Modern operating systems implement read-only memory mappings at the CPU architecture level, preventing common security attacks. By mapping memory as read-only, the process that owns the memory can usually trust its content, eliminating security considerations that would otherwise be necessary, such as bounds checks and TOCTTOU (time-of-check-to-time-of-use) issues, on the assumption that other processes cannot mutate the read-only shared mapping through their own virtual address spaces.
However, that assumption is not always correct. In the past few years, several logic issues were addressed by the security community, most of them caused by operating systems incorrectly allowing read-only memory to be remapped as writable without marking it COW (copy-on-write). As a result, the memory content of the owning process can no longer be trusted, leading to memory corruption or even userland privilege escalation. As operating systems have evolved, such issues have become rare. On the other hand, with the stronger and more abundant features provided by peripheral components attached to mobile devices, DMA (direct memory access) enables fast data transfer between the host and peripheral devices. DMA relies on the IOMMU (Input/Output Memory Management Unit) for its memory operations, so the memory protection mechanisms provided by the CPU MMU do not apply during a DMA transfer. In the middle of 2017, Gal Beniamini of the Google Project Zero team used DMA to successfully achieve a device-to-host attack on both the Nexus 6P and the iPhone 7. Nevertheless, this new attack model usually applies only to the device-to-host scenario, where a firmware bug is needed to fully control the device, because DMA-related interfaces are not exposed directly to userland applications.
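The trust assumption described above can be demonstrated with plain POSIX memory mappings. The following is an added example written for this page, not code from the talk or from Apple: it maps one page of shared memory twice in the same process, once read-only (the "owner") and once writable (standing in for the peer), shows that the owner's PROT_READ view does not protect the content, shows that a MAP_PRIVATE copy-on-write view does, and contrasts a consumer that re-reads shared memory after validating it with one that snapshots first. The one-byte-length message layout, the MAX_LEN limit and the callback that runs between check and use are constructed for the example; Linux or another POSIX system is assumed.

```c
/* Added example (not code from the talk): why a process-local read-only view of
 * shared memory is not trustworthy while another mapping of the same pages is
 * writable, why a MAP_PRIVATE (COW) view differs, and the copy-then-validate
 * pattern that closes the TOCTTOU window. Assumptions: POSIX mmap, a
 * constructed one-byte-length message layout, and the "other process"
 * simulated by a second mapping plus a callback run between check and use. */
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE_BYTES 4096
#define MAX_LEN 64            /* constructed protocol limit for the payload length */

struct shared_views {
    const uint8_t *ro;        /* the owner's read-only view of the pages */
    uint8_t *rw;              /* the peer's writable view of the same pages */
    int fd;
};

typedef void (*peer_action)(struct shared_views *v);

/* Back one page of shared memory with an unlinked temp file and map it twice. */
static int open_views(struct shared_views *v) {
    char path[] = "/tmp/ro_view_demo_XXXXXX";
    v->fd = mkstemp(path);
    if (v->fd < 0) return -1;
    unlink(path);                                   /* keep only the descriptor */
    if (ftruncate(v->fd, PAGE_BYTES) != 0) return -1;
    v->rw = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE, MAP_SHARED, v->fd, 0);
    v->ro = mmap(NULL, PAGE_BYTES, PROT_READ, MAP_SHARED, v->fd, 0);
    return (v->rw == MAP_FAILED || v->ro == MAP_FAILED) ? -1 : 0;
}

static void close_views(struct shared_views *v) {
    munmap((void *)v->ro, PAGE_BYTES);
    munmap(v->rw, PAGE_BYTES);
    close(v->fd);
}

/* A write through the peer's view is visible through the owner's RO view:
 * PROT_READ protects the owner's page tables, not the content. Returns 1 if so. */
static int shared_view_reflects_peer_write(struct shared_views *v) {
    v->rw[20] = 0x5A;
    return v->ro[20] == 0x5A;
}

/* A MAP_PRIVATE view is copy-on-write: a write through it lands in a private
 * copy and the owner's RO view keeps the original. Returns 1 if isolated. */
static int private_cow_view_is_isolated(struct shared_views *v) {
    uint8_t *cow = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE, MAP_PRIVATE, v->fd, 0);
    if (cow == MAP_FAILED) return -1;
    uint8_t before = v->ro[10];
    cow[10] = (uint8_t)(before + 1);
    int isolated = (v->ro[10] == before);
    munmap(cow, PAGE_BYTES);
    return isolated;
}

/* Peer writes a well-formed message: length byte 4 followed by "abcd". */
static void peer_writes_valid_message(struct shared_views *v) {
    v->rw[0] = 4;
    memcpy(v->rw + 1, "abcd", 4);
}

/* Peer enlarges the length byte; when this lands between check and use, a
 * consumer that re-reads shared memory acts on a length it never validated. */
static void peer_grows_length(struct shared_views *v) {
    v->rw[0] = 200;
}

/* Unsafe consumer: checks the length in the shared RO view, then re-reads it
 * from the same view at use time. Returns the length actually used. */
static int unsafe_payload_len(struct shared_views *v, peer_action between) {
    if (v->ro[0] > MAX_LEN) return -1;              /* check */
    between(v);                                     /* constructed race window */
    return v->ro[0];                                /* use: re-read from shared memory */
}

/* Safe consumer: snapshot the message into private memory first, then validate
 * and use only the snapshot. Copies the payload to out and returns its length. */
static int safe_payload_len(struct shared_views *v, peer_action between, uint8_t *out) {
    uint8_t snap[PAGE_BYTES];
    memcpy(snap, v->ro, PAGE_BYTES);                /* single read of shared memory */
    between(v);                                     /* later peer writes no longer matter */
    if (snap[0] > MAX_LEN) return -1;               /* check on the private copy */
    memcpy(out, snap + 1, snap[0]);                 /* use the same copy */
    return snap[0];
}

int main(void) {
    struct shared_views v;
    uint8_t out[PAGE_BYTES];
    if (open_views(&v) != 0) { perror("open_views"); return 1; }
    printf("RO view sees peer write:  %d\n", shared_view_reflects_peer_write(&v));
    printf("COW view is isolated:     %d\n", private_cow_view_is_isolated(&v));
    peer_writes_valid_message(&v);
    printf("unsafe consumer used len: %d (limit %d)\n", unsafe_payload_len(&v, peer_grows_length), MAX_LEN);
    peer_writes_valid_message(&v);
    printf("safe consumer used len:   %d\n", safe_payload_len(&v, peer_grows_length, out));
    close_views(&v);
    return 0;
}
```

The defensive point is the one in safe_payload_len: a consumer of memory it does not exclusively control must copy each field once into memory only it can write and then validate and use that copy, which is also what a kernel does when it copies a user-supplied structure in before checking it. A read-only mapping on the consumer's side only constrains the consumer's own page tables; it says nothing about what the producer's mapping, a COW-less remap or a DMA engine behind the IOMMU can do to the underlying pages.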
After months of research, we found an exception on iOS devices: Apple Graphics. At the MOSEC conference in 2017, we demonstrated a jailbreak of iOS 10.3.2 and iOS 11 beta 2, the latest versions at that time, on the iPhone 6s and iPhone 7. Details of the demonstration have not been published before.
In this talk, we will introduce the concepts essential to our bugs, which include:
- Indirect DMA features exposed to iOS userland
- The implementation of IOMMU memory protection
- The notification mechanism between the GPU and the Apple Graphics driver
The next part will cover the details of two bugs: one in DMA handling of host virtual memory, and an out-of-bounds write caused by potentially untrusted userland read-only memory.
Lastly, we will talk about how we combined two flaws across different Apple Graphics components to achieve reliable kernel code execution from the iOS application sandbox.
Liang Chen is a senior security researcher at KeenLab of Tencent (formerly known as Keen Team). Liang has strong research experience in software vulnerability exploitation and vulnerability discovery. In recent years, Liang's major research area has been browser exploitation, including Safari, Chrome, Internet Explorer, etc., on both PC and mobile platforms. Liang also researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" at Pwn2Own 2016, and led the team to win "Master of Pwn" at Mobile Pwn2Own 2016 and Mobile Pwn2Own 2017. Liang is also the winner of the iPhone Safari category at Mobile Pwn2Own 2013 and the Mavericks Safari category at Pwn2Own 2014. Liang developed Keen Jailbreak for iOS 10.3.2 and iOS 11.1.1. Liang has spoken at several security conferences, including XCON 2013, Black Hat Europe 2014, CanSecWest 2015/2016, POC 2015/2016/2017, Black Hat 2016, RECon 2016, and Infiltrate 2017.