Introduction Memory management in XNU Page tables Physical use-after-free Exploitation strategy Heap spray Kernel memory read/write Conclusion Bonus: arm64e, PPL and SPTM | Alfie CG
Introduction The superblob The structure of the superblob The code directory The structure of the code directory Special slots Code slots Bonus: trustcache The entitlements blobs The requirements blob CodeResources Conclusion | Alfie CG
Analysis Introduction Resources Disclaimer USB initialisation Handling of USB transfers Initial request handling Data phase Use-after-free Lifecycle of image transfer USB stack shutdown Memory leak Why is a leak needed? USB request structure The bug Exploitation Heap feng shui Triggering the use-after-free The payload The overwrite Executing the payload Explaining the payload Conclusion | Alfie CG
Background Setting up the project Diagnosing the issue Alternative exploitation method launchd2 Conclusion Glossary | Alfie CG
Background Vulnerability Experimentation Arbitrary physical mapping Dynamically finding our mapping base Finding the kernel base A10(X) A11 Non-KTRR devices Virtual kernel read/write Page table panic Brandon Azad's method PV head table (again) IOSurface kernel read/write Bonus: tfp0 arm64e Remaining versions Conclusion | Alfie CG
Where did we leave off? Background: KTRR IORVBAR Coprocessors Always-On Processor Investigation AXI? What's that?! Mapping DRAM Code execution Improving the strategy What about A7 and A8(X)? Conclusion | Alfie CG