With the release of iPhone XS and XS Max, Apple's implementation of Pointer Authentication Code (PAC) on the A12 SoC comes more into play for exploit mitigations. While PAC effectively makes many of our own kernel vulnerabilities unexploitable on iPhone XS/XS Max, we were able to achieve tethered jailbreaks on iPhone XS/XS Max. This talk will describe this process. Specifically, this talk will first discuss Apple's PAC implementation based on our tests, introduce an ancient bug in the XNU that is still affecting the latest official release of iOS (i.e. 12.1.4), and then elaborate how to exploit it to bypass PAC and gain arbitrary kernel read/write. Finally, this talk will explain post exploitation techniques including how to make arbitrary kernel function call based on arbitrary kernel read/write.
Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON.
Hao Xu is a member of Team Pangu and has been involved in information security for over 10 years. His research interests range from OSX/iOS/Windows kernel security, rootkit and malware analysis, hardware virtualization technology, and reverse engineering. He is a regular speaker at Syscan 360, POC, Xcon.