SlideShare a Scribd company logo

Moony li pacsec-1.8

โ€ข
โ€ข
PacSecJP
PacSecJP

PacSec2016

Internet
1 of 55
Download to read offline
Fuzzing and Exploiting OSX Vulnerabilities for Fun and Profit Complementary Active & Passive Fuzzing
What We Will Cover โ€ขโ€ฏ Who We Are โ€ขโ€ฏ Passive Fuzzing Framework โ€ขโ€ฏ Exploit to Root
Moony Li -โ€ฏ @Flyic -โ€ฏ 7 years security -โ€ฏ Sandcastle -โ€ฏ Deep Discovery -โ€ฏ Exploit Detection -โ€ฏ Mac/Windows Kernel -โ€ฏ Android Vulnerability
Jack Tang -โ€ฏ @jacktang310 -โ€ฏ 10+ years security -โ€ฏ Browser -โ€ฏ Document -โ€ฏ Mac/Windows Kernel -โ€ฏ Virtualization Vulnerability
CVE-2015-3787, CVE-2015-5867, CVE-2015-7021,CVE-2015-7020, CVE-2016-1716,ZDI-CAN-3536,ZDI-CAN-3558, ZDI- CAN-3598,ZDI-CAN-3596,ZDI-CAN-3603,CVE-2015-7067, CVE-2015-7076,CVE-2015-7106,CVE-2015-7109,CVE-2016-1718, CVE-2016-1747,CVE-2016-1749,CVE-2016-1753, ZDI-CAN-3693, ZDI-CAN-3694, CVE-2016-1795, CVE-2016-1808, CVE-2016-1810, CVE-2016-1817, CVE-2016-1820, CVE-2016-1798, CVE-2016-1799, CVE-2016-1812, CVE-2016-1814, CVE-2016-1818, CVE-2016-1816, CVE-2016-4648๏ผŒ CVE-2016-4699๏ผŒCVE-2016-4700๏ผŒCVE-2016-4750 CVE Credits
Github Access h"ps:// github.com/ SilverMoonSecu rity
What We Will Cover โ€ขโ€ฏ Comparing Approaches โ€ขโ€ฏ Our Approach/ Consideration โ€ขโ€ฏ Implementation โ€ขโ€ฏ Best Practice
Methods Disadvantage Notes Tradi1onal Fuzz Choice the IOKit service name they want to test. Pour fuzzing data into the IOKit usermode API (e.g. IOConnectCallMethod) Call sequence dependency AppleCamIn (OpenDevice, PowerOnCameraโ€ฆ) Input data dependency AppleHDAEngineInput(input as user mode bu๏ฌ€er pointer) Timing dependency IOHDIXHDDriveOutKernel( mount dmg) Code Review Un-scalable Depend on Human experience Cost e๏ฌ€ort for Reverse Engineering so many IOKit services and userclient. Comparing Other Approaches
Our Approach|Consideration Interception & Poison
Are they similarJ Comparison River Dam Passive Fuzz Basic FuncHon Stream intercept ExecuNon intercept Up Stream User mode data Down Stream Kernel mode data Create Chaos Poisoning upstream Fuzzing user data Downstream ๏ฌsh die Kernel crash Track the poisonโ€™s origin Reproduce โ€ฆโ€ฆ โ€ฆโ€ฆ
Just Like This โ€ฆ
Origianl function Hooker IOAcceleratorFamily2.kext Targeted application from apple store Suspicious module/function manifest IOThunderboltFamily.kext IOUSBFamily.kext AppleGraphicsPowerManagement.kext AppleHDA.kext โ€ฆ โ€ฆ I. is_io_connect_method II. is_io_connect_async_method III. iokit_user_client_trap IV. IOMemoryDescriptor::createMappingInTask V. ipc_kmsg_get VI. ipc_kmsg_send VII. Copyio โ€ฆ... Conditon Checker Ring3 Ring0 Target drivers XNU/ IOKit Tamper StackFrame, Process, UserClient, MsgID, โ€ฆ... Context Matcher Implementation โ€“ Architecture Overview
TargetAPI(params): //Call Original_TargetAPI(params) if (matchWhitelistParameter(params)) goto _exit(); if !(matchStackFrame() && matchBlacklistParameter(params)) goto _exit; if (random()) {record(params); fuzz(params);} Call Original_TargetAPI(params); if (matchContext(params)) alert; Implementation โ€“ Pseudo Code
โ€ขโ€ฏHooker โ€ขโ€ฏ Directly accessible by user โ€ขโ€ฏ One hook for many processes โ€ขโ€ฏ Inline hook in kernel mode. โ€ขโ€ฏTamper โ€ขโ€ฏ Only fuzz buffer content accessible by user โ€ขโ€ฏ e.g. Inband_input, scalar_input, ool_input โ€ขโ€ฏ NOT size! (bypass getTargetAndMethodForIndex check) Implementation โ€“ Hook & Tamper
int, bool, Gen575TextureBuffer**) + 0x12e 0xffffff80c0c7b7c0 0xffffff7fa96f2bd5 AppleIntelHD3000Graphics`Gen6GLContext::process_token_BindTextures(VendorGLStreamInfo&) + 0x103 0xffffff80c0c7b7f0 0xffffff7fa96b6242 AppleIntelHD3000Graphics`IOIntelGLContext::processCommandBuffer(VendorCommandDescriptor*) + 0x12c 0xffffff80c0c7b820 0xffffff7fa96ec1eb AppleIntelHD3000Graphics`Gen6GLContext::processCommandBuffer(VendorCommandDescriptor*) + 0x7b 0xffffff80c0c7b900 0xffffff7fa96b540a AppleIntelHD3000Graphics`IOIntelGLContext::clientMemoryForType(unsigned int, unsigned int*, IOMemoryDescriptor**) + 0x5bc 0xffffff80c0c7b950 0xffffff7fa96b39c3 AppleIntelHD3000Graphics`IOIntelGLContext::submit_command_buffer(unsigned int, sIOGLGetCommandBuffer*) + 0x63 0xffffff80c0c7b980 0xffffff80276b9626 ::shim_io_connect_method_scalarI_structureO(IOExternalMethod *, IOService *, const io_user_scalar_t *, mach_msg_type_number_t, char *, IOByteCount *)((IOExternalMethod *) method = <>, , (IOService *) object = <>, , (const io_user_scalar_t *) input = <>, , (mach_msg_type_number_t) inputCount = <>, , (char *) output = <register r10 is not available>, , (IOByteCount *) outputCount = <register r11 is not available>, ) 0xffffff80c0c7b9e0 0xffffff80276baef0 IOUserClient::externalMethod(unsigned int, IOExternalMethodArguments*, IOExternalMethodDispatch*, OSObject*, void*)((IOUserClient *) this = <>, , (uint32_t) selector = <>, , (IOExternalMethodArguments *) args = 0xffffff80c0c7ba00, (IOExternalMethodDispatch *) dispatch = <>, , (OSObject *) target = <>, , (void *) reference = <>, ) 0xffffff80c0c7bb20 0xffffff80276b7f77 ::is_io_connect_method(io_connect_t, uint32_t, io_user_scalar_t *, mach_msg_type_number_t, char *, mach_msg_type_number_t, mach_vm_address_t, mach_vm_size_t, char *, mach_msg_type_number_t *, io_user_scalar_t *, mach_msg_type_number_t *, mach_vm_address_t, mach_vm_size_t *) ((io_connect_t) connection = 0xffffff80c0c7ba60, (uint32_t) selector = 16, (io_user_scalar_t *) scalar_input = <>, , (mach_msg_type_number_t) scalar_inputCnt = <>, , (char *) inband_input = <>, , (mach_msg_type_number_t) inband_inputCnt = 0, (mach_vm_address_t) ool_input = <>, , (mach_vm_size_t) ool_input_size = <no location, value may have been optimized out>, , (char *) inband_output = <no location, value may have been optimized out>, , (mach_msg_type_number_t *) inband_outputCnt = <no location, value may have been optimized out>, , (io_user_scalar_t *) scalar_output = <>, , (mach_msg_type_number_t *) scalar_outputCnt = <no location, value may have been optimized out>, , (mach_vm_address_t) ool_output = <>, , (mach_vm_size_t *) ool_output_size = <>, ) 0xffffff80c0c7bcd0 0xffffff7fa9cd34ab