wanted to do was to spray the kernel heap with vm_map_copy structs, controlling both the size and the contents; the contents don't matter at this point, just the size matters. So I sprayed with 256-byte vm_map_copy structs, and then I freed every second one, and that creates this kind of pattern, like vm_map_copy, free slot, vm_map_copy, and so on. Then I grow the pis_ioctl_list array to 256 bytes, and it goes into one of these free slots here. Now the code
for doing that looks something like this. What it basically does is create the out-of-line mach messages, which are basically the vm_map_copy structs, and their size is 256; the buffer content doesn't matter at this point; it just sends the messages. Then, after you've sprayed with them, you free every second one here, with this loop here. In order to free a vm_map_copy, you just receive the mach out-of-line message that corresponds to that vm_map_copy struct. And after you've created the holes, you basically grow the array to 256 bytes. How do you do that? As I mentioned, you open the /dev/ptmx device a number of times, a specific number of times, the one I mentioned earlier from my notes, which makes the array go to 256 bytes. So that's the first stage. OK, so the second
stage is done on kalloc.88, on the kalloc.88 zone. So I spray again with vm_map_copy structs, and this time I make them 88 bytes so they go to the kalloc.88 zone, and then I create holes again, and then I trigger the bug with an invalid index value. When we trigger the bug, a ptmx_ioctl struct is allocated and this goes to kalloc.88, and because I have already created this pattern of holes, it hopefully goes into one of the free slots. So I have a ptmx_ioctl struct sitting in one of my free slots, and I don't know where that is, but I know that it goes into the pattern, right? So, thinking of the pattern, remember that basically you control the index, right? So with the controlled index I pointed to the kdata element of the vm_map_copy struct that is always below the array. So the ptmx_ioctl struct went into, I don't know which slot, but I know where it is relatively, and I know that it's followed by kalloc.88 bytes that I control, because I created the pattern on the heap.
So let's go through it. It looks like this: that's my first stage, right, the vm_map_copy and hole pattern, and this is the same pattern on the kalloc.88 zone. When we trigger the bug, this ptmx_ioctl struct is allocated and goes into one of the free slots, right? And then the bug itself, which is what we see here: remember you control the index, so this is the new allocation that went here, and then its address is stored at this address within the array. Sorry, but remember that this is controlled, we control that. So what I do: I point this, relatively, to the neighboring vm_map_copy, to the kdata field, right? So in this way, the kdata of the vm_map_copy points to this struct here. That's what the schematic looks like. I'll show you the code; it's very similar to the first one. There's a spray with the vm_map_copy structs of size 88, mach messages, right? And then you see the second one: you create the holes on the 88 zone, and then you trigger the bug here, right, with the invalid index; the number here is basically what points relatively here. So now I have the address of this ptmx_ioctl struct, which is an address on the kalloc.88 zone, in the kdata field of the vm_map_copy struct here. So what I do: I receive these messages, and in their content I can see the rest of that slot on the kalloc.88 zone. So that's a good thing; you just receive all the messages, and so on. That's my leak.
OK, so I got to this point, and all I have is this address here, right, the address of this heap slot. At that point I started looking at other code paths that this value, the index, and the other variables it influences were affecting, and I found the paths that would actually give me a write, but in order to get there it needed to survive several dereferences, and all I knew was just that kalloc.88 address, right, nothing else. So now I'll walk you through everything that gave me this write. So actually I went back to the kalloc.256 zone and sprayed again with vm_map_copy structs, exactly like the first stage, and again next to the pis_ioctl_list array I had a vm_map_copy struct, but this time in all of the vm_map_copy buffers I put a payload of this fake ptmx_ioctl struct. Remember that the first element of the ptmx_ioctl struct is a pointer to a tty struct, and I can use the leaked address I have for this pointer, because at that point I didn't know where else to point to.
So the next step was to clean up the kalloc.88 zone, spray it again, and again I sprayed it with vm_map_copy structs, but this time the payload I put in all of them was a fake tty struct, the one that the fake ptmx_ioctl struct is pointing to. The problem at that point was that the tty struct is 256 bytes and the kalloc.88 slot is only 88 bytes, so I couldn't control all the elements of the tty struct; with the first 88 bytes I couldn't get to the path that was giving me the write. So I had to find some other way to host my fake tty struct.
Remember that I couldn't work on any other kalloc zone or anywhere else, because all I knew was that kalloc.88 zone address, nothing else. So at that point I started doing much more complicated stuff. Instead of spraying just one thing, I was spraying two; I was going to create a pattern of two controlled things. Now, I couldn't use the vm_map_copy structs for both of these slots, because the vm_map_copy struct has a header, right, so it would mess up my fake tty struct. So by looking at the kernel heap, in which these slots are, I realized that I could spray the zone with XML properties from an IOKit driver, and place as a second controlled buffer, after the vm_map_copy struct, these XML properties, which are completely controlled in content. And I put the second part of the tty struct there; I mean, this is still not 256 bytes, but what it gives me is that I survive the dereferences to the struct that I was interested in. OK, so
if you think about the tty struct, that's what I wanted to create on the kalloc.88 zone, right? So that's the tty struct, pretty much as it is here. What I basically wanted to do, the final thing, was to use this clist struct and control this element here, c_cs, which is the clist buffer of the tty, to give me an arbitrary write, so to give me a controlled write. I started playing a bit with using it to do an arbitrary write, but I found that I wasn't able to do it, because at a later stage some other parts of the tty struct were needed that I wasn't able to control. So I only had two 88-byte slots to host my fake tty struct, so that was the limit; I was only using that to do a relative write. So let's go to the code.

