iOS Kernel Heap Armageddon - Hakim
Who am I?
Stefan Esser
• from Cologne / Germany
• in information security since 1998
• PHP core developer since 2001
• Month of PHP Bugs and Suhosin
• recently focused on iPhone security (ASLR, jailbreak)
• Head of Research and Development at SektionEins GmbH
Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 2
DISCLAIMER
iOS 6
• is in beta => any information about it might change (tomorrow)
• beta is only available to registered iOS developers under NDA
• I do not have an iOS developer account = I don't break NDA
• info is leaked = not first hand information
• ... luckily there are close friends with devices running iOS 6
Contents (slide overview)
- Page 1: title slide (http://www.sektioneins.de)
- Pages 5 and 6: So what is this talk about?
- Pages 7 and 8: Some Kernel Zones ($ zprint kalloc ...)
- Pages 9 to 14: iOS Kernel Zone Allocator 101
- Pages 15 and 16: Exploiting the freelist in iOS 6
- Pages 17 and 18: Overview Managers and Wrappers
- Pages 19 and 20: kalloc() (kalloc() is a wrapper ...)
- Pages 21 and 22: kfree() (kfree() is a bit special ...)
- Pages 23 and 24: _MALLOC() (_MALLOC() is a wrapper ...)
- Pages 25 and 26: _MALLOC() in iOS 5.x (void *_MALLOC( ...)
- Pages 27 and 28: What about kern_os_malloc(), new an...
- Pages 29 and 30: mcache / slab (could and might fill ...)
- Pages 31 and 32: kernel_memory_allocate ("master ...")
- Pages 33 and 34: Cross Zone Attacks (what is the ...)
- Pages 35 to 52: Visualization of Zone Page Allocation