Presented at Black Hat Europe 2015.
The XNU kernel powers Apple's operating systems. As their market share grows, exploitation of OS X and iOS is gaining popularity. The introduction of kernel exploit mitigations such as KASLR and SMEP has been overcome with new techniques. "vm_map_copy" corruption, a well-known technique useful for bypassing KASLR and SMAP / AS Isolation, has been mitigated in 10.11 & iOS 9. My talk will demonstrate new techniques to get around XNU's latest changes, and I will demonstrate a real kernel exploit for the most recent version of El Capitan to bypass System Integrity Protection (rootless).
          
          
Presenters:

- Luca Todesco
Luca Todesco is an Italian student researching independently. His research and exploitation techniques focus on Apple's XNU kernel and its heap.