iOS Kernel PAC, One Year Later
In February 2019, I reported to Apple five ways to bypass kernel Pointer Authentication on the iPhone XS. My impression was that the design, while a dramatic improvement on the ARMv8.3 standard, had some fundamental issues when defending kernel control flow against attackers with kernel memory access. This talk will look at how PAC has (and hasn't) improved in the subsequent year, once again concluding with five new ways to bypass kernel PAC to obtain arbitrary kernel code execution on iOS 13.3.

By Brandon Azad

Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefi...