iOS Kernel Heap Armageddon Revisited
Offered By: Black Hat via YouTube
Course Description
Overview
Explore advanced iOS kernel heap exploitation techniques in this Black Hat USA 2012 conference talk. Delve into the intricacies of kernel heap memory allocators beyond the freelist, uncovering previously undiscussed attack vectors. Learn about the different kernel heap allocation functions, their wrappers, and potential vulnerabilities in heap metadata. Discover how to position memory allocated across different zones and allocators, enabling cross-allocator attacks. Understand the power of overwriting C++ objects within the kernel to achieve arbitrary code execution. Gain insights into a novel technique for controlling the iOS kernel heap, drawing parallels to JavaScript-based browser exploit methodologies. Examine iOS 6 changes, the various memory mappers, and the kernel functions critical to exploitation. Master kernel heap massage techniques, memory size considerations, and effective heap spraying strategies. Equip yourself with the knowledge to navigate the complexities of iOS kernel heap security and its potential attack surfaces.
Syllabus
Introduction
Who am I
Disclaimer
Why this talk
Outline
Zones
iOS 6 Mock API
iOS 6 Changes
Other Mappers
KLLog
Memory Allocation
Integer Overflow
Buffer Overflows
New and New Array
locator
kernel memory allocate
master entry point
okbiet
klog
userspace tool
cross memory allocator
keep application data
IOKit
OSObjects
OSObjects in memory
retainCount
override
OSString
OSArray
Kernel Heap Massage
Kernel Heap Control
Kernel Function
Memory Size Cheat Sheet
Heap Spraying
Array
Memory
Data
Heap
Heap Spray
Questions
Taught by
Black Hat
Related Courses
Security Principles: (ISC)² via Coursera
A Strategic Approach to Cybersecurity: University of Maryland, College Park via Coursera
FinTech for Finance and Business Leaders: ACCA via edX
Access Control Concepts: (ISC)² via Coursera
Access Controls: (ISC)² via Coursera