So that's the third stage. Again, remember I sprayed the kalloc.256 zone with vm_map_copy structs; this just places my pis_ioctl_list array next to a vm_map_copy struct. Remember that I control the contents of the vm_map_copy, so I place in the buffer of the vm_map_copy this fake ptmx_ioctl struct with the kalloc.88 address that I know, and with the invalid index that I control I point to this fake ptmx_ioctl struct here. And what does this point to? It points to the address I got in the previous stage, which is on kalloc.88. And what's at that address on kalloc.88? As I told you, a vm_map_copy followed by the XML properties, which is the same thing I just explained here, how it looks. So at this point the kdata element here, and then the rest of all this, is basically the fake tty struct, like the bottom of the vm_map_copy and the following XML properties' contents. And the clist struct and this c_cs pointer, as I told you, I can point relatively: I can't put an arbitrary address, but I can put it relatively, since I created this pattern on the heap, and I can point it relatively to the kalloc_size of the neighboring vm_map_copy struct. And why do I need this? Because I want to use the vm_map_copy technique by Dowd and Mandt that I mentioned earlier; that's the end goal. So what does the code look
like? Again, the spraying of the 256 zone, and then we have the allocations. I'm going to skip that code, because we have seen it before. So what I have here is the spray of the kalloc.88 zone, and the important thing here, what I wanted to show you, is that at every step I took two allocations: one is the vm_map_copy struct here, with the mach messages, and the second part is the XML properties, when you open the device driver that parses the dictionary. And what are the contents of the XML properties? They're basically the second part of the fake tty struct, the one that has the controlled c_cs pointer, which gives you the write. So if you see here, I have this set of functions that build the fake tty struct; they basically create the struct's contents byte by byte, and so we have the third stage here. Basically what you can see here is the creation of the fake tty struct, right, the different elements of the fake tty struct as we saw from the code, and that's the element I said I wanted: it's pointing to the kdata field of the neighboring vm_map_copy struct. So again, that's what the struct looks like in this stage. OK, so after that,
which violence the action which arise in this way we we begin again the inviting index side a bag but at this lamin sleepy gimmicks device I was only doing that on on on Mustard epidemics devise but in order to its that that i'd gold buffer they mention you unit on asleep to gimmicks device so that's that's what happens here and then you simply that I to the corresponding discrete good and adjust the oppressors is this underscore C S that you control and you end in it dicey whatever you want to write and what I want to I don't like the new size for the VM up corpus stocked fall further color size field of the view of it would be mop-tops toxic and I can use the Dalton on technique
so putting everything together and so at that point I shiver controlled got up some of the the mop-tops striped IT use though the primitives to get out of it the and not with very exciting I can leak for example the the case the last slide and I can ship overflow again these are how how you can use the payment is up to the I cannot give us there now I also known my lectures on on the turn of the sheep and remember that's that's basically we found that on the state on the 1st on the 1st 2 stages and we only use only that like where that I epidemics us at the Struct was was stored only care noted that they all thing we knew that address in order to to successive EB donate in order to to it's like it that much more useful painted and the importance their in this think here is that everything up to this point is that all right so you haven't excellent cold you shouldn't done anything at all that that you could be called somehow and by by economists protection mechanism or or this kind of things everything's though only
so once you disappoint how how do you get this a controlled so but since since you can use Donaldson months technique you can basically Bishop Overflow should attend again do where it's about it's Mentadent plays I have to build 6 next to the up property stocks who where you can overflow from and you can bought out by 2 builds extend from that interval also you can do it number 3 right that he died right so you can but advocated you can read that every table of like adults excision all diesel last slide it court update in order to to get this to control of course did include to to hold tribute from that point there is is out of the scope of this book and but that is not the product you from that point on and all this other doing all that how close it was that that exploits to to their visit to the area of is that 7 Canucks without sees was picked a fight off but I mean it was my point to a created flight completely but it was my point a tool to play with a sheep and to try to do complex he punishments and to see how much I understand the the there's scanning the so that was the point of this whole exercise for me what is so some lessons learned so I did the hell surprising thing for me at that point was that I couldn't believe that op you does care of by invited to be it was very flaky was very unstable ill Izard told you if you typed commands to foster to flows of EPO commands very slow it had like what's up by flows I think if there was a chemist of about and it's on the it's I got couldn't believe that uplands Nyhus we're using this this in the face of the chemical binding so it was it was really hard to do anything on the camera side of of 4 or 5 devices both was I I believe me that you shouldn't use mess with these things right in this device the reading this think and it's it's really becoming harder to crack them but I think it's much more fun and so I think the only take away maybe is that in the port thought let those antigen a streetcar the use of just 
