Fried Apples: Jailbreak DIY
March 28-31, 2017

iOS Security Overview
o Sandbox
o Exploit Mitigations
o Data Protection

What is a jailbreak?
o Disable OS restrictions

Jailbreak types
o Tethered
o Untethered

Initial attack vector strategies
o WebKit \ SMS \ baseband based

Making a jailbreak if you have bugs

Making a jailbreak if you don't have bugs

Implementation

Arbitrary code execution strategies
o ROP

Bypassing sandbox strategies
o TOCTOU \ Symlinks
o XPC
o Kernel patch

Escalating privileges strategies
o Kernel patch

Bypassing KASLR strategies
o Information leak
o Brute force

Bypassing DEP strategies
o JavaScriptCore JIT
o Kernel patch
o ROP chain

Seeking patches in the kernel
o Dynamic patchfinder

Kernel patches in detail
o root
o sandbox
o task_for_pid(0)
o __mac_mount
o _mapForIO
o amfi

Escalate privileges

Escalate privileges patch
o Find setreuid

Escalate privileges patch detailed

Kernel task

Kernel task patch
o Patch task_for_pid

Kernel task patch detailed

Apple Mobile File Integrity (AMFI)
o Fake entitlements

AMFI patch
o Patch amfi_get_out_of_my_way
o Patch PE_i_can_has_debugger

AMFI patch detailed

AMFI policy patch detailed

AMFI policies to patch

Sandbox

Sandbox patch
o Hook sb_evaluate

Sandbox patch detailed

Sandbox policies

__mac_mount

__mac_mount patch
o Patch __mac_mount

__mac_mount patch detailed

_mapForIO lock

_mapForIO lock patch
o Patch _mapForIO
o Patch PE_i_can_has_kernel_configuration

_mapForIO lock patch detailed

Bypassing KPP strategies
o Execution on EL3

How does KPP work?

Original translation table

Create fake Level 1 table

Create fake Level 2 table

Create fake Level 3 table

Create fake pages

BBQit Framework

KPP bypass technique

KPP bypass technique (continued)

Achieving persistence strategies

Achieving persistence example
o Signed by Apple

Achieving persistence details

SSH
o tcprelay.py -t 22:4222
o Password 'alpine'

Cydia
o Optional /.cydia_no_stash

iOS 10 security enhancements
o KPP enhancements

iOS 10 amfi mitigations
o MISValidateSignatureAndCopyInfo
o validateCodeDirectoryHashInDaemon

iOS 10 sandbox mitigations
o New operations
o New hooks: _hook_iokit_check_nvram_get, _hook_proc_check_set_host_special_port, _hook_proc_check_get_cs_info ...

iOS 10 KPP enhancements

KPP hardware mitigations
o AMCC

Future of jailbreaks

Black Hat Sound Bytes

@FriedAppleTeam