abelrguezr/ios-exploitation

iOS Exploitation Research

A comprehensive skill for iOS security research, exploit analysis, and understanding iOS hardening mechanisms.

When to Use This Skill

Use this skill when the user needs help with:

• Understanding iOS exploit mitigations (PAC, BTI, ASLR, DEP, KASLR, KPP, KTRR, PAN/PXN, TBI, PPL, MTE/EMTE)
• Analyzing iOS kernel or userland heap structures
• Working with iOS exploitation tools (Ghidra, BinDiff, kernelcache analysis)
• Understanding iOS exploit chains and patterns
• Researching iOS security architecture and XNU kernel internals
• Analyzing iOS vulnerability mitigations and bypass techniques

iOS Exploit Mitigations Reference

Core Mitigations

| Mitigation | Purpose | Key Details | |------------|---------|-------------| | Code Signing | All executable code must be cryptographically signed | Thwarts payload drop + execute; checks at runtime before loading binaries | | CoreTrust | Runtime signature validation against Apple's root certificate | Thwarts post-install tampering, jailbreak persistence | | DEP/NX/W^X | Writable pages are non-executable, executable pages are non-writable | Thwarts direct shellcode execution | | ASLR | Randomizes base addresses of libraries, heap, stack | Thwarts hardcoded gadget addresses for ROP/JOP | | KASLR | Randomizes kernel base address at boot | Thwarts kernel-level exploits relying on fixed locations | | KPP/AMCC | Monitors kernel text integrity via hash/checksum | Thwarts persistent kernel patching, inline hooks | | KTRR | Hardware-enforced read-only kernel text after boot | Thwarts any kernel code modification at EL1 | | PAC | Pointer Authentication Codes - cryptographic signatures on pointers | Thwarts pointer tampering, return address corruption | | BTI | Branch Target Identification - validates indirect branch targets | Thwarts jumping to arbitrary gadget addresses | | PAN/PXN | Privileged Access/Execute Never | Prevents kernel from accessing/executing user memory | | TBI | Top Byte Ignore - allows pointer tagging | Enables memory tagging, metadata in pointers | | PPL/SPTM | Page Protection Layer / Secure Page Table Monitor | Creates kernel-within-kernel protection boundary | | MTE/EMTE | Memory Tagging Extension / Enhanced MTE | Detects UAF, OOB, invalid accesses via tag checking |

Pointer Authentication Codes (PAC)

PAC is a hardware feature (ARMv8.3+) that embeds cryptographic signatures in pointer high bits.

Key Types:

• APIAKey / APIBKey - Instruction pointer keys
• APDAKey / APDBKey - Data pointer keys
• APGAKey - Generic key for non-pointer data

Instruction Families:

• PACxx - Sign pointer and insert PAC
• AUTxx - Authenticate and strip PAC
• XPACxx - Strip PAC without validation

Common PAC Bypasses:

1. dlsym() - Returns already-signed function pointers
2. Shared Cache - Pre-signed pointers in dyld shared cache
3. DYLD relocations - Timing-based bypasses during dynamic linking
4. NSPredicate/NSExpression - ObjC runtime methods for control flow

Branch Target Identification (BTI)

BTI validates indirect branch targets must have BTI landing pads.

| BTI Variant | Permits | Use Case | |-------------|---------|----------| | BTI C | Call-style indirect branches (BLR) | Function entry points | | BTI J | Jump-style branches (BR) | Jump tables, tail-calls | | BTI JC | Both C and J | General indirect targets |

Memory Tagging (MTE/EMTE)

Apple's Enhanced MTE (EMTE) / Memory Integrity Enforcement (MIE):

• Synchronous mode - Tag mismatches caught immediately
• Tag assignment - Secret tag assigned on allocation
• Tag checking - Hardware validates pointer tag matches allocation tag
• Retagging on free - Prevents use-after-free
• Neighbor differentiation - Catches buffer overflows
• Tag confidentiality - Prevents side-channel leakage

Kernel Heap Structures

Old Kernel Heap (Pre-iOS 15)

Zone Allocator (kalloc):

• Fixed-size zones: kalloc.16, kalloc.32, kalloc.64, etc.
• Raw freelist pointers in freed chunks
• Predictable object placement via heap sprays
• Easy freelist poisoning via overflow/UAF

Freelist Structure:

Zone page (64-byte chunks):
   [ A ] [ F ] [ F ] [ A ] [ F ] [ A ] [ F ]

