An overview of the architecture of *OS variants, from a threat assessment perspective. Focus on different abuse cases, and the mitigation techniques devised by Apple to address and prevent them.
- Quick recap of the *OS Architecture
- High level presentation of mitigation techniques
- Attack surface of MacOS and the iOS variants
- Divergences between MacOS and iOS variants
Explaining the reactive mechanisms by means of which system activity can be monitored (though not intercepted) and logged. This includes a detailed discussion of:
- Auditing (MacOS)
- KDebug
- DTrace (MacOS)
- FSEvents
- Stackshot
- Proc info

2. The Boot Sequence (2 hours)

The boot sequence - aside from starting up the system - is responsible for establishing and securing the chain of trust, which ensures component integrity. MacOS boot is (still) fairly lax, but that of the *OS variants is rigorously designed to be as bulletproof as possible.
This module takes a close look at the stages of boot, with particular attention to iBoot. Taking a purely reverse engineering approach, it takes apart iBoot - from BootROM to kernelcache loading:
- Boot sequence components: BootROM, iLLB, iBoot and friends
- SHSH blobs and APTickets
- Attack surface and potential vulnerability discussion
- Reversing iBoot (once decrypted)
- Reversing the Secure Enclave Processor (SEP) image (once decrypted)

3. The Mandatory Access Control Framework (0.5-1 hours)

The Mandatory Access Control Framework (MACF) is the de-facto standard underlying all of Apple's security mitigation techniques - from code signing through sandboxing. A legacy of TrustedBSD, and although a "private" KPI, it is remarkably simple and, at the same time, powerful.
- Precursor: KAuth
- Introducing: MACF
- The MACF KPIs
- MAC Policies
- Creating a simple MACF policy
- Case study: MacOS Quarantine
- Case Study: MacOS 10.15 EndpointSecurity

4. AppleMobileFileIntegrity (2 hours)

Sworn nemesis of jailbreakers, AppleMobileFileIntegrity (amfi) has become the linchpin of Darwin security, controlling the kernel enforcement of code signing and kernel-level entitlements.
- AMFI components (kext, daemon)
- Detailed breakdown of AMFI.kext
- Full reversing of amfid
- AMFI.kext as an entitlement enforcer
- The AMFI User Client
- iOS 12: CoreTrust
The Apple Sandbox mechanism has evolved dramatically since its inception in MacOS 10.5 as "SeatBelt". It has also diverged in its implementations outside MacOS.
- Sandboxing Terminology
- Implementation in MacOS: The App Sandbox
- The Sandbox Profile Language (SBPL)
- Compiling profiles
- Decompiling profiles
- Creating custom profiles
- Debugging the sandbox
- User mode APIs
- Implementation in *OS: forcing Containers
- Sandbox extensions
- Detailed reversing of the Sandbox kernel extension
- System Integrity Protection as a manifestation of the Sandbox
- iOS 10 and the platform profile
- Darwin 18 and TCC integration
Ports are mere 32-bit identifiers in user space, but kernel space reveals a vast menagerie of complicated objects, of which IPC ports are but one type. This module examines those objects in detail, including:
- The BSD objects (processes, threads and files)
- The ipc_object_t
- The ipc_port_t
- The task_t and thread_t
- Vouchers

7. Get in the (kernel) zone (3 hours)

Everything that user mode "sees" and touches is a figment of the kernel's memory. Understanding memory structures and management is paramount - for researchers and exploiters alike. This module discusses in depth the various allocation mechanisms of kernel memory:
- The vm_map abstraction
- The pmap abstraction
- The Zone allocator
- Darwin 18: The Zone Cache
- Garbage collection, Feng Shui, and other techniques
- Zone ("kernel heap") hardening

8. Let's Get Physical (3 hours)

Apple is one of the only vendors to adopt proprietary protections for physical memory. Starting with the simple "WatchTower" KPP, Apple moved to introduce KTRR in the A10, followed by APRR (A11), along with novel applications such as PPL. But what do all these acronyms mean? And what is their impact on exploitation?
- A6-A9, iOS9+: KPP
- A10+: KTRR
- A11+: APRR
- A12+: PPL

9. Aie, Aie, IOKit (2 hours)

IOKit is the most advanced and powerful feature of XNU, allowing C++ code in the kernel with all its might - object orientation and inheritance - and all its weaknesses. IOKit objects have become crucial for many an exploit, both as a vector for vulnerabilities and as a mechanism for kernel code execution.
- IOKit objects: Services and user clients
- Enumerating and identifying IOKit objects in *OS kernels
- Object corruption and fake objects
- Kernel code execution primitives (and how to survive without them)

10. Vulnerabilities and Exploits (6.5 hours, and interleaved throughout other modules)

We turn our attention to a few examples from the MacOS world, as well as past jailbreaks - as many as time permits - with actual code samples providing proofs of concept on vulnerable (past) versions of MacOS and *OS.
Exact samples may change by the time of training, but at this point are:
- The 9.3.5 ("Phoenix") jailbreak
- Ian Beer's 11.1.2 async_wake
- User mode jailbreaks: Brandon Azad's Blanket
- The most recent iOS 12.1.1 Mach voucher bug (Brandon Azad's and S0rryMyBad's methods)
- Discussion of the OSUnserialize* bugs behind Pegasus
- The QiLin post-exploitation toolkit
- Operation Triangulation (< 16.6)
- @felixpb's amazing physical memory exploits
- Dopamine Jailbreak