WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun

•

2 gostaram•2,286 visualizações

This document discusses bugs in the iOS zone allocator between iOS versions 9.0 and 9.1. Specifically, it notes that: 1) Between iOS 9.0 and 9.1, the zone allocator had a bug where it moved metadata to the beginning of pages, leaving the first block unused and only fitting 62 elements per page instead of the expected 63. 2) This was due to a bug in the zcram() function that checked if elements would fit using "<" instead of "<=", possibly excluding the last element. 3) The bug was fixed in iOS 9.2 by refactoring zcram() to randomize freelist order, allowing the expected 63 elements to

Tecnologia

5 Minutes with the  
MacOS / iOS Zone Allocator
WhiskeyCon Singapore, March, 2017

| © 2017 by ANTID0TE All rights reserved
Who am I?
• Stefan Esser
• from Germany
• in Information Security since 1998
• SektionEins GmbH from (2007 - 2016)
• Antid0te UG (2013 - now)
2

| © 2017 by ANTID0TE All rights reserved
What is this talk about?
• between iOS 9.0 and iOS 9.1 the Zone Allocator had a bug
• it was fixed later due to refactoring of zcram()
• bug is not a security bug but influences heap layout
• might cause trouble for previously working heap-feng-shui code
3

| © 2017 by ANTID0TE All rights reserved
iOS Zone Allocator Allocations in iOS <= 6
• memory page is split into elements
• in this example allocation size 64
• every single element is used
• 64 elements per page
4

| © 2017 by ANTID0TE All rights reserved
iOS Zone Allocator Allocations in iOS 7 & 8
• Apple added meta data to end of page
• one less element (63) fits into a page
• exactly what we expect due to 
the meta data at end
5

| © 2017 by ANTID0TE All rights reserved
iOS Zone Allocator Allocations in iOS 9
• Apple moved meta data to beginning of page
• block in beginning cannot be used
• but why only 62 elements?
• why is the last block still unused?
• there must be something wrong
6

$| © 2017 by ANTID0TE All rights reserved zcram() (I) • first element positioned aligned after meta data • following elements are added one by one 7 vm_offset_t first_element_offset; if (zone_page_metadata_size % ZONE_ELEMENT_ALIGNMENT == 0){ first_element_offset = zone_page_metadata_size; } else { first_element_offset = zone_page_metadata_size +   (ZONE_ELEMENT_ALIGNMENT - (zone_page_metadata_size % ZONE_ELEMENT_ALIGNMENT)); } for (pos_in_page = first_element_offset;   (newmem + pos_in_page + elem_size) < (vm_offset_t)(newmem + PAGE_SIZE);   pos_in_page += elem_size) { page_metadata->alloc_count++; zone->count++; /* compensate for free_to_zone */ free_to_zone(zone, newmem + pos_in_page, FALSE); zone->cur_size += elem_size; }$

$| © 2017 by ANTID0TE All rights reserved zcram() (II) • checks in each iteration if end of element is still within page • check is broken it uses < (newmem + PAGE_SIZE) • if element ends exactly on page boundary it is considered out of bound • must be <= (newmem + PAGE_SIZE) otherwise always loses last element 8 for (pos_in_page = first_element_offset;   (newmem + pos_in_page + elem_size) < (vm_offset_t)(newmem + PAGE_SIZE); pos_in_page += elem_size) { page_metadata->alloc_count++; zone->count++; /* compensate for free_to_zone */ free_to_zone(zone, newmem + pos_in_page, FALSE); zone->cur_size += elem_size; }$

| © 2017 by ANTID0TE All rights reserved
iOS Zone Allocator Allocations in iOS 9 >= 9.2
• Apple refactored code - freelist order now randomized
• refactoring fixed bug
• only meta data at beginning  
not used
• 63 elements fit per page
9

| © 2017 by ANTID0TE All rights reserved
iOS Zone Allocator Allocations in iOS 10
• Apple moved meta data out of page
• once again full page used for allocations
• exactly 64 elements fit into page
10

Questions ?
www.antid0te.com
stefan@antid0te.com
© 2017 by ANTID0TE. All rights reserved

Mais conteúdo relacionado

Mais de Stefan Esser

With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access. In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.

$SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP$ $SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP$

SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

Stefan Esser

SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick

Stefan Esser

SyScan 2015 - iOS 678 Security - A Study in Fail

Stefan Esser

Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements

Stefan Esser

With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes. This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.