trampline_is_io_connect_method((io_connect_t) connection = 0xffffff8035637000, (uint32_t) selector = 16, (io_user_scalar_t *) scalar_input = 0xffffff80331a4dcc, (mach_msg_type_number_t) scalar_inputCnt = 1, (char *) inband_input = 0xffffff80331a4dd8 "", (mach_msg_type_number_t) inband_inputCnt = 0, (mach_vm_address_t) ool_input = 0, (mach_vm_size_t) ool_input_size = 0, (char *) inband_output = 0xffffff8035805600 "", (mach_msg_type_number_t *) inband_outputCnt = 0xffffff80358055fc, (io_user_scalar_t *) scalar_output = 0xffffff80c0c7bd30, (mach_msg_type_number_t *) scalar_outputCnt = 0xffffff80c0c7bd2c, (mach_vm_address_t) ool_output = 0, (mach_vm_size_t *) ool_output_size = 0xffffff80331a4df8) 0xffffff80c0c7bde0 0xffffff8027158750 _Xio_connect_method((mach_msg_header_t *) InHeadP = <>, , (mach_msg_header_t *) OutHeadP = 0xffffff80358055d0) Implementation โ€“ Hook & Tamper (Snippet โ€“ Unreported Crash)
โ€ขโ€ฏ (Driver interface)is_io_connect_method โ€ขโ€ฏ (Driver interface)is_io_connect_async_method โ€ขโ€ฏ (Kernel)iokit_user_client_trap โ€ขโ€ฏ (Kernel)IOMemoryDescriptor::createMappingInTas k โ€ขโ€ฏ (Mach Msg)ipc_kmsg_get โ€ขโ€ฏ (Mach Msg)ipc_kmsg_send โ€ขโ€ฏ (General IO)Copyio โ€ขโ€ฏโ€ฆ Implementation โ€“ Hook Summary
Implementation โ€“ Hook Summary Sinnpet
Keep fuzzing stable โ€ขโ€ฏ Get rid of noise oโ€ฏ busy call, black screen call, hung call, oโ€ฏ reproduced crashes Hunt according to vulnerability context โ€ขโ€ฏ Kernel heap address leak โ€ขโ€ฏ Map user data into kernel and read as buffer size โ€ขโ€ฏ โ€ฆ Implementation โ€“ Why Condition Checker๏ผŸ
โ€ขโ€ฏ &&, ||, *(wild match), white(black) โ€ขโ€ฏ Process โ€ขโ€ฏ User id (root/Non-root) โ€ขโ€ฏ Process Name (e.g. Safari, RCE, sandbox-evasion) โ€ขโ€ฏ Module โ€ขโ€ฏ Module Name โ€ขโ€ฏ Function โ€ขโ€ฏ Symbol Name/Address โ€ขโ€ฏ Offset range Implementation โ€“ Dimension of Condition 1/3
//Config for mac prodetail_control_entry_t g_white_listing_detail_control[] ={ // procName,uid,driverBundleName, driverClassName, selFunctionNO //"*", 0,"*","*",ANY_MATCH_INTEGER,#if 0 //Reported or collected yet: // {"*",PROCESS_UID_ANY_INTEGER,"*","AGPMClient",7312}, // {"*",PROCESS_UID_ANY_INTEGER,"*", "nvDeviceTesla", 5}, // {"*",PROCESS_UID_ANY_INTEGER,"*", "NV2DContextTesla", 17}, // {"*",PROCESS_UID_ANY_INTEGER,"*","IONVSurfaceTesla",10}, // {"*",PROCESS_UID_ANY_INTEGER,"*","IOHDIXHDDriveOutKernelUserClient",2}, {"*",PROCESS_UID_ANY_INTEGER,"*","IGAccelSharedUserClient",1},//crash-24 {"*",PROCESS_UID_ANY_INTEGER,"*","AccelSurface",16},//crash-23 {"*",PROCESS_UID_ANY_INTEGER,"*",OBJECT_CLASS_NAME_NO_FOUND,16}, {"*",PROCESS_UID_ANY_INTEGER,"*","HD",2},// crash-21 //"*",PROCESS_UID_ANY_INTEGER,"*","Accel",2,// crash-28 //"*",PROCESS_UID_ANY_INTEGER,"*","IG",2,// crash-28 //"*",PROCESS_UID_ANY_INTEGER,"*","Con",2,//crash-28 "*",PROCESS_UID_ANY_INTEGER,"*","IGAccelSharedUserClient",0,//crash-29 "*",PROCESS_UID_ANY_INTEGER,"*","IOThunderboltFamilyUserClient",22,// crash-30 //"*",PROCESS_UID_ANY_INTEGER,"*","IG",ANY_MATCH_INTEGER, //"*",PROCE SS_UID_ANY_INTEGER,"*","Accel",ANY_MATCH_INTEGER, //"vm",PROCESS_UID_ANY_INT EGER,"*","*",ANY_MATCH_INTEGER, //"*",PROCESS_UID_ANY_INTEGER,"*","vm",ANY_MA TCH_INTEGER, "sandbox",PROCESS_UID_ANY_INTEGER,"*","*",ANY_MATCH_INTEGER, "dog",PROCESS_UID_ANY_INTEGER,"*","*",ANY_MATCH_INTEGER, // {"WindowServer",PROCESS_UID_ANY_INTEGER,"*","AccelSurface",16},// crash-23 //"*",PROCESS_UID_ANY_INTEGER,"*","SMC",ANY_MATCH_INTEGER, //"window server",PROCESS_UID_ANY_INTEGER,"*","*",ANY_MATCH_INTEGER,}; Implementation โ€“ White Listing Sample
โ€ขโ€ฏ Data โ€ขโ€ฏ is_address_RWX โ€ขโ€ฏ Copy direction(in/out) โ€ขโ€ฏ Kernel or User space (SMAP noise) โ€ขโ€ฏ Call-Stack โ€ขโ€ฏ Function ret โ€ขโ€ฏ Stack Level (from bottom to top) โ€ขโ€ฏ Level range[,] Implementation โ€“ Dimension of Condition 2/3
stack_match_item_t stack_matcher_for_copyio[]={ //If any item in list match, then match //{routineName, cache}, routineAddress, offSetFrom, offsetTo, levelLow, levelHigh {{"_shim_io_connect_method_scalarI_scalarO",STACK_ANY_INTEGER},STACK_ANY_INTEGE R,0, 0xC120-0xB8B0, STACK_ALL_LEVEL_RANGE}, {{"_shim_io_connect_method_scalarI_structureO",STACK_ANY_INTEGER},STACK_ANY_INTE GER,0, 0xDB94-0xD5C0, STACK_ALL_LEVEL_RANGE}, {{"_shim_io_connect_method_scalarI_structureI",STACK_ANY_INTEGER},STACK_ANY_INTEG ER,0, 0xEA97-0xE490, STACK_ALL_LEVEL_RANGE}, {{"_shim_io_connect_method_structureI_structureO",STACK_ANY_INTEGER},STACK_ANY_IN TEGER,0, 0xF588-0xF270, STACK_ALL_LEVEL_RANGE}, {{"_is_io_connect_method",STACK_ANY_INTEGER},STACK_ANY_INTEGER,0, 0xb2a9-0xaf10,STACK_ALL_LEVEL_RANGE}, } Implementation โ€“ Stack Frame Sample
Dimension of condition 3/3 โ€ขโ€ฏ Misc โ€ขโ€ฏ Mach_msg โ€ขโ€ฏ msg subsystem idโ€ฆ โ€ขโ€ฏ Userclient โ€ขโ€ฏ serviceName,ClassName,selectorโ€ฆ
detail_control_entry_t g_white_listing_detail_control[] ={ // procName,uid,driverBundleName, driverClassName, selFunctionNO //{"*",PROCESS_UID_ANY_INTEGER,"*","AGPMClient",7312},, {"*",PROCESS_UID_ANY_INTEGER,"*","IGAccelSharedUserClient",1},//crash-24 {"*",PROCESS_UID_ANY_INTEGER,"*","AccelSurface",16},//crash-23 {"*",PROCESS_UID_ANY_INTEGER,"*",OBJECT_CLASS_NAME_NO_FOUND,16}, {"*",PROCESS_UID_ANY_INTEGER,"*","HD",2},//crash-21 {"*",PROCESS_UID_ANY_INTEGER,"*","IX",2},//crash-21 "*",PROCESS_UID_ANY_INTEGER,"*","AGPM",7312,//crash-11 "*",PROCESS_UID_ANY_INTEGER,"*","IGAccelGLContext",2,//crash-28 Implementation โ€“ UserClient Sample
#define KMSG_IOKIT_SUBSYSTEM_RANGE 0xAF0, 0x0B47 detail_control_entry_for_ipc_kmsg_send_t g_black_listing_detail_control_foripc_kmsg_send[] ={ //procName,uid,msg_id_from, msg_id_to, routineName, addr, addr_offset_from, addr_offset_to "chrome",PROCESS_UID_ANY_INTEGER, KMSG_IOKIT_SUBSYSTEM_RANGE,"__Xio_connect_method",KMSG_ADDR_OFFSET_ANY_RANGE, KMSG_LEAVING,}; โ€ขโ€ฏ #define KMSG_IOKIT_SUBSYSTEM_RANGE 0xAF0, 0x0B47 โ€ขโ€ฏ #define KMSG_MACH_VM_SUBSYSTEM_RANGE 0x12C0, 0x12D4 โ€ขโ€ฏ #define KMSG_MACH_PORT_SUBSYSTEM_RANGE 0xC80, 0x0CA4 โ€ขโ€ฏ #define KMSG_MACH_HOST_SUBSYSTEM_RANGE 0xC8, 0xE4 โ€ขโ€ฏ #define KMSG_HOST_PRIV_SUBSYSTEM_RANGE 0x190, 0x1AA โ€ขโ€ฏ โ€ฆโ€ฆ Implementation โ€“ Mach-msg Sample
