iOS Kernel PAC, One Year Later

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 12:30 p.m. (40 minutes).

In February 2019, I reported to Apple five ways to bypass kernel Pointer Authentication on the iPhone XS. My impression was that the design, while a dramatic improvement on the ARMv8.3 standard, had some fundamental issues when defending kernel control flow against attackers with kernel memory access.

This talk will look at how PAC has (and hasn't) improved in the subsequent year, once again concluding with five new ways to bypass kernel PAC to obtain arbitrary kernel code execution on iOS 13.3.

Presenters:

  • Brandon Azad - Security Researcher, Google Project Zero
    Brandon Azad is a Security Researcher at Google Project Zero focusing on iOS/macOS security.
