iOS Kernel PAC, One Year Later

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 12:30 p.m. (40 minutes)

In February 2019, I reported to Apple five ways to bypass kernel Pointer Authentication on the iPhone XS . My impression was that the design, while a dramatic improvement on the ARMv8.3 standard, had some fundamental issues when defending kernel control flow against attackers with kernel memory access.<br /> <br /> This talk will look at how PAC has (and hasn't) improved in the subsequent year, once again concluding with five new ways to bypass kernel PAC to obtain arbitrary kernel code execution on iOS 13.3.

Presenters:

• Brandon Azad - Security Researcher, Google Project Zero
  Brandon Azad is a Security Researcher at Google Project Zero focusing on iOS/macOS security.

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#ios-kernel-pac-one-year-later-19726

Similar Presentations:

• Black Hat USA 2019 / Attacking iPhone XS Max
• Black Hat USA 2011 / Exploiting the iOS Kernel
• Black Hat USA 2022 / To Flexibly Tame Kernel Execution With Onsite Analysis