โ€ขโ€ฏEnlightenment for code review โ€ขโ€ฏ Buggy module, interface for REโ€ฆโ€ฆ โ€ขโ€ฏThe Pattern accumulated in bug hunting activities โ€ขโ€ฏNo vulnerability but indicates suspicious vulnerability โ€ขโ€ฏImplemented through condition checker Implementation โ€“ What Is Context?
โ€ขโ€ฏ Some IOKit related memory corruption vulnerabilities may happen in the following context: โ€ขโ€ฏ Call IOMemoryDescriptor :: createMappingInTask to mapping user mode buffer space to kernel mode. โ€ขโ€ฏ Read a value from the buffer and use it as a size to read or write a buffer. โ€ขโ€ฏ Some kernel information leak vulnerability may happen in the following context: โ€ขโ€ฏ The output bufferโ€™s content has 0xFFFFFF prefix. Implementation โ€“ Context Sample
โ€ขโ€ฏ Fuzzing Source: โ€ขโ€ฏ Multiple applications โ€ขโ€ฏ AppStore (MMORPG games, FaceTime,USB hardisk, BlueTooth, Wifi, VM,DirectXโ€ฆ) โ€ขโ€ฏ Virus Total, Apple OpenSource UT, github sample code โ€ขโ€ฏ Combination of rich kind of fuzzing source โ€ขโ€ฏ Active fuzzing, Python watchdog, browsing WebGL โ€ขโ€ฏ Fuzzing Stability: โ€ขโ€ฏ Bypass active hang, black screen, reproduced cases using condition checker(nvTestlaSurfaceTesla, IGAccelGLContext, IGAccelSurfaceโ€ฆ) Best Practice โ€“ For Passive 1/3
โ€ขโ€ฏ Reproduction: โ€ขโ€ฏ Log through network โ€ขโ€ฏ Log to NVRAM? Log to memory and kdp_panic_dump callback? โ€ขโ€ฏ Core dump server โ€ขโ€ฏ sh-3.2# nvram boot-args=โ€pmuflags=1 debug=0xd44 kext-dev-mode=1 kcsuffix=development โ€“ v _panicd_ip=10.64.80.106โ€ โ€ขโ€ฏ Thunderbolt+fwkdp+lldb โ€ขโ€ฏ Automation โ€ขโ€ฏ kdp_panic_dump callback+dump+reboot? Best Practice โ€“ For Passive 2/3
Miscellaneous Tips โ€ขโ€ฏ Occasional fuzz activities recommended โ€ขโ€ฏ Normal program running โ€“ sudden fuzz โ€ขโ€ฏ Keep OS version updated with latest KDK Best Practice โ€“ For Passive 3/3
Best Practice โ€“ How to complementary passive fuzzing๏ผŸ
Best Practice โ€“ For Active Fuzz 1/4 Active Fuzz Passive Fuzz Researcher [1]Provide more IOKit call [2]Suspicious moudle/function manifest [3]Context Pattern [2]Suspicious moudle/function manifest Code Reviewer
โ€ขโ€ฏ Statistical data from passive fuzz โ€ขโ€ฏ Accessible user client, non-root, non-sandbox, crash frequencies, crash types(UAF, OOB)โ€ฆ โ€ขโ€ฏ Contact API in lower level to bypass unnecessary checks (if possible) โ€ขโ€ฏ Resolve Mac-O format, find symbol, hard-code offset โ€ขโ€ฏ e.g. IOServiceGetMatchingServices(mach_port_t, CFDictionaryRef, io_iterator_t *) ->io_service_get_matching_services_bin(mach_port_t, char*,int, void*) Best Practice โ€“ For Active 1/4
โ€ขโ€ฏ Reproduce: โ€ขโ€ฏ No need to record your random call/random parameter - just record your pseudorandom number seed (E.g. Mt19937-64/Mt19937-32) โ€ขโ€ฏ The kernel crash is easily reproduced, no matter how randomly you call API and fuzz parameters Best Practice โ€“ For Active 2/4
seed = CrahsedCases[i] for(randomSelect every kernel module) for(randomSelect every interface) APICall( randomByte() ) Best Practice โ€“ For Active 2/4 Pseudo code for reproduce
for (every fuzz session) seed = generate() sendSeedOutside() for(randomSelect every kernel module) for(randomSelect every interface) APICall( randomByte() ) Best Practice โ€“ For Active 3/4 Pseudo code for active fuzzing
โ€ขโ€ฏ Reproduce: โ€ขโ€ฏ Web seed server for multiple connections โ€ขโ€ฏ One pseudorandom seed for a relatively short fuzz cycle Best Practice โ€“ For Active 4/4
What We Will Cover โ€ขโ€ฏ Security Mitigation ยงโ€ฏExploit Methods โ€ขโ€ฏ Exploit Practice
โ€ขโ€ฏ SIP (System Integrity Protection) โ€ขโ€ฏ KALSR(e.g. PEGASUS CVE-2016-4655) โ€ขโ€ฏ SMAP โ€ขโ€ฏ SMEP https://speakerdeck.com/marcograss/dont-trust-your-eye-apple- graphics-is-compromised Security Mitigation
โ€ขโ€ฏ Bypass KASLR โ€“โ€ฏUsing vulnerability to leak kernel code segment address in run time โ€“โ€ฏBuild up payload with leaked API (e.g. thread_exception_return) โ€ขโ€ฏ Bypass SMAP โ€“โ€ฏUsing vulnerability to leak kernel heap address โ€“โ€ฏBuild up ROP chain in kernel heap โ€“โ€ฏKernel heap address would be needed โ€ขโ€ฏ Bypass SMEP โ€“โ€ฏUsing vulnerability to execute RIP in kernel โ€“โ€ฏExecute ROP chain to disable SMEP/SMAP โ€“โ€ฏPayload execution Exploit Methods
โ€ขโ€ฏ The OSX/iOS hacking guru Stefan Esser (@i0n1c) propose OSUnserializeXML is a good way in SyScan 2012 h"ps://reverse.put.as/wp-content/uploads/2011/06/ SyScan2012_StefanEsser_iOS_Kernel_Heap_Armageddon.pdf Tips of Heap FengShui OSUnerializeXML()
โ€ขโ€ฏ In most cases, the OSDictionary allocated by OSUnserializeXML will be freed by OSObject::release in one system call ใ€‚ใ€‚ใ€‚ Howeverโ€ฆ
โ€ขโ€ฏ If the allocated object is referenced by another component, it will not be released even if call object::release to it. โ€ขโ€ฏ IORegistry is a good choice for Heap Fengshui โ€ขโ€ฏ So we find OSUnserializeXML invoking nearby IORegistry method calling โ€ฆ Howeverโ€ฆ
โ€ขโ€ฏ In IOKIT service IOMProotDomain , slector 7 (kPMSleepSystemOptions) RootDomainUserClient::secureSleepSystemOptions ใ€‚ใ€‚ใ€‚ Always an exceptionJ
We Exploit apple to root by bugs found and Heap Fengshui tips
โ€ขโ€ฏ CVE-2016-xxx : This is typical UAF vulnerability in AppleHDAEngineInput kernel module. โ€ขโ€ฏ CVE-2016-xxxx: Another bug in the Disk image module can leak an object address. The address exists in kernel heap. Bugs
payload Ring3 Ring0 kernel SMAP SMEP KASLR kslide Driver Memory address โ€“ Disk Address Call current_proc Call proc_ucred Call posix_cred_get Call thread_exception_return IOCommand Exploit App ROP Gadgets mov cr4 rax; ret Call payload StackPivot 0x68 Object 0x108 AppleHDAEngineInput IOHDIXHDDriveOutKernel vtable_addr +0 +8 call [vtable+0] [1]Leak kernel buffer IOCommand address [3]Spray freed IOCommand with OSData๏ผˆStackPivot๏ผ‰ [2]Free IOCommand [4]Free Object [5]Spray freed Object with OSData(leaked IOCommand and ROP) [0]Leak kslide to build up payload [6]Trigger execution by use Object Exploit Process 1/2
IOCommandStackPivot Object Exploit Apppayload +0 +8 Exploit Process 2/2
Demo
Thanks very much
Special thanks : Herry Li, @zenhumany Juwei Lin, @fuzzerDOTcn

