Tweets from @_bazad

  1. 19 Nov 2019

    I'm presenting on KTRW at this year. I'll take you along my journey discovering hardware debugging registers and discuss the challenges of writing a full-featured iOS kernel debugger usable with LLDB:

  2. 28 Oct 2019

    KTRW was motivated by the desire to see better and more open tooling for security research on iPhones. Read about the journey to find the KTRR bypass:

  3. 28 Oct 2019

    I built an iOS kernel debugger called KTRW based on a KTRR bypass for the iPhone X. It is capable of patching kernel __TEXT_EXEC, loading kernel extensions, and performing single-step kernel debugging with LLDB and IDA Pro over USB:

  4. 7 May 2019

    I will be presenting "A study in PAC" at MOSEC 2019. The talk will cover my analysis of how Apple implemented (and improved on) Pointer Authentication on the A12 and look at 5 ways to bypass it.

  5. 8 Mar 2019

    I'll be presenting the technical details of voucher_swap, a kernel exploit for CVE-2019-6225 on iOS 12.1.2, at this June.

  6. 1 Feb 2019

    My analysis of Apple's implementation of PAC on the A12 (a substantial improvement over the ARM standard for protecting against kernel attackers):

  7. 29 Jan 2019

    The A12, now with more kernel code execution; introducing voucher_swap:

  8. 22 Jan 2019

    If you're interested in bootstrapping iOS kernel security research (including the ability to forge PACs and call arbitrary kernel functions), keep an A12 research device on iOS 12.1.2.

  9. 21 Sep 2018

    iOS full userspace compromise via malicious crashing: . Versions up to 11.4 are vulnerable, but the exploit only targets 11.2.6. The writeup also discloses some new mitigation bypasses.

  10. 30 Jul 2018

    I'll be presenting "Crashing to root: How to escape the iOS sandbox using abort()" at @bevxcon this September. I'll show how to exploit CVE-2018-4280, fixed in iOS 11.4.1, by crashing maliciously in order to elevate privileges, defeat codesigning, and spawn a shell on iOS 11.2.6.

  11. 21 Jun 2018

    The ida_kernelcache analysis toolkit now supports the new iOS 12 kernelcache format, including untagging pointers to restore IDA's xrefs:

  12. 20 Jun 2018

    The iOS 12 kernelcache is changing. Here's my analysis on the new static pointer tagging found in the kernelcache:

  13. 29 Apr 2018

    This is a userspace-only exploit (no kernel vulnerabilities), but still gets you a shell. I'm submitting a talk about this work to a security conference. When the exploit becomes public will depend on when the issue gets fixed and whether the talk is accepted.

  14. 22 Apr 2018

    For those on iOS 11.2.6 or below, I'm working on a userspace security research platform. You'll be able to spawn pseudo-signed binaries to run as unsandboxed root with arbitrary entitlements (including task_for_pid-allow).