about whether from bucks that's that's always good and in this vein for this is that this is getting there is a big right there about model the formation and up it keeps changing staff and everything is closed source and the important parts of closed source and I mean I really I really think people that were about things should certain knowledge of Cosmos portion because these are some of the people I was looking to world doing all of this and I won't mention them
hand and basically that's not so they wanted relative and I'm I'm open to 20 questions what have thank you for all the talk so we have prepared microphones 1 2 3 and 4 in the room and yeah we have a signal and I think you when you have questions you can give me as can find but I think we start with microphone to here the front and please ask questions and no comments this time after the talk OK go things were wasn't talk thinks I I have a question about a sheep's brain and I it was yes it's frame really stable you fit he is not successful albeit crash the VAD device yeah so I haven't mentioned it here but it was pretty stable I think it was something like because I did a lot of tests for part because of the universe and for me to know it was maybe something like 90 per cent so 9 9 and oftentimes it worked but he did it will be up that yes it because the kernel and cuss advice you and do you try to return seep into some grain of the initial state dual-stack you're exploit from scratch yep that's that's so item included that but the your you're right so the in the sense that never spray that I mentioned here was to stay a lot of old 604 off as the specific size you you would targeting in order to get basically a new page of the car looks on right so you so even if I as I told you the color to 5 6 wasn't that these it's the there were the other cases going on it right so if you did a lot of fun in the cell spraying you're making so that when you're delicate that not there to to you were made were on a new page that wouldn't wasn't too much noise from other workers from the currents of yeah you're right I haven't to that but the at the top of the subtree thanks then microphone 1
kiss I also thank you for all some talk against thing my question was nowadays it's where harder to use the copy often coupled to read replicated addresses not possible anymore due to security the UC hope and reconstructing some function that does the same or is it totally dead now all you need to the corpora technique and yes no I think it's right and I recently saw on the I was lots of vulnerabilities that again of information from the ability and Apple Chevette driver was formed do you think have you looked into it all will often of the opposite the diver is 1 of the 4 I think I diversity gender it's from the container some books right social science that means it's a very very fast by popular included in very audited so I'm not saying that there many there are 2 things they're like this findings but if they're are there they're not going to much longer think of thank you thanks to aggressive and now from the signal and question from the Internet's yes I have a question from the internet how long did this research takes you use that 2 weeks in the beginning but from beginning to end how many hours about users said it was during work no no he didn't even take 2 weeks to glide may be close to 3 months of 2 months in something like that so I spent on a as as I mentioned the spent like a complete month I think like maybe 3 which are below the complete Mumford just a liver cigarettes snow and trying to to get today that it's not to play with fire 7 so I wouldn't count this month in the in the exploit part of it right so if you hear this just McCarroll expert but I would say something like maybe 7 weeks something of but that just with 2 2 maybe 3 days per per week right and not complete weeks OK then microphone 1 please congratulations you thought it was really interesting I like it a lot and my question these is that that you use a address appointed below which tools in the best vestibule annually BSD as well on no I mean the via mop corpus that doesn't exist 
anywhere else except the extended Journal but I think the indistinct take away so that you didn't do complex pirates and see if you understand the victory metabolic it right so this this this process i.e. I described by we creating Coulson may be converted to other cases in order to host fake structures that durable than to use to get expectation primitives than that's a peak 11 were right thank you OK then we go to microphone Q again please so high salt now 1 sentence just not scary part what just onto part of the box I I would like to understand you're thinking behind because I think this is really important for a companies to know this box that they've made and yeah making the products that are and this is sleeping official forests are a tropical as for example able they pay a lot of money for the box what's but he added he must they say that apart from if you follow the box of tricks and you will be able to do this kind of work and it's no fun so have much of an incident sorry i in the event interest no comment OK the signal and you do we have another question from the internet OK then please a big round of applause for our be they
in in this work we we the I think you know that each CPU if you go to to
Metadata

Formal metadata

Title iOS kernel exploitation archaeology
Series title 34th Chaos Communication Congress
Author Argyroudis, Patroklos
License CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content for any legal purpose, in unmodified or modified form, provided that you credit the author/rights holder in the manner specified by them.
DOI 10.5446/34931
Publisher Chaos Computer Club e.V.
Year of publication 2017
Language English

Content metadata

Subject area Computer science