Recommended

DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
ย 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_world
fantasy zheng
ย 
Automatic Identification of Bug-Introducing Changes
Automatic Identification of Bug-Introducing ChangesAutomatic Identification of Bug-Introducing Changes
Automatic Identification of Bug-Introducing Changes
Thomas Zimmermann
ย 
Bsides
BsidesBsides
Bsides
m j
ย 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6
fisher.w.y
ย 
Flashback, el primer malware masivo de sistemas Mac
Flashback, el primer malware masivo de sistemas MacFlashback, el primer malware masivo de sistemas Mac
Flashback, el primer malware masivo de sistemas Mac
ESET Latinoamรฉrica
ย 
[DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one!
[DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one![DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one!
[DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one!
Synack
ย 
HotSpot template interpreter memos
HotSpot template interpreter memosHotSpot template interpreter memos
HotSpot template interpreter memos
ytoshima
ย 

Recommended

DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
ย 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_world
fantasy zheng
ย 
Automatic Identification of Bug-Introducing Changes
Automatic Identification of Bug-Introducing ChangesAutomatic Identification of Bug-Introducing Changes
Automatic Identification of Bug-Introducing Changes
Thomas Zimmermann
ย 
Bsides
BsidesBsides
Bsides
m j
ย 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6
fisher.w.y
ย 
Flashback, el primer malware masivo de sistemas Mac
Flashback, el primer malware masivo de sistemas MacFlashback, el primer malware masivo de sistemas Mac
Flashback, el primer malware masivo de sistemas Mac
ESET Latinoamรฉrica
ย 
[DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one!
[DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one![DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one!
[DefCon 2016] I got 99 Problems, but โ€จLittle Snitch ainโ€™t one!
Synack
ย 
HotSpot template interpreter memos
HotSpot template interpreter memosHotSpot template interpreter memos
HotSpot template interpreter memos
ytoshima
ย 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
ย 
Live Updating Swift Code
Live Updating Swift CodeLive Updating Swift Code
Live Updating Swift Code
Bartosz Polaczyk
ย 
Arduino
ArduinoArduino
Arduino
SHAWN GANGASINGH
ย 
Reverse engineering20151112
Reverse engineering20151112Reverse engineering20151112
Reverse engineering20151112
Bordeaux I
ย 
JVM code reading -- C2
JVM code reading -- C2JVM code reading -- C2
JVM code reading -- C2
ytoshima
ย 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
ย 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
Synack
ย 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgc
ytoshima
ย 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware Analysis
Brian Baskin
ย 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
KarlFrank99
ย 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
ย 
Tactical Assassins
Tactical AssassinsTactical Assassins
Tactical Assassins
Prathan Phongthiproek
ย 
Verifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesVerifikation - Metoder og Libraries
Verifikation - Metoder og Libraries
InfinIT - Innovationsnetvรฆrket for it
ย 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
Mikhail Sosonkin
ย 
Bitcoin, the Protocol
Bitcoin, the ProtocolBitcoin, the Protocol
Bitcoin, the Protocol
G-J van Rooyen
ย 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
Bordeaux I
ย 
Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020
Sandesh Rao
ย 
OpenBot-Code
OpenBot-CodeOpenBot-Code
OpenBot-Code
Anshuman Dhar
ย 
Open bot
Open bot Open bot
Open bot
Anshuman Dhar
ย 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
Priyanka Aash
ย 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
PacSecJP
ย 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
ย 

More Related Content

What's hot

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
ย 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
ย 
Bitcoin, the Protocol
Bitcoin, the ProtocolBitcoin, the Protocol
Bitcoin, the Protocol
G-J van Rooyen
ย 
Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020
Sandesh Rao
ย 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
Priyanka Aash
ย 

What's hot (20)

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
ย 
Live Updating Swift Code
Live Updating Swift CodeLive Updating Swift Code
Live Updating Swift Code
ย 
Arduino
ArduinoArduino
Arduino
ย 
Reverse engineering20151112
Reverse engineering20151112Reverse engineering20151112
Reverse engineering20151112
ย 
JVM code reading -- C2
JVM code reading -- C2JVM code reading -- C2
JVM code reading -- C2
ย 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
ย 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
ย 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgc
ย 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware Analysis
ย 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
ย 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
ย 
Tactical Assassins
Tactical AssassinsTactical Assassins
Tactical Assassins
ย 
Verifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesVerifikation - Metoder og Libraries
Verifikation - Metoder og Libraries
ย 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
ย 
Bitcoin, the Protocol
Bitcoin, the ProtocolBitcoin, the Protocol
Bitcoin, the Protocol
ย 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
ย 
Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020
ย 
OpenBot-Code
OpenBot-CodeOpenBot-Code
OpenBot-Code
ย 
Open bot
Open bot Open bot
Open bot
ย 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
ย 

Viewers also liked

Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
PacSecJP
ย 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
ย 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
PacSecJP
ย 
Anฤฑl kurmusฬง pacsec3
Anฤฑl kurmusฬง pacsec3Anฤฑl kurmusฬง pacsec3
Anฤฑl kurmusฬง pacsec3
PacSecJP
ย 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
ย 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
ย 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
PacSecJP
ย 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
PacSecJP
ย 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
PacSecJP
ย 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
ย 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
PacSecJP
ย 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
PacSecJP
ย 
Marc schoenefeld grandmaโ€˜s old handbag_draft2
Marc schoenefeld grandmaโ€˜s old handbag_draft2Marc schoenefeld grandmaโ€˜s old handbag_draft2
Marc schoenefeld grandmaโ€˜s old handbag_draft2
PacSecJP
ย 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
PacSecJP
ย 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
PacSecJP
ย 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
PacSecJP
ย 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
PacSecJP
ย 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
PacSecJP
ย 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
PacSecJP
ย 

Viewers also liked (20)

Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
ย 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
ย 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
ย 
Anฤฑl kurmusฬง pacsec3
Anฤฑl kurmusฬง pacsec3Anฤฑl kurmusฬง pacsec3
Anฤฑl kurmusฬง pacsec3
ย 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
ย 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
ย 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
ย 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
ย 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
ย 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
ย 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
ย 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
ย 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
ย 
Marc schoenefeld grandmaโ€˜s old handbag_draft2
Marc schoenefeld grandmaโ€˜s old handbag_draft2Marc schoenefeld grandmaโ€˜s old handbag_draft2
Marc schoenefeld grandmaโ€˜s old handbag_draft2
ย 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
ย 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
ย 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
ย 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
ย 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
ย 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
ย 

Similar to Moony li pacsec-1.8

The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
ย 
include ltiostreamgt include ltstringgt include .pdf
include ltiostreamgt include ltstringgt include .pdfinclude ltiostreamgt include ltstringgt include .pdf
include ltiostreamgt include ltstringgt include .pdf
contact32
ย 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
DefconRussia
ย 

Similar to Moony li pacsec-1.8 (20)

The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
ย 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
ย 
What Lies Beneath
What Lies BeneathWhat Lies Beneath
What Lies Beneath
ย 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source code
ย 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source code
ย 
include ltiostreamgt include ltstringgt include .pdf
include ltiostreamgt include ltstringgt include .pdfinclude ltiostreamgt include ltstringgt include .pdf
include ltiostreamgt include ltstringgt include .pdf
ย 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
ย 
Whose Stack Is It Anyway?
Whose Stack Is It Anyway?Whose Stack Is It Anyway?
Whose Stack Is It Anyway?
ย 
Sangam 2019 - The Latest Features
Sangam 2019 - The Latest FeaturesSangam 2019 - The Latest Features
Sangam 2019 - The Latest Features
ย 
Sysprog 13
Sysprog 13Sysprog 13
Sysprog 13
ย 
Interesting facts on c
Interesting facts on cInteresting facts on c
Interesting facts on c
ย 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
ย 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-Slides
ย 
3
33
3
ย 
C++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical ReviewerC++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical Reviewer
ย 
ไธบไป€ไนˆ rust-lang ๅธๅผ•ๆˆ‘๏ผŸ
ไธบไป€ไนˆ rust-lang ๅธๅผ•ๆˆ‘๏ผŸไธบไป€ไนˆ rust-lang ๅธๅผ•ๆˆ‘๏ผŸ
ไธบไป€ไนˆ rust-lang ๅธๅผ•ๆˆ‘๏ผŸ
ย 
HCE tutorial
HCE tutorialHCE tutorial
HCE tutorial
ย 
Managing console
Managing consoleManaging console
Managing console
ย 
Hypercritical C++ Code Review
Hypercritical C++ Code ReviewHypercritical C++ Code Review
Hypercritical C++ Code Review
ย 
Mach-O par Steฬphane Sudre
Mach-O par Steฬphane SudreMach-O par Steฬphane Sudre
Mach-O par Steฬphane Sudre
ย 

More from PacSecJP

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
ย 
Anฤฑl kurmusฬง pacsec3-ja
Anฤฑl kurmusฬง pacsec3-jaAnฤฑl kurmusฬง pacsec3-ja
Anฤฑl kurmusฬง pacsec3-ja
PacSecJP
ย 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
ย 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
PacSecJP
ย 
Marc schoenefeld grandmaโ€˜s old handbag_draft2_ja
Marc schoenefeld grandmaโ€˜s old handbag_draft2_jaMarc schoenefeld grandmaโ€˜s old handbag_draft2_ja
Marc schoenefeld grandmaโ€˜s old handbag_draft2_ja
PacSecJP
ย 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
PacSecJP
ย 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
PacSecJP
ย 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
PacSecJP
ย 
Nishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jp
Nishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jpNishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jp
Nishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jp
PacSecJP
ย 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
PacSecJP
ย 

More from PacSecJP (10)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
ย 
Anฤฑl kurmusฬง pacsec3-ja
Anฤฑl kurmusฬง pacsec3-jaAnฤฑl kurmusฬง pacsec3-ja
Anฤฑl kurmusฬง pacsec3-ja
ย 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
ย 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
ย 
Marc schoenefeld grandmaโ€˜s old handbag_draft2_ja
Marc schoenefeld grandmaโ€˜s old handbag_draft2_jaMarc schoenefeld grandmaโ€˜s old handbag_draft2_ja
Marc schoenefeld grandmaโ€˜s old handbag_draft2_ja
ย 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
ย 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
ย 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
ย 
Nishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jp
Nishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jpNishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jp
Nishimura i os็‰ˆfirefoxใฎ่„†ๅผฑๆ€งใ‚’่ฆ‹ใคใ‘ๅ‡บใ™_jp
ย 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
ย 

Recently uploaded

ๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅ
ๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅ
ๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅ
ydyuyu
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
ย 
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
nirzagarg
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
ย 
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort ServiceBusty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Delhi Call girls
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
ย 
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
ย 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
ย 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
SUHANI PANDEY
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
ย 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
SUHANI PANDEY
ย 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
ย 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
ย 
( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
ย 

Recently uploaded (20)

ๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅ
ๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅ
ๅœจ็บฟๅˆถไฝœ็บฆๅ…‹ๅคงๅญฆๆฏ•ไธš่ฏ๏ผˆyuๆฏ•ไธš่ฏ๏ผ‰ๅœจ่ฏป่ฏๆ˜Ž่ฎค่ฏๅฏๆŸฅ
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
ย 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
ย 
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
ย 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
ย 
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort ServiceBusty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
ย 
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
ย 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
ย 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
ย 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
ย 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
ย 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
ย 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
ย 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
ย 
( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | Girls Are Re...
ย 

