Eternal War in XNU Kernel Objects

Presented at Black Hat Europe 2018, Dec. 5, 2018, 2 p.m. (50 minutes)

Jailbreaking, in general, means breaking a device out of its "jail." Apple devices (e.g., iPhone, iPad, Apple Watch) are the best-known "jailed" devices in the world. iOS, macOS, watchOS, and tvOS are operating systems developed by Apple Inc. for those devices, and all of them are built on the same hybrid kernel, XNU. To jailbreak a device, attackers need to patch the kernel to disable the corresponding security measures. An essential precondition for kernel patching is a stable arbitrary kernel memory read/write primitive, obtained through kernel vulnerabilities. It is a consensus in security that no system is free of flaws, so the only thing Apple can do is keep adding mitigations. However, "villains can always outsmart": attackers keep finding ways to bypass them.

In this talk, we perform a systematic assessment of the mitigation strategies Apple has proposed recently. We demonstrate that most of these defenses can be bypassed by corrupting unsafe kernel objects, and we summarize this class of attack as ipc_port Kernel Object-Oriented Programming (PKOOP). More specifically, we show realistic attack scenarios that achieve full control of the latest XNU version. To defend against PKOOP, we propose XNU Kernel Object Protector (XKOP), which significantly reduces the number of unprotected kernel objects available as targets. XKOP is a framework that hooks the relevant system calls to check the integrity of risky kernel objects, without modifying the system itself. We believe that our assessment and framework are constructive contributions to the design and implementation of a secure XNU kernel.


  • Hunter@OrionLab - Senior Staff Security Expert, Alibaba Inc.
    Hunter@OrionLab is a Senior Staff Security Expert at Alibaba Inc. and Director of OrionLab & GeminiLab.
  • Xiaolong Bai - Security Engineer, Alibaba Inc.
    Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. at Tsinghua University. He has published several research papers at top conferences including IEEE S&P, USENIX Security, CCS, and NDSS, and has presented his research at Black Hat USA and Hack In The Box. He has been acknowledged by well-known vendors including Apple, Google, Facebook, Evernote, and Tencent for his contributions in discovering vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.
  • Min Zheng / Spark - Security Expert, Alibaba Inc. (presenting as Min (Spark) Zheng)
    Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design, and implementation. Before receiving the Alibaba A-Star offer award in 2015, he worked at FireEye, Baidu, and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the "best security researcher" award at FIT 2016 for detecting iOS/macOS vulnerabilities, the XcodeGhost virus, and the WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He has presented his research at DEF CON, HITB, Black Hat, ISC, XCon, etc.

