KTRW: The journey to build a debuggable iPhone

Presented at Objective by the Sea version 3.0 (2020), March 13, 2020, 11 a.m. (50 minutes).

Development-fused iPhones with hardware debugging features like JTAG are out of reach for many iOS security researchers. This talk takes you along my journey to create a similar capability using off-the-shelf iPhones. We'll look at a way to break KTRR, a custom hardware mitigation Apple developed to prevent kernel patches, and use this capability to load a kernel extension that enables full-featured, single-step kernel debugging with LLDB on production iPhones. Finally, I'll show how I used the resulting KTRW debugger to discover and exploit the oob_timestamp vulnerability (CVE-2020-3837).

Presenters:

• Brandon Azad - Researcher at Google Project Zero
  Brandon Azad is a macOS/iOS security researcher at Google Project Zero, who enjoys finding 0-days, developing elegant exploits, and writing articles about security. His significant projects include a macOS/iOS kernel inspection tool called memctl as well as an IDA Pro toolkit for analyzing Apple kernelcache files called ida\_kernelcache.

Links:

• https://objectivebythesea.org/v3/content.html#bAzad
• https://www.youtube.com/watch?v=DRM0N4l-NGw
• https://objectivebythesea.org/v3/talks/OBTS_v3_bAzad.pdf

Similar Presentations:

• DEF CON 25 (2017) / macOS/iOS Kernel Debugging and Heap Feng Shui
• Black Hat USA 2011 / Exploiting the iOS Kernel
• Objective by the Sea version 5.0 (2022) / In Walled Gardens be Careful of Poisoned Apples