Moony li pacsec-1.8

  • 1. Fuzzing and Exploiting OSX Vulnerabilities for Fun and Profit Complementary Active & Passive Fuzzing
  • 2. What We Will Cover โ€ขโ€ฏ Who We Are โ€ขโ€ฏ Passive Fuzzing Framework โ€ขโ€ฏ Exploit to Root
  • 3.
  • 4. Moony Li -โ€ฏ @Flyic -โ€ฏ 7 years security -โ€ฏ Sandcastle -โ€ฏ Deep Discovery -โ€ฏ Exploit Detection -โ€ฏ Mac/Windows Kernel -โ€ฏ Android Vulnerability
  • 5. Jack Tang -โ€ฏ @jacktang310 -โ€ฏ 10+ years security -โ€ฏ Browser -โ€ฏ Document -โ€ฏ Mac/Windows Kernel -โ€ฏ Virtualization Vulnerability
  • 6.
  • 7. CVE-2015-3787, CVE-2015-5867, CVE-2015-7021,CVE-2015-7020, CVE-2016-1716,ZDI-CAN-3536,ZDI-CAN-3558, ZDI- CAN-3598,ZDI-CAN-3596,ZDI-CAN-3603,CVE-2015-7067, CVE-2015-7076,CVE-2015-7106,CVE-2015-7109,CVE-2016-1718, CVE-2016-1747,CVE-2016-1749,CVE-2016-1753, ZDI-CAN-3693, ZDI-CAN-3694, CVE-2016-1795, CVE-2016-1808, CVE-2016-1810, CVE-2016-1817, CVE-2016-1820, CVE-2016-1798, CVE-2016-1799, CVE-2016-1812, CVE-2016-1814, CVE-2016-1818, CVE-2016-1816, CVE-2016-4648๏ผŒ CVE-2016-4699๏ผŒCVE-2016-4700๏ผŒCVE-2016-4750 CVE Credits
  • 9.
  • 10. What We Will Cover โ€ขโ€ฏ Comparing Approaches โ€ขโ€ฏ Our Approach/ Consideration โ€ขโ€ฏ Implementation โ€ขโ€ฏ Best Practice
  • 11. Methods Disadvantage Notes Tradi1onal Fuzz Choice the IOKit service name they want to test. Pour fuzzing data into the IOKit usermode API (e.g. IOConnectCallMethod) Call sequence dependency AppleCamIn (OpenDevice, PowerOnCameraโ€ฆ) Input data dependency AppleHDAEngineInput(input as user mode bu๏ฌ€er pointer) Timing dependency IOHDIXHDDriveOutKernel( mount dmg) Code Review Un-scalable Depend on Human experience Cost e๏ฌ€ort for Reverse Engineering so many IOKit services and userclient. Comparing Other Approaches
  • 13. Are they similarJ Comparison River Dam Passive Fuzz Basic FuncHon Stream intercept ExecuNon intercept Up Stream User mode data Down Stream Kernel mode data Create Chaos Poisoning upstream Fuzzing user data Downstream ๏ฌsh die Kernel crash Track the poisonโ€™s origin Reproduce โ€ฆโ€ฆ โ€ฆโ€ฆ
  • 14. Just Like This โ€ฆ
  • 15. Origianl function Hooker IOAcceleratorFamily2.kext Targeted application from apple store Suspicious module/function manifest IOThunderboltFamily.kext IOUSBFamily.kext AppleGraphicsPowerManagement.kext AppleHDA.kext โ€ฆ โ€ฆ I. is_io_connect_method II. is_io_connect_async_method III. iokit_user_client_trap IV. IOMemoryDescriptor::createMappingInTask V. ipc_kmsg_get VI. ipc_kmsg_send VII. Copyio โ€ฆ... Conditon Checker Ring3 Ring0 Target drivers XNU/ IOKit Tamper StackFrame, Process, UserClient, MsgID, โ€ฆ... Context Matcher Implementation โ€“ Architecture Overview
  • 16. TargetAPI(params): //Call Original_TargetAPI(params) if (matchWhitelistParameter(params)) goto _exit(); if !(matchStackFrame() && matchBlacklistParameter(params)) goto _exit; if (random()) {record(params); fuzz(params);} Call Original_TargetAPI(params); if (matchContext(params)) alert; Implementation โ€“ Pseudo Code
  • 17. โ€ขโ€ฏHooker โ€ขโ€ฏ Directly accessible by user โ€ขโ€ฏ One hook for many processes โ€ขโ€ฏ Inline hook in kernel mode. โ€ขโ€ฏTamper โ€ขโ€ฏ Only fuzz buffer content accessible by user โ€ขโ€ฏ e.g. Inband_input, scalar_input, ool_input โ€ขโ€ฏ NOT size! (bypass getTargetAndMethodForIndex check) Implementation โ€“ Hook & Tamper
  • 18. int, bool, Gen575TextureBuffer**) + 0x12e 0xffffff80c0c7b7c0 0xffffff7fa96f2bd5 AppleIntelHD3000Graphics`Gen6GLContext::process_token_BindTextures(VendorGLStreamInfo&) + 0x103 0xffffff80c0c7b7f0 0xffffff7fa96b6242 AppleIntelHD3000Graphics`IOIntelGLContext::processCommandBuffer(VendorCommandDescriptor*) + 0x12c 0xffffff80c0c7b820 0xffffff7fa96ec1eb AppleIntelHD3000Graphics`Gen6GLContext::processCommandBuffer(VendorCommandDescriptor*) + 0x7b 0xffffff80c0c7b900 0xffffff7fa96b540a AppleIntelHD3000Graphics`IOIntelGLContext::clientMemoryForType(unsigned int, unsigned int*, IOMemoryDescriptor**) + 0x5bc 0xffffff80c0c7b950 0xffffff7fa96b39c3 AppleIntelHD3000Graphics`IOIntelGLContext::submit_command_buffer(unsigned int, sIOGLGetCommandBuffer*) + 0x63 0xffffff80c0c7b980 0xffffff80276b9626 ::shim_io_connect_method_scalarI_structureO(IOExternalMethod *, IOService *, const io_user_scalar_t *, mach_msg_type_number_t, char *, IOByteCount *)((IOExternalMethod *) method = <>, , (IOService *) object = <>, , (const io_user_scalar_t *) input = <>, , (mach_msg_type_number_t) inputCount = <>, , (char *) output = <register r10 is not available>, , (IOByteCount *) outputCount = <register r11 is not available>, ) 0xffffff80c0c7b9e0 0xffffff80276baef0 IOUserClient::externalMethod(unsigned int, IOExternalMethodArguments*, IOExternalMethodDispatch*, OSObject*, void*)((IOUserClient *) this = <>, , (uint32_t) selector = <>, , (IOExternalMethodArguments *) args = 0xffffff80c0c7ba00, (IOExternalMethodDispatch *) dispatch = <>, , (OSObject *) target = <>, , (void *) reference = <>, ) 0xffffff80c0c7bb20 0xffffff80276b7f77 ::is_io_connect_method(io_connect_t, uint32_t, io_user_scalar_t *, mach_msg_type_number_t, char *, mach_msg_type_number_t, mach_vm_address_t, mach_vm_size_t, char *, mach_msg_type_number_t *, io_user_scalar_t *, mach_msg_type_number_t *, mach_vm_address_t, mach_vm_size_t *) ((io_connect_t) connection = 0xffffff80c0c7ba60, (uint32_t) selector = 16, (io_user_scalar_t *) scalar_input = <>, , (mach_msg_type_number_t) scalar_inputCnt = <>, , (char *) inband_input = <>, , (mach_msg_type_number_t) inband_inputCnt = 0, (mach_vm_address_t) ool_input = <>, , (mach_vm_size_t) ool_input_size = <no location, value may have been optimized out>, , (char *) inband_output = <no location, value may have been optimized out>, , (mach_msg_type_number_t *) inband_outputCnt = <no location, value may have been optimized out>, , (io_user_scalar_t *) scalar_output = <>, , (mach_msg_type_number_t *) scalar_outputCnt = <no location, value may have been optimized out>, , (mach_vm_address_t) ool_output = <>, , (mach_vm_size_t *) ool_output_size = <>, ) 0xffffff80c0c7bcd0 0xffffff7fa9cd34ab trampline_is_io_connect_method((io_connect_t) connection = 0xffffff8035637000, (uint32_t) selector = 16, (io_user_scalar_t *) scalar_input = 0xffffff80331a4dcc, (mach_msg_type_number_t) scalar_inputCnt = 1, (char *) inband_input = 0xffffff80331a4dd8 "", (mach_msg_type_number_t) inband_inputCnt = 0, (mach_vm_address_t) ool_input = 0, (mach_vm_size_t) ool_input_size = 0, (char *) inband_output = 0xffffff8035805600 "", (mach_msg_type_number_t *) inband_outputCnt = 0xffffff80358055fc, (io_user_scalar_t *) scalar_output = 0xffffff80c0c7bd30, (mach_msg_type_number_t *) scalar_outputCnt = 0xffffff80c0c7bd2c, (mach_vm_address_t) ool_output = 0, (mach_vm_size_t *) ool_output_size = 0xffffff80331a4df8) 0xffffff80c0c7bde0 0xffffff8027158750 _Xio_connect_method((mach_msg_header_t *) InHeadP = <>, , (mach_msg_header_t *) OutHeadP = 0xffffff80358055d0) Implementation โ€“ Hook & Tamper (Snippet โ€“ Unreported Crash)