CanSecWest 2013 - iOS 6 Exploitation 280 Days Later

Stefan Esser

Targeting the iOS Kernel Although the iPhone user land is locked down very tightly, previous talks about iPhone security have concentrated on user land attacks only. Therefore demonstrated exploit payloads have been very limited in what they can do or cannot do. More complicated work like user land rootkits or the addition of ASLR protection therefore relied entirely on kernel exploitation help from the jailbreaking community. This presentation will introduce the audience into finding security bugs in iOS kernelspace and how this is different from hunting kernel bugs in Mac OS X. Reverse engineering will be used to extract a lot of information from the kernelcache and then this information is used to enumerate the kernel's attack surface and the corresponding code is located. In addition to that the secrets of activating the iOS internal kernel debugger will be revealed and it will be demonstrated by debugging a previous disclosed iOS kernel exploit.

SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel

Stefan Esser

Exploiting the iOS Kernel The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet. This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed. Furthermore the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows to selectively de-activate some of these kernel patches for more realistic exploit tests.

BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation

Stefan Esser

Mais de Stefan Esser (7)

$SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP$ $SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP$

SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick

SyScan 2015 - iOS 678 Security - A Study in Fail

Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements

CanSecWest 2013 - iOS 6 Exploitation 280 Days Later

SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel

BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation

Último

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Histor y of HAM Radio presentation slide

vu2urc

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun

1. 5 Minutes with the   MacOS / iOS Zone Allocator WhiskeyCon Singapore, March, 2017

3. | © 2017 by ANTID0TE All rights reserved What is this talk about? • between iOS 9.0 and iOS 9.1 the Zone Allocator had a bug • it was fixed later due to refactoring of zcram() • bug is not a security bug but influences heap layout • might cause trouble for previously working heap-feng-shui code 3

4. | © 2017 by ANTID0TE All rights reserved iOS Zone Allocator Allocations in iOS <= 6 • memory page is split into elements • in this example allocation size 64 • every single element is used • 64 elements per page 4

5. | © 2017 by ANTID0TE All rights reserved iOS Zone Allocator Allocations in iOS 7 & 8 • Apple added meta data to end of page • one less element (63) fits into a page • exactly what we expect due to  the meta data at end 5

6. | © 2017 by ANTID0TE All rights reserved iOS Zone Allocator Allocations in iOS 9 • Apple moved meta data to beginning of page • block in beginning cannot be used • but why only 62 elements? • why is the last block still unused? • there must be something wrong 6

7. | © 2017 by ANTID0TE All rights reserved zcram() (I) • first element positioned aligned after meta data • following elements are added one by one 7 vm_offset_t first_element_offset; if (zone_page_metadata_size % ZONE_ELEMENT_ALIGNMENT == 0){ first_element_offset = zone_page_metadata_size; } else { first_element_offset = zone_page_metadata_size +   (ZONE_ELEMENT_ALIGNMENT - (zone_page_metadata_size % ZONE_ELEMENT_ALIGNMENT)); } for (pos_in_page = first_element_offset;   (newmem + pos_in_page + elem_size) < (vm_offset_t)(newmem + PAGE_SIZE);   pos_in_page += elem_size) { page_metadata->alloc_count++; zone->count++; /* compensate for free_to_zone */ free_to_zone(zone, newmem + pos_in_page, FALSE); zone->cur_size += elem_size; }

8. | © 2017 by ANTID0TE All rights reserved zcram() (II) • checks in each iteration if end of element is still within page • check is broken it uses < (newmem + PAGE_SIZE) • if element ends exactly on page boundary it is considered out of bound • must be <= (newmem + PAGE_SIZE) otherwise always loses last element 8 for (pos_in_page = first_element_offset;   (newmem + pos_in_page + elem_size) < (vm_offset_t)(newmem + PAGE_SIZE); pos_in_page += elem_size) { page_metadata->alloc_count++; zone->count++; /* compensate for free_to_zone */ free_to_zone(zone, newmem + pos_in_page, FALSE); zone->cur_size += elem_size; }

9. | © 2017 by ANTID0TE All rights reserved iOS Zone Allocator Allocations in iOS 9 >= 9.2 • Apple refactored code - freelist order now randomized • refactoring fixed bug • only meta data at beginning   not used • 63 elements fit per page 9

10. | © 2017 by ANTID0TE All rights reserved iOS Zone Allocator Allocations in iOS 10 • Apple moved meta data out of page • once again full page used for allocations • exactly 64 elements fit into page 10

WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Stefan Esser

Mais de Stefan Esser (7)

Último

Último (20)

WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun