Debug for Bug: Crack and Hack Apple Core by Itself - Fun and Profit to Debug and Fuzz Apple Kernel by lldb Script

Presented at Black Hat USA 2019, Aug. 8, 2019, 5 p.m. (60 minutes)

As security researchers know, almost every operating system vendor has significantly raised the bar for security vulnerability credit or bonus criteria, and many security mitigations, such as CFI on Android 9 or hardware-based PAC on iOS 12, have been integrated into vendor systems.

What is more, industry-standard fuzzers (typically AFL and syzkaller, based on code coverage feedback) have been deployed on a large scale. The space left for security researchers to hunt bugs seems to be much smaller. Code review based on expert threat knowledge seems to be the only way left, but it is obviously time-consuming and laborious.

Any idea how to break the deadlock now? As a security researcher, maybe you could try our debug fuzzer for bug hunting. The method we propose has been verified to be effective at finding and expanding new attack interfaces, and it is also flexible, scalable and scriptable for vulnerability research utilities.

Based on our fuzzing methodology, we found dozens of vulnerabilities, including double free, OOB read/write, etc., which we will analyze in detail. However, these 10 vulnerabilities are only part of what we found; the others will be analyzed later and submitted to Apple.


Presenters:

  • Moony Li - Security Researcher Leader, Trend Micro
    Moony Li is a security researcher leader at Trend Micro. He mainly focuses on Windows, OSX, Android and iOS security sandbox solutions, and on vulnerability and exploit hunting. He has participated in many conferences, such as HITCON 2016, CodeBlue 2016, PacSec 2016, Black Hat Europe 2016, CodeBlue 2017, Black Hat Asia 2018, Black Hat USA 2018 Arsenal, Black Hat Europe 2018, CodeBlue 2018 and HITB 2019.
  • Lilang Wu - Senior Engineer, Trend Micro
    Lilang Wu is a Senior Engineer at Trend Micro and has four years of security experience. He focuses on iOS, macOS and Android kernel vulnerability discovery and malware hunting. He has participated in many conferences:
      1. Black Hat USA 2018 Arsenal - Art of Dancing with Shackles: Best Practice of App Store Malware Automatic Hunting System
      2. Black Hat Europe 2018 - Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit
      3. CodeBlue 2018 - Wow, PESSR has Eroded Apple in Blink - Fun and Profit to Gain Dozens of iOS Vulnerabilities in Minutes by (P)ortable (E)xtensible (S)criptable (S)eed (R)eproducible Mobile Fuzzer
      4. CodeBlue 2018 - Android War of Finding Needle in Haystack - Best Practice of Hunting System for Android Exploit in the wild
      5. CodeBlue 2018 - Smart Fuzzing XPC & XNU
      6. HITB 2019 - Taste the fresh Apple - Best practice for researching the new attack interface, hunt vulnerability and security protection for iOS/OSX system update
    Twitter: @Lilang_wu
    GitHub: https://github.com/dongyangwu
