Tweets by @_bazad
- I'm presenting on KTRW at #36C3 this year. I'll take you along on my journey discovering hardware debugging registers and discuss the challenges of writing a full-featured iOS kernel debugger usable with LLDB: https://halfnarp.events.ccc.de
- KTRW was motivated by the desire to see better and more open tooling for security research on iPhones. Read about the journey to find the KTRR bypass: https://googleprojectzero.blogspot.com/2019/10/ktrw-journey-to-build-debuggable-iphone.html
- I built an iOS kernel debugger called KTRW based on a KTRR bypass for the iPhone X. It is capable of patching kernel __TEXT_EXEC, loading kernel extensions, and performing single-step kernel debugging with LLDB and IDA Pro over USB: https://github.com/googleprojectzero/ktrw
- I will be presenting "A study in PAC" at MOSEC 2019. The talk will cover my analysis of how Apple implemented (and improved on) Pointer Authentication on the A12 and look at 5 ways to bypass it.
- I'll be presenting the technical details of voucher_swap, a kernel exploit for CVE-2019-6225 on iOS 12.1.2, at @typhooncon this June.
- My analysis of Apple's implementation of PAC on the A12 (a substantial improvement over the ARM standard for protecting against kernel attackers): https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html
- The A12, now with more kernel code execution; introducing voucher_swap: https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html
- If you're interested in bootstrapping iOS kernel security research (including the ability to forge PACs and call arbitrary kernel functions), keep an A12 research device on iOS 12.1.2.
- iOS full userspace compromise via malicious crashing: https://github.com/bazad/blanket. Versions up to 11.4 are vulnerable, but the exploit only targets 11.2.6. The writeup also discloses some new mitigation bypasses.
- I'll be presenting "Crashing to root: How to escape the iOS sandbox using abort()" at @bevxcon this September. I'll show how to exploit CVE-2018-4280, fixed in iOS 11.4.1, by crashing maliciously in order to elevate privileges, defeat codesigning, and spawn a shell on iOS 11.2.6.
- The ida_kernelcache analysis toolkit now supports the new iOS 12 kernelcache format, including untagging pointers to restore IDA's xrefs: https://github.com/bazad/ida_kernelcache
- The iOS 12 kernelcache is changing. Here's my analysis of the new static pointer tagging found in the kernelcache: https://bazad.github.io/2018/06/ios-12-kernelcache-tagged-pointers/
- This is a userspace-only exploit (no kernel vulnerabilities), but still gets you a shell. I'm submitting a talk about this work to a security conference. When the exploit becomes public will depend on when the issue gets fixed and whether the talk is accepted.
- For those on iOS 11.2.6 or below, I'm working on a userspace security research platform. You'll be able to spawn pseudo-signed binaries to run as unsandboxed root with arbitrary entitlements (including task_for_pid-allow).