iOS 10 Kernel Heap Revisited

Offered By: Hack In The Box Security Conference via YouTube

Course Description

Overview

Dive into the intricacies of iOS 10 kernel heap exploitation in this comprehensive conference talk from HITB GSEC 2016. Explore the evolution of the iOS Kernel Heap since iOS 4 and 5, examining Apple's hardening efforts against heap exploitation attacks. Gain detailed insights into the current state of iOS kernel heap exploitation, focusing on iOS 9 and iOS 10 beta versions. Learn about Apple's countermeasures against exploitation techniques used in the wild and discover how attackers can adapt. Get a sneak peek into new iOS 10 kernel exploitation mitigations visible in beta versions. Presented by Stefan Esser, a renowned PHP security expert and iOS security researcher, this 65-minute session covers topics such as the Kernel Zone Heap Allocator, Zone Memory, Dynamic Length Allocations, Kernel Heap Allocation Debugging, and various protection mechanisms implemented by Apple.

Syllabus

Intro
Kernel Zone Heap Allocator
Zone Allocator Usage
Zone Memory (Pages)
Dynamic Length Allocations?
Kernel Heap Allocation Debugging (1)
Zone Structure
Free Memory Blocks
How attackers abused the iOS 5 Zone Allocator
iOS & Heap Cookie Leak Protection
Zone Pagelist Feature
Zone Page Meta Data
Zone Pagelists
Allocation under Page Lists
Freeing under Page Lists
Was there a memory corruption? Yes? Continue!
Less Frequent Large Block Poisoning
Zone Page Metadata
Fored Zone Structure Array
New Zone Metadata Region
Page Freelists
Metadata vs. Wrong Zone Frees
Wrappers and Metadata


Taught by

Hack In The Box Security Conference
