iOS kernel exploitation archaeology

Video duration: 00:54:57
Language: English
Abstract
This talk presents the technical details and the process of reverse engineering and re-implementing the evasi0n7 jailbreak's main kernel exploit. The work was done in late 2013 and early 2014 (hence the "archaeology" in the title); nevertheless, it provides insight into the kernel debugging setup for iOS devices (iDevices), the difficulties encountered and how they were overcome, all of which remain useful for current iOS kernel vulnerability research.

The evasi0n7 jailbreak was released by the evad3rs on 22nd December 2013, targeting iOS devices (iDevices) running 7.0 to 7.1b3. This talk documents the reverse engineering of evasi0n7's main kernel exploit, which was performed not only to understand the underlying vulnerability, but more importantly to document the exploitation techniques the evad3rs used. The talk first covers the kernel debugging setup (a very important but often ignored step in device/embedded exploitation talks), the problems encountered and how they were overcome. I then explain the underlying vulnerability and the reverse engineering of the implemented exploitation techniques. Finally, I present a detailed step-by-step re-implementation of the kernel exploit.

Talk ID: 8720
Event: 34c3
Day: 1
Room: Saal Clarke
Start: 6:30 p.m.
Duration: 01:00:00
Track: Security
Type: lecture
Speaker: argp
Talk Slug & media link: 34c3-8720-ios_kernel_exploitation_archaeology

Talk & Speaker speed statistics (very rough underestimation)

Whole talk: 138.9 wpm, 747.9 spm
argp: 138.5 wpm, 742.1 spm