  • 19. โ€ขโ€ฏ (Driver interface)is_io_connect_method โ€ขโ€ฏ (Driver interface)is_io_connect_async_method โ€ขโ€ฏ (Kernel)iokit_user_client_trap โ€ขโ€ฏ (Kernel)IOMemoryDescriptor::createMappingInTas k โ€ขโ€ฏ (Mach Msg)ipc_kmsg_get โ€ขโ€ฏ (Mach Msg)ipc_kmsg_send โ€ขโ€ฏ (General IO)Copyio โ€ขโ€ฏโ€ฆ Implementation โ€“ Hook Summary
  • 20. Implementation โ€“ Hook Summary Sinnpet
  • 21. Keep fuzzing stable โ€ขโ€ฏ Get rid of noise oโ€ฏ busy call, black screen call, hung call, oโ€ฏ reproduced crashes Hunt according to vulnerability context โ€ขโ€ฏ Kernel heap address leak โ€ขโ€ฏ Map user data into kernel and read as buffer size โ€ขโ€ฏ โ€ฆ Implementation โ€“ Why Condition Checker๏ผŸ
  • 22. โ€ขโ€ฏ &&, ||, *(wild match), white(black) โ€ขโ€ฏ Process โ€ขโ€ฏ User id (root/Non-root) โ€ขโ€ฏ Process Name (e.g. Safari, RCE, sandbox-evasion) โ€ขโ€ฏ Module โ€ขโ€ฏ Module Name โ€ขโ€ฏ Function โ€ขโ€ฏ Symbol Name/Address โ€ขโ€ฏ Offset range Implementation โ€“ Dimension of Condition 1/3
  • 23. //Config for mac prodetail_control_entry_t g_white_listing_detail_control[] ={ // procName,uid,driverBundleName, driverClassName, selFunctionNO //"*", 0,"*","*",ANY_MATCH_INTEGER,#if 0 //Reported or collected yet: // {"*",PROCESS_UID_ANY_INTEGER,"*","AGPMClient",7312}, // {"*",PROCESS_UID_ANY_INTEGER,"*", "nvDeviceTesla", 5}, // {"*",PROCESS_UID_ANY_INTEGER,"*", "NV2DContextTesla", 17}, // {"*",PROCESS_UID_ANY_INTEGER,"*","IONVSurfaceTesla",10}, // {"*",PROCESS_UID_ANY_INTEGER,"*","IOHDIXHDDriveOutKernelUserClient",2}, {"*",PROCESS_UID_ANY_INTEGER,"*","IGAccelSharedUserClient",1},//crash-24 {"*",PROCESS_UID_ANY_INTEGER,"*","AccelSurface",16},//crash-23 {"*",PROCESS_UID_ANY_INTEGER,"*",OBJECT_CLASS_NAME_NO_FOUND,16}, {"*",PROCESS_UID_ANY_INTEGER,"*","HD",2},// crash-21 //"*",PROCESS_UID_ANY_INTEGER,"*","Accel",2,// crash-28 //"*",PROCESS_UID_ANY_INTEGER,"*","IG",2,// crash-28 //"*",PROCESS_UID_ANY_INTEGER,"*","Con",2,//crash-28 "*",PROCESS_UID_ANY_INTEGER,"*","IGAccelSharedUserClient",0,//crash-29 "*",PROCESS_UID_ANY_INTEGER,"*","IOThunderboltFamilyUserClient",22,// crash-30 //"*",PROCESS_UID_ANY_INTEGER,"*","IG",ANY_MATCH_INTEGER, //"*",PROCE SS_UID_ANY_INTEGER,"*","Accel",ANY_MATCH_INTEGER, //"vm",PROCESS_UID_ANY_INT EGER,"*","*",ANY_MATCH_INTEGER, //"*",PROCESS_UID_ANY_INTEGER,"*","vm",ANY_MA TCH_INTEGER, "sandbox",PROCESS_UID_ANY_INTEGER,"*","*",ANY_MATCH_INTEGER, "dog",PROCESS_UID_ANY_INTEGER,"*","*",ANY_MATCH_INTEGER, // {"WindowServer",PROCESS_UID_ANY_INTEGER,"*","AccelSurface",16},// crash-23 //"*",PROCESS_UID_ANY_INTEGER,"*","SMC",ANY_MATCH_INTEGER, //"window server",PROCESS_UID_ANY_INTEGER,"*","*",ANY_MATCH_INTEGER,}; Implementation โ€“ White Listing Sample
  • 24. โ€ขโ€ฏ Data โ€ขโ€ฏ is_address_RWX โ€ขโ€ฏ Copy direction(in/out) โ€ขโ€ฏ Kernel or User space (SMAP noise) โ€ขโ€ฏ Call-Stack โ€ขโ€ฏ Function ret โ€ขโ€ฏ Stack Level (from bottom to top) โ€ขโ€ฏ Level range[,] Implementation โ€“ Dimension of Condition 2/3
  • 25. stack_match_item_t stack_matcher_for_copyio[]={ //If any item in list match, then match //{routineName, cache}, routineAddress, offSetFrom, offsetTo, levelLow, levelHigh {{"_shim_io_connect_method_scalarI_scalarO",STACK_ANY_INTEGER},STACK_ANY_INTEGE R,0, 0xC120-0xB8B0, STACK_ALL_LEVEL_RANGE}, {{"_shim_io_connect_method_scalarI_structureO",STACK_ANY_INTEGER},STACK_ANY_INTE GER,0, 0xDB94-0xD5C0, STACK_ALL_LEVEL_RANGE}, {{"_shim_io_connect_method_scalarI_structureI",STACK_ANY_INTEGER},STACK_ANY_INTEG ER,0, 0xEA97-0xE490, STACK_ALL_LEVEL_RANGE}, {{"_shim_io_connect_method_structureI_structureO",STACK_ANY_INTEGER},STACK_ANY_IN TEGER,0, 0xF588-0xF270, STACK_ALL_LEVEL_RANGE}, {{"_is_io_connect_method",STACK_ANY_INTEGER},STACK_ANY_INTEGER,0, 0xb2a9-0xaf10,STACK_ALL_LEVEL_RANGE}, } Implementation โ€“ Stack Frame Sample
  • 26. Dimension of condition 3/3 โ€ขโ€ฏ Misc โ€ขโ€ฏ Mach_msg โ€ขโ€ฏ msg subsystem idโ€ฆ โ€ขโ€ฏ Userclient โ€ขโ€ฏ serviceName,ClassName,selectorโ€ฆ
  • 27. detail_control_entry_t g_white_listing_detail_control[] ={ // procName,uid,driverBundleName, driverClassName, selFunctionNO //{"*",PROCESS_UID_ANY_INTEGER,"*","AGPMClient",7312},, {"*",PROCESS_UID_ANY_INTEGER,"*","IGAccelSharedUserClient",1},//crash-24 {"*",PROCESS_UID_ANY_INTEGER,"*","AccelSurface",16},//crash-23 {"*",PROCESS_UID_ANY_INTEGER,"*",OBJECT_CLASS_NAME_NO_FOUND,16}, {"*",PROCESS_UID_ANY_INTEGER,"*","HD",2},//crash-21 {"*",PROCESS_UID_ANY_INTEGER,"*","IX",2},//crash-21 "*",PROCESS_UID_ANY_INTEGER,"*","AGPM",7312,//crash-11 "*",PROCESS_UID_ANY_INTEGER,"*","IGAccelGLContext",2,//crash-28 Implementation โ€“ UserClient Sample
  • 28. #define KMSG_IOKIT_SUBSYSTEM_RANGE 0xAF0, 0x0B47 detail_control_entry_for_ipc_kmsg_send_t g_black_listing_detail_control_foripc_kmsg_send[] ={ //procName,uid,msg_id_from, msg_id_to, routineName, addr, addr_offset_from, addr_offset_to "chrome",PROCESS_UID_ANY_INTEGER, KMSG_IOKIT_SUBSYSTEM_RANGE,"__Xio_connect_method",KMSG_ADDR_OFFSET_ANY_RANGE, KMSG_LEAVING,}; โ€ขโ€ฏ #define KMSG_IOKIT_SUBSYSTEM_RANGE 0xAF0, 0x0B47 โ€ขโ€ฏ #define KMSG_MACH_VM_SUBSYSTEM_RANGE 0x12C0, 0x12D4 โ€ขโ€ฏ #define KMSG_MACH_PORT_SUBSYSTEM_RANGE 0xC80, 0x0CA4 โ€ขโ€ฏ #define KMSG_MACH_HOST_SUBSYSTEM_RANGE 0xC8, 0xE4 โ€ขโ€ฏ #define KMSG_HOST_PRIV_SUBSYSTEM_RANGE 0x190, 0x1AA โ€ขโ€ฏ โ€ฆโ€ฆ Implementation โ€“ Mach-msg Sample