Freelist view:
   HEAD ──► [ F ] ──► [ F ] ──► [ F ] ──► [ F ] ──► NULL

Exploitation:

1. Heap overflow into adjacent freed chunk → overwrite "next" pointer
2. Use-after-free write → overwrite "next" pointer
3. Next allocation returns attacker-controlled address

Modern Kernel Heap (iOS 15+/A12+)

kalloc_type System:

• Type-based zones - Each object type has dedicated zone
• Slabs and per-CPU caches - Decentralized allocation
• Encoded freelist pointers - XOR-encoded with per-zone secret
• Guarded allocations - Guard pages around critical objects
• PPL/SPTM protection - Hardware-enforced page protection
• PAC on pointers - Function pointers, vtables protected

Allocation Flow:

1. Type lookup → kalloc_type_<object> zone
2. Check per-CPU cache
3. If empty → global freelist
4. If empty → allocate new slab
5. Return chunk with encoded freelist pointer

Comparison:

| Feature | Old Heap | Modern Heap | |---------|----------|-------------| | Granularity | Size-based | Size + type-based | | Predictability | High | Low | | Freelist | Raw pointers | Encoded pointers | | Adjacency control | Easy | Hard | | Exploit reliability | High | Low |

Userland Heap (xzone malloc)

Modern iOS userland allocator (iOS 17+):

Architecture:

• Segment groups - Partition by usage (data, pointer_xzones, data_large, pointer_large)
• Metadata slabs - Out-of-line metadata separate from payloads
• Chunks and blocks - Chunks for size classes, blocks for allocations
• Guard pages - Unmapped slices between chunks
• Type IDs - malloc_type_id_t for type-aware allocation

Security Features:

• Metadata decoupling from object payloads
• Guard pages catch out-of-bounds writes
• Type-based segregation prevents cross-type reuse
• EMTE/MIE integration for tag checking
• Delayed reuse, poisoning, quarantine for freed blocks
• Randomized placement within chunks

Exception Handling in XNU

Exception Flow:

1. CPU triggers synchronous exception
2. Low-level trap handler (trap.c, exception.c)
3. exception_triage() routes exception
4. Delivers to: thread port → task port → host port
5. If unhandled → BSD signal or kernel panic

Exception Ports:

task_set_exception_ports()
thread_set_exception_ports()
host_set_exception_ports()

Mach Exception to Signal Mapping:

| Mach Exception | Signal | |----------------|--------| | EXC_BAD_ACCESS | SIGSEGV/SIGBUS | | EXC_BAD_INSTRUCTION | SIGILL | | EXC_ARITHMETIC | SIGFPE | | EXC_SOFTWARE | SIGTRAP | | EXC_BREAKPOINT | SIGTRAP | | EXC_CRASH | SIGKILL | | EXC_ARM_PAC | SIGILL (non-fatal) |

PAC Exceptions:

• EXC_ARM_PAC raised on signature mismatch
• TFRO_PAC_EXC_FATAL flag makes PAC failures fatal (bypasses debugger)
• Platform binaries use fatal PAC exceptions

Exploitation Tools

Ghidra + BinDiff Setup

Installation:

1. Download BinDiff DMG from https://www.zynamics.com/bindiff/manual
2. Install BinDiff
3. Open Ghidra, go to File → Install Extensions
4. Add /Applications/BinDiff/Extra/Ghidra/BinExport
5. Install even with version mismatch

Kernel Version Diffing:

1. Download iOS IPSW files from https://ipsw.me/
2. Decompress to extract kernelcache binaries
3. Load both kernelcaches in Ghidra
4. Export as "Binary BinExport (v2) for BinDiff"
5. Open BinDiff, create workspace with primary (vulnerable) and secondary (patched)

Finding XNU Versions

Check iOS version to XNU mapping at: https://www.theiphonewiki.com/wiki/kernel

Example: iOS 15.1 RC/15.1/15.1.1 → Darwin Kernel Version 21.1.0 (xnu-8019.43.1~1)

Modern Exploit Chain Patterns

JSKit-Based Safari Chains

Pattern:

WebKit renderer RCE → kernel IPC UAF → kernel arbitrary R/W → code-sign bypass → unsigned system stager

Key Components:

