Part I: Defensive Techniques and Technologies
The missing documentation for Apple's proprietary security mechanisms

Chapter 1: Authentication .... 1
SetUID and SetGID (MacOS) .... 3
The Pluggable Authentication Module (MacOS) .... 4
- Experiment: Tinkering with PAM configuration files .... 7
- Maintaining permissions .... 9
- Experiment: Manipulating local users using dscl(1) .... 10
- Experiment: Manipulating local users using dscl(1) (cont.) .... 11
Communicating with clients .... 12
- Experiment: Demonstrating XPC behind the scenes of getXX APIs .... 13
- com.apple.opendirectoryd.membership .... 14
- com.apple.opendirectoryd.api .... 15
- com.apple.opendirectoryd.rpc .... 15
The LocalAuthentication Framework .... 16
Chapter 2: Auditing (MacOS) .... 21
- Auditing Concepts (a refresher) .... 22
- Experiment: Tweaking and viewing auditing in real time .... 24
- Figure 2-12: The implementation of auditing in the MacOS kernel .... 27
- [get/set]auid (#353, #354) .... 31
- [get/set]audit_addr (#357, #358) .... 31
- Reading Audit Records .... 32
- Writing Audit Records .... 33
Auditing Considerations .... 34

Chapter 3: Authorization (KAuth) .... 35
- Authorizing vnode operations .... 41
KAuth Identity Resolvers (MacOS) .... 42
- Experiment: Exploring the identitysvc() system call .... 43

Chapter 4: Mandatory Access Control Framework .... 45
- Experiment: Finding MAC Policy modules in MacOS and *OS .... 48
- Experiment: Figuring out policy operations from a disassembly .... 52
- expose_task (MacOS 10.11) .... 57
Chapter 5: Code Signing .... 61
The Code Signature Format .... 62
- LC_CODE_SIGNATURE and the SuperBlob .... 62
- Experiment: Code Signature Blobs .... 63
- The Code Directory Blob .... 64
Experiment: Viewing Code Signatures .... 65
- Experiment: Demonstrating the special signature slots .... 68
- Experiment: Generating (self-signed) code signature .... 69
Code Signature Requirements .... 71
- The Requirements Grammar .... 71
- Encoding requirements .... 72
- Experiment: Examining requirement blobs .... 73
- Requirement validation .... 74
Code Signature Enforcement .... 77
- Code Signing Weaknesses .... 81
- Bait-and-Switch inode reuse (< iOS 9) .... 81
- Lack of validation on __DATA sections and writable memory .... 82
- Exploiting kernel bugs .... 82
- Framework-Level Wrappers .... 84
- Experiment: Locating entitlement producing daemons .... 85
- DTrace probes (MacOS) .... 86

Chapter 6: Software Restrictions (MacOS) .... 89
- The authorization database .... 90
- Experiment: Examining the authorization database .... 91
- Experiment: Executing with privileges .... 93
- Precursor: Quarantine .... 94
- Experiment: Displaying the quarantine attributes of a file .... 95
- Experiment: Making sense of the policy database .... 101
- MacOS 13: Secure Kernel Extension Loading .... 102
- Testing translocation .... 104
- Experiment: Behind the scenes of Path Translocation .... 105
- Experiment: Behind the scenes of Path Translocation (cont.) .... 106
Managed Clients (MacOS) .... 107
- Managed Preferences .... 113
Chapter 7: AppleMobileFileIntegrity .... 117
AppleMobileFileIntegrity.kext .... 118
- proc_check_cpumon (*OS) .... 121
- proc_check_inherit_ipc_ports .... 121
- proc_check_get_task .... 122
- proc_check_map_anon (*OS) .... 123
- proc_check_library_validation .... 125
- proc_check_mprotect (*OS) .... 126
- proc_check_run_cs_invalid (*OS) .... 126
- vnode_check_exec (*OS) .... 127
- vnode_check_signature .... 128
- cred_label_update_execve .... 129
- Exception Handling hooks (MacOS 12+) .... 130
- Daemon-Kext communication .... 132
- Experiment: Inspecting amfid Mach messages .... 134
Provisioning Profiles .... 139
- Experiment: Examining provisioning profiles .... 141
- Profile/UDP "databases" .... 143
The AMFI Trust Caches .... 147

