iOS Kernel Heap Armageddon - Hakim

More documents

Recommendations

Info

zprint vs. iOS 6 • zprint is based on the host_zone_info / mach_zone_info • in iOS 6 Apple has locked down this API with PE_I_can_haz_debugger • can only be used on jailbroken devices (or Apple‘s own debugging hardware) • no longer usable for kernel heap exploits Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 8
iOS Kernel Zone Allocator 101 • kernel heap is divided into so called zones • each zone starts with a first chunk of memory (usually 1 page) 0x000 0x1000 Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 9
Page 1 and 2: http://www.sektioneins.de iOS Kerne
Page 3 and 4: DISCLAIMER iOS 6 • is in beta =>
Page 5 and 6: So what is this talk about? • zon
Page 7: Some Kernel Zones $ zprint kalloc e
Page 11 and 12: iOS Kernel Zone Allocator 101 • z
Page 13 and 14: iOS Kernel Zone Allocator 101 • w
Page 15 and 16: Exploiting the freelist in iOS 6
Page 17 and 18: Overview Managers and Wrappers not
Page 19 and 20: kalloc() • kalloc() is a wrapper
Page 21 and 22: kfree() • kfree() is a bit specia
Page 23 and 24: _MALLOC() • _MALLOC() is a wrappe
Page 25 and 26: _MALLOC() in iOS 5.x void *_MALLOC(
Page 27 and 28: What about kern_os_malloc(), new an
Page 29 and 30: mcache / slab could and might fill
Page 31 and 32: kernel_memory_allocate • “maste
Page 33 and 34: Cross Zone Attacks • what is the
Page 35 and 36: Visualization of Zone Page Allocati
Page 59 and 60:
Visualization of Zone Page Allocati
Page 61 and 62:
Zone Page Allocation Distribution (
Page 63 and 64:
Cross Memory Allocator Attacks •
Page 65 and 66:
iOS Kernel C++ • iOS kernel‘s l
Page 67 and 68:
OSObject Memory Layout 0x00 0x04 vt
Page 69 and 70:
Overwriting an OSObject in Memory
Page 71 and 72:
OSArray Memory Layout and Overwriti
Page 73 and 74:
“Generic“ Technique to control
Page 75 and 76:
Heap Feng Shui / Heap Massage / ...
Page 77 and 78:
OSUnserializeXML() • deserializat
Page 79 and 80:
How does the parser work? (II) •
Page 81 and 82:
How does the parser work? (IV) •
Page 83 and 84:
How does the parser work? (VI) •
Page 85 and 86:
How does the parser work? (VIII)
Page 87 and 88:
Heap Spraying (Remember?) • alloc
Page 89 and 90:
Heap Spraying • allocate repeated
Page 91 and 92:
Heap Spraying • allocate repeated
Page 93 and 94:
Fill Arbitrary Sized Memory Blocks
Page 95 and 96:
Poking Holes into Allocated Data
Page 97 and 98:
Extra: Keeping Data Allocated • s
show all

iOS Kernel Heap Armageddon - Hakim

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?