One Byte to rule them all
> For the last several years, nearly all iOS kernel exploits have followed the same high-level flow: memory corruption and fake Mach ports are used to gain access to the kernel task port, which provides an ideal kernel read/write primitive to userspace. Recent iOS kernel exploit mitigations like PAC and zone_require seem geared towards breaking the canonical techniques seen over and over again to achieve this exploit flow. But the fact that so many iOS kernel exploits look identical from a high level begs questions: Is targeting the kernel task port really the best exploit flow? Or has the convergence on this strategy obscured other, perhaps more interesting, techniques? And are existing iOS kernel mitigations equally effective against other, previously unseen exploit flows?
> In this blog post, I’ll describe a new iOS kernel exploitation technique that turns a one-byte controlled heap overflow directly into a read/write primitive for arbitrary physical addresses, all while completely sidestepping current mitigations such as KASLR, PAC, and zone_require. By reading a special hardware register, it’s possible to locate the kernel in physical memory and build a kernel read/write primitive without a fake kernel task port. I’ll conclude by discussing how effective various iOS mitigations were or could be at blocking this technique and by musing on the state-of-the-art of iOS kernel exploitation. You can find the proof-of-concept code here.
Certificate Transparency: a bird's-eye view
> Certificate Transparency (CT) is a still-evolving technology for detecting incorrectly issued certificates on the web. It’s cool and interesting, but complicated. I’ve given talks about CT, I’ve worked on Chrome’s CT implementation, and I’m actively involved in tackling ongoing deployment challenges – even so, I still sometimes lose track of how the pieces fit together. I find it easy to forget how the system defends against particular attacks, or what the purpose of some particular mechanism is.
A Massive Leak
> “Memory leaks are impossible in a garbage collected language!” is one of my favorite lies. It feels true, but it isn’t. Sure, it’s much harder to make them, and they’re usually much easier to track down, but you can still create a memory leak. Most times, it’s when you create objects, dump them into a data structure, and never empty that data structure. Usually, it’s just a matter of finding out what object references are still being held. Usually.
> A few months ago, I discovered a new variation on that theme. I was working on a C# application that was leaking memory faster than bad waterway engineering in the Imperial Valley.
Malofiej 28 visualization awards
> In this edition, 162 media outlets from 34 different countries have sent in their works. Of the 1,000 entries in the competition, 400 correspond to printed graphics categories and 600 to digital infographics categories. The jury gave a total of 170 medals, 17 gold, 65 silver and 87 bronze medals in printed and digital media. From the 170 medals awarded by the jury, 58 went to the printed category (5 gold medals, 18 silver and 35 bronze) and 112 went to the online category (12 gold medals, 47 silver and 52 bronze).
How can CharUpper and CharLower guarantee that the uppercase version of a string is the same length as the lowercase version?
> Every time there is another JWS/JWT vulnerability involving “alg”:“none” (like today, lolsob), people focus on the “none” part. But the real problem is the “alg” part.
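The point the quoted post makes is that the verifier, not the token, must decide the algorithm. As an added illustration (not code from the linked post), here is a minimal HS256 JWS verifier that pins the expected algorithm server-side and rejects any token whose header disagrees, including `alg: none` and unsigned tokens. The secret and the `make_token` helper are constructed for the demo; `make_token` deliberately accepts an `alg` and a `sign` flag so that malformed tokens can be built for testing.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service would load this from a key store.
SECRET = b"demo-secret-not-for-production"

# The server decides which algorithm is acceptable. The token header is never
# consulted to *choose* an algorithm; it is only checked for agreement.
EXPECTED_ALG = "HS256"


def _b64url_decode(segment: str) -> bytes:
    # JWS strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(payload: dict, alg: str = "HS256", sign: bool = True) -> str:
    """Build a compact JWS (header.payload.signature). `alg` and `sign` exist
    only so that tests can construct the malformed tokens a client might send."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest() if sign else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, expected_alg: str = EXPECTED_ALG) -> Optional[dict]:
    """Return the payload if the token verifies under the pinned algorithm, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    # Key check: the header must match what *we* expect, so "none" or any
    # other substitution is refused before a single byte of signature is examined.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    if expected_alg != "HS256":
        return None  # only HS256 is implemented in this demo
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected_sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    try:
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Constant-time comparison; an empty signature (unsigned token) fails here.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    good = make_token({"sub": "alice"})
    print(verify_token(good))                                   # {'sub': 'alice'}
    print(verify_token(make_token({"sub": "alice"}, alg="none", sign=False)))  # None
```

The same shape applies to libraries that take an `algorithms=[...]` allow-list: the list is the pin, and a verifier that reads `alg` from the header to pick a key or primitive has already lost.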
The core of Apple is PPL: Breaking the XNU kernel's kernel
> While doing research for the one-byte exploit technique, I considered several ways it might be possible to bypass Apple’s Page Protection Layer (PPL) using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC. Given that PPL is even more privileged than the rest of the XNU kernel, the idea of compromising PPL “before” XNU was appealing. In the end, though, I wasn’t able to think of a way to break PPL using the physical mapping primitive alone.
> However, it’s not the Project Zero way to leave any mitigation unbroken. So, having exhausted my search for design flaws, I returned to the ever-faithful technique of memory corruption. Sure enough, decompiling a few PPL functions in IDA was sufficient to find some memory corruption.
CVE-2020–9934: Bypassing TCC
> The Transparency, Consent, and Control (TCC) Framework is an Apple subsystem which denies installed applications access to ‘sensitive’ user data without explicit permission from the user (generally in the form of a pop-up message).
Let's build a Full-Text Search engine
> Today we are going to build our own FTS engine. By the end of this post, we’ll be able to search across millions of documents in less than a millisecond. We’ll start with simple search queries like “give me all documents that contain the word cat” and we’ll extend the engine to support more sophisticated boolean queries.
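The core data structure behind an engine like the one the quoted post builds is an inverted index: a map from each term to the sorted list of document ids that contain it, so that a boolean query becomes a merge of sorted posting lists. As an added example (not the linked post's code, which is in Go and indexes a Wikipedia dump), here is a small Python index with the same ingredients: a tokenizer with stopword removal and crude stemming, sorted postings, and linear-time AND/OR merges. The corpus is constructed.

```python
import bisect
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample corpus; doc ids are the keys.
DOCS = {
    1: "The cat sat on the mat",
    2: "A dog chased the cat",
    3: "Dogs and cats are pets",
    4: "The mat was red",
}

STOPWORDS = {"the", "a", "and", "on", "was", "are"}


def tokenize(text: str) -> List[str]:
    """Lowercase, keep alphabetic runs, drop stopwords, strip a trailing 's'
    from longer words as a very rough stemmer (cats -> cat, dogs -> dog)."""
    out = []
    for tok in re.findall(r"[a-z]+", text.lower()):
        if tok in STOPWORDS:
            continue
        if tok.endswith("s") and len(tok) > 3:
            tok = tok[:-1]
        out.append(tok)
    return out


def intersect(a: List[int], b: List[int]) -> List[int]:
    """Merge two sorted posting lists, keeping ids present in both."""
    i = j = 0
    out = []
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    return out


def union(a: List[int], b: List[int]) -> List[int]:
    """Merge two sorted posting lists, keeping ids present in either."""
    i = j = 0
    out = []
    while i < len(a) or j < len(b):
        if j >= len(b) or (i < len(a) and a[i] < b[j]):
            out.append(a[i]); i += 1
        elif i >= len(a) or b[j] < a[i]:
            out.append(b[j]); j += 1
        else:
            out.append(a[i]); i += 1; j += 1
    return out


class InvertedIndex:
    def __init__(self) -> None:
        self.postings: Dict[str, List[int]] = defaultdict(list)

    def add(self, doc_id: int, text: str) -> None:
        for term in set(tokenize(text)):          # one posting per doc per term
            bisect.insort(self.postings[term], doc_id)  # keep each list sorted

    def search_all(self, query: str) -> List[int]:
        """Documents containing every query term (AND)."""
        terms = tokenize(query)
        if not terms:
            return []
        result = self.postings.get(terms[0], [])
        for term in terms[1:]:
            result = intersect(result, self.postings.get(term, []))
        return result

    def search_any(self, query: str) -> List[int]:
        """Documents containing at least one query term (OR)."""
        result: List[int] = []
        for term in tokenize(query):
            result = union(result, self.postings.get(term, []))
        return result


def build_index(docs: Dict[int, str] = DOCS) -> InvertedIndex:
    idx = InvertedIndex()
    for doc_id, text in docs.items():
        idx.add(doc_id, text)
    return idx


if __name__ == "__main__":
    idx = build_index()
    print(idx.search_all("cat dog"))   # [2, 3]
    print(idx.search_any("mat pet"))   # [1, 3, 4]
```

Because postings are sorted, the AND merge walks each list once, which is why queries over millions of documents stay fast; ordering the terms by ascending posting-list length before merging is the usual next optimisation.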
Hasselblad, Kodak, & Apollo 11
A probably not entirely wrong history of cameras developed for the moon.
Inside the 8086 processor, tiny charge pumps create a negative voltage
> You might wonder how a charge pump can turn a positive voltage into a negative voltage. The trick is a “flying” capacitor, as shown below. On the left, the capacitor is charged to 5 volts. Now, disconnect the capacitor and connect the positive side to ground. The capacitor still has its 5-volt charge, so now the low side must be at -5 volts. By rapidly switching the capacitor between the two states, the charge pump produces a negative voltage.
> In 1927, a Baltimore man was on a mission to blast off to Venus. Nearly a century later, a documentary crew is on its own mission to find the rocket built for that journey.
Some great illustrations, too.
> In short, I enjoy and appreciate The Times. And after paying over $300 a year for nearly a decade, and having read the Times on a near-daily basis for my entire adult life, I feel I qualify as a good customer. And they repay me by deliberately annoying me several times a day, every day, when I attempt to read the product I’m paying them for. How could one not find this outrageously annoying?
Using Go build directives to optionally use new APIs in the standard library
> I mentioned recently that new APIs in the Go standard library were relatively easy to optionally support, because such new APIs only appear in new Go releases and you can conditionally build files based on the Go release that’s building your program. But that’s a pretty abstract description, so let’s make it concrete.
"Kharkovchanka" - The Colossal Soviet Antarctic Cruisers
> “The Kharkovchanka” - Russia’s Colossal Antarctic Cruisers which have been continuously operating in some of the most extreme environments on Earth for over 50 years. Produced in Kharkiv, Ukrainian Soviet Socialist Republic and originally operated by the USSR, the ’Харьковчанка’ (literally ‘Kharkiv Women’), these amazing Snow Cruisers were built in the late 1950s and featured everything a polar explorer could need in the field. In their half-century mission, they have crossed thousands of miles on Antarctic Ice, visited the South Pole, the pole of inaccessibility as well as the dozens of outposts and research stations on the continent.
Previously: “The Snow Cruiser” - Antarctica’s Abandoned Behemoth
The search for the saddest punt in the world
> To punt is to give up, and in the 21st century, NFL teams have given up nearly 50,000 times. Most of those punts were reasonable decisions. But a few were so cowardly, and in such defiance of all reason, that they must not be forgotten. In this episode of Chart Party, it’s our mission to find them.
Here's why your Samsung Blu-ray player bricked itself: It downloaded an XML config file that broke the firmware
> This file, when fetched and saved to the device’s flash storage and processed by the equipment, crashed the system software and forced a reboot. Upon reboot, the player parsed the XML file again from its flash storage, crashed and rebooted again. And so on, and so on, and so on. Crucially, the XML file would be parsed before a new one could be fetched from the internet, so once the bad configuration file was fetched and stored by these particular Samsung Blu-ray players in the field, they were bricked.
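The failure described above is a persisted-input boot loop: the bad file is committed to storage before it has ever been parsed successfully, and the parse happens before anything that could replace it. The usual defence is to stage a downloaded config as a candidate, record (persistently) that a boot is about to try it, and promote it to the active config only after the parse survives; a second boot that finds the trial marker still set knows the last attempt died and discards the candidate. As an added example that is not Samsung's code and does not describe their firmware, here is that pattern in Python with a simulated flash store and XML configs; the XML layout and the `<version>` check are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional


class FlashStore:
    """Simulated persistent storage. Everything here survives a 'reboot'
    (a Python exception in boot()), just as flash contents would."""

    def __init__(self, active: str) -> None:
        self.active = active               # last config known to parse
        self.candidate: Optional[str] = None  # freshly downloaded, not yet trusted
        self.candidate_tried = False       # set *before* the candidate is parsed

    def download(self, raw: str) -> None:
        """Store a new config as a candidate; never overwrite the active one."""
        self.candidate = raw
        self.candidate_tried = False


def parse_config(raw: str) -> Dict[str, str]:
    """Parse the constructed <config><version>..</version></config> layout.
    Raises ET.ParseError on malformed XML and ValueError on missing fields,
    standing in for the crash the real player suffered."""
    root = ET.fromstring(raw)
    version = root.findtext("version")
    if root.tag != "config" or version is None:
        raise ValueError("config lacks <version>")
    return {"version": version}


def boot(store: FlashStore) -> Dict[str, str]:
    """One boot cycle. A raised exception models a crash-and-reboot."""
    if store.candidate is not None:
        if store.candidate_tried:
            # A previous boot marked this candidate and never came back to
            # promote it: it is poison, so drop it and carry on with active.
            store.candidate = None
            store.candidate_tried = False
        else:
            store.candidate_tried = True          # persisted before parsing
            cfg = parse_config(store.candidate)   # may 'crash' here
            store.active = store.candidate        # promote only after success
            store.candidate = None
            store.candidate_tried = False
            return cfg
    return parse_config(store.active)


def boots_until_healthy(store: FlashStore, limit: int = 10) -> int:
    """Count boots until one completes; returns limit+1 if it never does
    (the bricked case the quoted article describes)."""
    for n in range(1, limit + 1):
        try:
            boot(store)
            return n
        except (ET.ParseError, ValueError):
            continue
    return limit + 1


GOOD_V1 = "<config><version>1</version></config>"
GOOD_V2 = "<config><version>2</version></config>"
BAD_XML = "<config><version>2</config>"   # mismatched tag -> ParseError


if __name__ == "__main__":
    store = FlashStore(GOOD_V1)
    store.download(BAD_XML)
    print(boots_until_healthy(store))   # 2: one crash, then recovery on the old config
    print(store.active == GOOD_V1)      # True: the bad file was never promoted
```

Without the `candidate_tried` marker, every boot would retry the same candidate and the loop never ends, which is exactly the behaviour the article attributes to the affected players.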
Hacking With Environment Variables
> Interesting environment variables to supply to scripting language interpreters
Major Bug in glibc is Killing Applications With a Memory Limit
> malloc() preallocates large chunks of memory, per thread. This is meant as a performance optimization, to reduce memory contention in highly threaded applications. On a typical physical server, a dual Xeon CPU with a terabyte of RAM, the core count is easily 40 or above: 10 cores * 2 CPU * 2 for hyper threading. This means a preallocation of up to 20 GB of RAM in the process.