Chapter 8: The SandBox .... 149
The Evolution of the Sandbox .... 150
- (semi)-Voluntary confinement .... 152
- Experiment: Toying with the App Sandbox .... 153
- Diagnosing and controlling the App Sandbox .... 154
Mobile Containers (*OS) .... 155
- Sandbox profile language .... 157
- Experiment: Exploring sandbox profiles with sandbox-exec .... 158
- Table 8-9: Sandbox operations (as of v592) .... 161
- Exploring: Steps to decompile a sandbox profile .... 163
- Experiment: Reversing the Sandbox extension token format .... 166
- sandbox_[un]suspend .... 167
- sandbox tracing (460+) .... 168
- User state items (570+) .... 168
- hook_policy_initbsd .... 172
- hook_policy_syscall .... 173
- The Sandbox MACF Hooks .... 173
- Experiment: Reversing a sandbox hook implementation .... 174
- Experiment: Reversing a sandbox hook implementation (cont.) .... 175
- Handling process execution .... 176
- Daemon-Kext Implementation .... 180
Chapter 9: System Integrity Protection (MacOS) .... 181
- Filesystem protections .... 184
- Debugging protections .... 184
- Entitlement/Disablement .... 186
Transparency, Consent and Control .... 192
- Protected Information .... 192
- The TCC Database(s) .... 193
- Experiment: Examining the TCC database .... 194
- Prompting for access .... 195
- Experiment: Exploring tccd's XPC interface .... 197
Unique Device Identifiers .... 199
Differential Privacy (MacOS 12/iOS 10) .... 201

Chapter 11: Data Protection .... 203
Volume-level Encryption (MacOS) .... 204
- Mounting Encrypted Volumes .... 206
- corestorage daemons .... 207
File-level Encryption (*OS) .... 210
- com.apple.system.cprotect and protection classes .... 210
- Experiment: Viewing data protection classes .... 212
- Experiment: Reversing the keybagd XPC interface .... 220
The AppleKeyStore.kext .... 221
- Experiment: Inspecting KeyChain internals .... 227
Part II: Vulnerabilities and Exploitation
A detailed exploration of bugs and their exploits

Chapter 12: MacOS Vulnerabilities .... 231
10.1: The ntpd remote root (CVE-2014-9295) .... 232
10.2: The rootpipe privilege escalation (CVE-2015-1130) .... 234
10.3: Racing Kextd (CVE-2015-3708) .... 236
10.4: DYLD_PRINT_TO_FILE privilege escalation (CVE-2015-3760) .... 238
10.5: DYLD_ROOT_PATH privilege escalation .... 240
11.0: tpwn privilege escalation and/or SIP neutering .... 242
11.3: "Mach Race" local privilege escalation (CVE-2016-1757) .... 244
11.4: LokiHardt's Trifecta (CVE-2016-1796,1797,1806) .... 246
- Arbitrary Code Execution (CVE-2016-1796) .... 246
- Sandbox Escape (CVE-2016-1797) .... 248
- SubmitDiagInfo (CVE-2016-1806) .... 248

Chapter 13: Jailbreaking .... 253
The jailbreaking process .... 257
- Running arbitrary (unsigned) code .... 257
- Getting on the device .... 257
- Bypassing code signing .... 258
- Escaping the confines of the Application Sandbox .... 258
- Elevating Privileges .... 259
- Reading and Writing Kernel Memory .... 259
- MACF sysctl patches .... 261
- Root filesystem remount .... 268
Kernel Patch Protection .... 269
- Experiment: Inspecting KPP with joker and jtool .... 271
- Experiment: Inspecting KPP with joker and jtool (cont.) .... 272
- Cryptographic algorithm .... 274
- iOS 10 kernel changes .... 275
- KTRR (iPhone 7 and later) .... 275
Evolution of iOS Jailbreaks .... 279
- Shebang Shenanigans .... 283
- Pièce de Résistance - Code Signing .... 285
- Persistence through /etc/launchd.conf .... 287
- Kernel Memory Layout: I - Zone ("heap") Layout .... 290
- Kernel Code Execution: IOUSBDeviceFamily's stallPipe() .... 292
- Arbitrary Memory Read/Write with Mach OOL Descriptors .... 296
- Kernel Memory Layout: II - Kernel base .... 298
- Refinement: Read (small) Primitive .... 299
- Refinement: Read (large) Primitive .... 299
- Refinement: Write Gadget .... 300