  • 29. โ€ขโ€ฏEnlightenment for code review โ€ขโ€ฏ Buggy module, interface for REโ€ฆโ€ฆ โ€ขโ€ฏThe Pattern accumulated in bug hunting activities โ€ขโ€ฏNo vulnerability but indicates suspicious vulnerability โ€ขโ€ฏImplemented through condition checker Implementation โ€“ What Is Context?
  • 30. โ€ขโ€ฏ Some IOKit related memory corruption vulnerabilities may happen in the following context: โ€ขโ€ฏ Call IOMemoryDescriptor :: createMappingInTask to mapping user mode buffer space to kernel mode. โ€ขโ€ฏ Read a value from the buffer and use it as a size to read or write a buffer. โ€ขโ€ฏ Some kernel information leak vulnerability may happen in the following context: โ€ขโ€ฏ The output bufferโ€™s content has 0xFFFFFF prefix. Implementation โ€“ Context Sample
  • 31. โ€ขโ€ฏ Fuzzing Source: โ€ขโ€ฏ Multiple applications โ€ขโ€ฏ AppStore (MMORPG games, FaceTime,USB hardisk, BlueTooth, Wifi, VM,DirectXโ€ฆ) โ€ขโ€ฏ Virus Total, Apple OpenSource UT, github sample code โ€ขโ€ฏ Combination of rich kind of fuzzing source โ€ขโ€ฏ Active fuzzing, Python watchdog, browsing WebGL โ€ขโ€ฏ Fuzzing Stability: โ€ขโ€ฏ Bypass active hang, black screen, reproduced cases using condition checker(nvTestlaSurfaceTesla, IGAccelGLContext, IGAccelSurfaceโ€ฆ) Best Practice โ€“ For Passive 1/3
  • 32. โ€ขโ€ฏ Reproduction: โ€ขโ€ฏ Log through network โ€ขโ€ฏ Log to NVRAM? Log to memory and kdp_panic_dump callback? โ€ขโ€ฏ Core dump server โ€ขโ€ฏ sh-3.2# nvram boot-args=โ€pmuflags=1 debug=0xd44 kext-dev-mode=1 kcsuffix=development โ€“ v _panicd_ip=10.64.80.106โ€ โ€ขโ€ฏ Thunderbolt+fwkdp+lldb โ€ขโ€ฏ Automation โ€ขโ€ฏ kdp_panic_dump callback+dump+reboot? Best Practice โ€“ For Passive 2/3
  • 33. Miscellaneous Tips โ€ขโ€ฏ Occasional fuzz activities recommended โ€ขโ€ฏ Normal program running โ€“ sudden fuzz โ€ขโ€ฏ Keep OS version updated with latest KDK Best Practice โ€“ For Passive 3/3
  • 34. Best Practice โ€“ How to complementary passive fuzzing๏ผŸ
  • 35. Best Practice โ€“ For Active Fuzz 1/4 Active Fuzz Passive Fuzz Researcher [1]Provide more IOKit call [2]Suspicious moudle/function manifest [3]Context Pattern [2]Suspicious moudle/function manifest Code Reviewer
  • 36. โ€ขโ€ฏ Statistical data from passive fuzz โ€ขโ€ฏ Accessible user client, non-root, non-sandbox, crash frequencies, crash types(UAF, OOB)โ€ฆ โ€ขโ€ฏ Contact API in lower level to bypass unnecessary checks (if possible) โ€ขโ€ฏ Resolve Mac-O format, find symbol, hard-code offset โ€ขโ€ฏ e.g. IOServiceGetMatchingServices(mach_port_t, CFDictionaryRef, io_iterator_t *) ->io_service_get_matching_services_bin(mach_port_t, char*,int, void*) Best Practice โ€“ For Active 1/4
  • 37. โ€ขโ€ฏ Reproduce: โ€ขโ€ฏ No need to record your random call/random parameter - just record your pseudorandom number seed (E.g. Mt19937-64/Mt19937-32) โ€ขโ€ฏ The kernel crash is easily reproduced, no matter how randomly you call API and fuzz parameters Best Practice โ€“ For Active 2/4
  • 38. seed = CrahsedCases[i] for(randomSelect every kernel module) for(randomSelect every interface) APICall( randomByte() ) Best Practice โ€“ For Active 2/4 Pseudo code for reproduce
  • 39. for (every fuzz session) seed = generate() sendSeedOutside() for(randomSelect every kernel module) for(randomSelect every interface) APICall( randomByte() ) Best Practice โ€“ For Active 3/4 Pseudo code for active fuzzing
  • 40. โ€ขโ€ฏ Reproduce: โ€ขโ€ฏ Web seed server for multiple connections โ€ขโ€ฏ One pseudorandom seed for a relatively short fuzz cycle Best Practice โ€“ For Active 4/4
  • 41.
  • 42. What We Will Cover โ€ขโ€ฏ Security Mitigation ยงโ€ฏExploit Methods โ€ขโ€ฏ Exploit Practice
  • 43. โ€ขโ€ฏ SIP (System Integrity Protection) โ€ขโ€ฏ KALSR(e.g. PEGASUS CVE-2016-4655) โ€ขโ€ฏ SMAP โ€ขโ€ฏ SMEP https://speakerdeck.com/marcograss/dont-trust-your-eye-apple- graphics-is-compromised Security Mitigation
  • 44. โ€ขโ€ฏ Bypass KASLR โ€“โ€ฏUsing vulnerability to leak kernel code segment address in run time โ€“โ€ฏBuild up payload with leaked API (e.g. thread_exception_return) โ€ขโ€ฏ Bypass SMAP โ€“โ€ฏUsing vulnerability to leak kernel heap address โ€“โ€ฏBuild up ROP chain in kernel heap โ€“โ€ฏKernel heap address would be needed โ€ขโ€ฏ Bypass SMEP โ€“โ€ฏUsing vulnerability to execute RIP in kernel โ€“โ€ฏExecute ROP chain to disable SMEP/SMAP โ€“โ€ฏPayload execution Exploit Methods
  • 45. โ€ขโ€ฏ The OSX/iOS hacking guru Stefan Esser (@i0n1c) propose OSUnserializeXML is a good way in SyScan 2012 h"ps://reverse.put.as/wp-content/uploads/2011/06/ SyScan2012_StefanEsser_iOS_Kernel_Heap_Armageddon.pdf Tips of Heap FengShui OSUnerializeXML()
  • 46. โ€ขโ€ฏ In most cases, the OSDictionary allocated by OSUnserializeXML will be freed by OSObject::release in one system call ใ€‚ใ€‚ใ€‚ Howeverโ€ฆ
  • 47. โ€ขโ€ฏ If the allocated object is referenced by another component, it will not be released even if call object::release to it. โ€ขโ€ฏ IORegistry is a good choice for Heap Fengshui โ€ขโ€ฏ So we find OSUnserializeXML invoking nearby IORegistry method calling โ€ฆ Howeverโ€ฆ
  • 48. โ€ขโ€ฏ In IOKIT service IOMProotDomain , slector 7 (kPMSleepSystemOptions) RootDomainUserClient::secureSleepSystemOptions ใ€‚ใ€‚ใ€‚ Always an exceptionJ
  • 49. We Exploit apple to root by bugs found and Heap Fengshui tips
  • 50. โ€ขโ€ฏ CVE-2016-xxx : This is typical UAF vulnerability in AppleHDAEngineInput kernel module. โ€ขโ€ฏ CVE-2016-xxxx: Another bug in the Disk image module can leak an object address. The address exists in kernel heap. Bugs
  • 51. payload Ring3 Ring0 kernel SMAP SMEP KASLR kslide Driver Memory address โ€“ Disk Address Call current_proc Call proc_ucred Call posix_cred_get Call thread_exception_return IOCommand Exploit App ROP Gadgets mov cr4 rax; ret Call payload StackPivot 0x68 Object 0x108 AppleHDAEngineInput IOHDIXHDDriveOutKernel vtable_addr +0 +8 call [vtable+0] [1]Leak kernel buffer IOCommand address [3]Spray freed IOCommand with OSData๏ผˆStackPivot๏ผ‰ [2]Free IOCommand [4]Free Object [5]Spray freed Object with OSData(leaked IOCommand and ROP) [0]Leak kslide to build up payload [6]Trigger execution by use Object Exploit Process 1/2
  • 53. Demo
  • 55. Special thanks : Herry Li, @zenhumany Juwei Lin, @fuzzerDOTcn