Attacking the XNU Kernel in El Capitain

Presented at Black Hat Europe 2015

The XNU kernel powers Apple's operating systems. As their market share grows, exploitation of OS X and iOS is gaining popularity. The introduction of kernel exploit mitigations such as KASLR and SMEP has been overcome with new techniques. "vm_map_copy" corruption, a well-known technique useful for bypassing KASLR and SMAP / AS Isolation, has been mitigated in 10.11 & iOS 9. My talk will demonstrate new techniques to get around XNU's latest changes and I will demonstrate a real kernel exploit for the most recent version of El Capitan to bypass System Integrity Protection (rootless).

Presenters:

  • Luca Todesco
    Luca Todesco is an Italian student researching independently. His research and exploitation techniques focus on Apple's XNU kernel and its heap.