Chapter 15: Evasi0n 7 .... 303
- Injecting the Application .... 305
- Dyld Injection (I): Loading gameover.dylib .... 306
- Privilege Escalation .... 307
- Dylib Injection (II): Replacing xpcd_cache.dylib .... 308
- Dylib Injection (III): Trojaning libmis.dylib .... 309
- Reproducing the jailbreak .... 310

Chapter 16: Pangu 7 (PanguAxe) (盘古斧) .... 321
- Certificate Injection .... 323
- The Jailbreak Payload .... 324
- Leaking the kernel stack .... 327
- Breaking early_random() .... 330
- Kernel Memory Overwrite (1): IODataQueue .... 332
- Kernel Memory Overwrite (2): IOHIDEventServiceUserClient .... 333
- Refinement: Arbitrary kernel memory overwrite .... 334

Chapter 17: Pangu 8 (軒轅劍) .... 337
- Certificate Injection .... 339
- Loading the Exploit Library .... 339
- Bypassing code signatures .... 341

Chapter 18: TaiG (太极) .... 347
- Sandbox Escape: AFC and BackupAgent .... 349
- libmis.dylib and overlapping segments (again) .... 353
- KASLR Info Leak via OSBundleMachOHeaders (again) .... 356
- Experiment: Observing the Get Loaded Kext Info exploited .... 357
- mach_port_kobject strikes again .... 358
- IOHIDFamily... Again... .... 360
- Experiment: Obtaining a kernel dump using TaiG 1 .... 365

Chapter 20: Pangu 9 (伏羲琴) .... 385
- Loading the Jailbreak App (10-20%) .... 388
- Configuring the Environment (45%) .... 388
- Launching the Pangu App (75%) .... 390
The Jailbreak Payload .... 392
- Arbitrary Code Execution - I: Bypassing KASLR .... 396
- Arbitrary Code Execution - II: Inspecting gadgets .... 396
- Experiment: Examining Pangu 9 shared cache .... 399
- Experiment: Examining Pangu 9 shared cache (cont.) .... 400
- Anti-Anti-Debugging .... 401

Chapter 21: Pangu 9.3 (女娲石) .... 405
- The Exploit primitive .... 408
- Arbitrary Code Execution .... 409

Chapter 22: Pegasus (Trident) .... 411
Kernel Memory Read and KASLR Bypass .... 416
Arbitrary Kernel Memory Write .... 418
- Experiment: Figuring out what the leaked kernel address is .... 426
Putting it all together - a Phœnix rises! .... 429

Chapter 23: mach_portal .... 433
Mach port name urefs handling .... 435
- Applying the attack to launchd .... 437
XNU UaF in set_dp_control_port .... 441
Disabling protections .... 443
- Unsandboxing - The "ShaiHulud Maneuver" .... 443
- Root filesystem r/w .... 443
Bypassing code signatures .... 444

Chapter 24: Yalu (10.0-10.2) .... 447
- [Read/Write]Anywhere64 .... 448
10.2: A deadly trap and a recipe for disaster .... 455
- Experiment: Adapting a PoC to a different kernel version .... 459
- The exploit (Todesco & Grassi) .... 460
- Constructing a fake Mach object .... 460
- Triggering the overflow .... 462
- Getting the kernel task port .... 465
Kernel Memory Corruption .... 473
- Kernel function call primitive .... 474
Post-Exploitation: The Jailbreak Toolkit .... 476
- Prerequisite: Manipulating the process and task lists .... 476
- Remounting the root filesystem as read-write .... 480
- Injecting entitlements - I - The CS Blob .... 482
- Injecting Entitlements - II - AMFI .... 483
- Replacing entitlements .... 485
- Borrowing entitlements .... 486
- Bypassing code signing .... 488
- The AMFI Trust Cache .... 488

Appendix A: MacOS Hardening Guide .... 497
Mandatory Access Control (MACF) .... 511
APFS Snapshot mount (iOS 11.3) .... 514