• JSKit framework - Reusable JavaScript-level arbitrary read/write primitive
• Version abstraction - PAC bypass modules for different iOS releases
• Manual Mach-O mapping - In-memory payload loading without filesystem artifacts
• Portfolio model - Multiple interchangeable WebKit exploits

Kernel Bridge Pattern

CVE-2023-41992 (IPC UAF):

• Kernel use-after-free in IPC code
• Re-allocate freed object from userland
• Abuse dangling pointers for arbitrary kernel R/W

CVE-2023-41991 (Code-sign bypass):

• Patch trust cache / code-signing structures
• Unsigned payloads execute as system
• Expose lightweight kernel R/W service

PREYHUNTER Helper Modules

Watcher anti-analysis:

• Checks security.mac.amfi.developer_mode_status
• Detects diagnosticd, jailbreak traces (Cydia, bash, tcpdump, frida, sshd)
• Detects AV apps (McAfee, Avast, Norton)
• Blocks on custom HTTP proxy or root CAs

Helper surveillance:

• /tmp/helper.sock communication
• DMHooker/UMHooker hook sets
• VOIP audio capture (/private/var/tmp/l/voip_%lu_%u_PART.m4a)
• System-wide keylogger
• Photo capture without UI
• SpringBoard notification suppression

HiddenDot suppression:

• Hooks SBSensorActivityDataProvider._handleNewDomainData:
• Zeroes Objective-C self pointer
• Drops camera/mic indicator updates

Research Workflow

Step 1: Identify Target iOS Version

1. Check iOS version and corresponding XNU kernel version
2. Download IPSW files for vulnerable and patched versions
3. Extract kernelcache binaries

Step 2: Set Up Analysis Environment

1. Install Ghidra and BinDiff
2. Load kernelcaches in Ghidra
3. Export BinExport format
4. Create BinDiff workspace

Step 3: Analyze Mitigations

1. Identify which mitigations are active (PAC, BTI, KTRR, PPL, etc.)
2. Determine hardware generation (A12+, A15+, etc.)
3. Check for EMTE/MIE support
4. Map out kernel heap structure (kalloc_type zones)

Step 4: Identify Vulnerability Class

1. Determine if userland or kernel vulnerability
2. Check for heap corruption, UAF, OOB, type confusion
3. Map to appropriate heap structure (kernel kalloc_type or userland xzone)
4. Identify available primitives (read/write, control flow)

Step 5: Plan Exploitation

1. Assess mitigation bypass requirements (PAC, BTI, etc.)
2. Determine if info leak needed for ASLR/KASLR
3. Plan heap grooming strategy (if applicable)
4. Identify code-sign bypass path (if kernel)

Step 6: Execute and Validate

1. Implement exploit chain
2. Test on target iOS version
3. Validate each stage (primitive → bypass → payload)
4. Document findings and patterns

Key References

• XNU Source: osfmk/kern/exception.c, osfmk/arm64/trap.c, bsd/kern/kern_sig.c
• PAC Research: bazad.github.io
• PAC Bypasses: i.blackhat.com
• Project Zero: googleprojectzero.blogspot.com
• Synacktiv: synacktiv.com
• Epsilon: blog.epsilon-sec.com
• Jamf Predator Analysis: jamf.com/blog
• Google Threat Intel: cloud.google.com/blog

Quick Reference Commands

# Install BinDiff extension in Ghidra
ghidraRun
# File → Install Extensions → Add /Applications/BinDiff/Extra/Ghidra/BinExport

# Download iOS IPSW files
# Visit https://ipsw.me/ and download target versions

# Decompress IPSW to extract kernelcache
# Use standard archive tools to extract .ipsw → .dmg → kernelcache

# Check XNU version for iOS
# Visit https://www.theiphonewiki.com/wiki/kernel

Common Pitfalls

1. Assuming PAC is bypassable - Kernel PAC is highly robust; focus on userland bypasses
2. Ignoring type-based heap - Modern kalloc_type separates object types; heap sprays less effective
3. Overlooking EMTE - Memory tagging catches UAF/OOB immediately on supported hardware
4. Missing PPL/SPTM - Page protection layers prevent arbitrary kernel memory modification
5. Forgetting PAC exceptions - TFRO_PAC_EXC_FATAL prevents debugger interception on platform binaries
6. Assuming freelist poisoning works - Encoded freelist pointers require key knowledge
7. Ignoring PAN/PXN - Kernel cannot access/execute user memory by default

When to Escalate

If the user needs:

• Specific exploit code implementation
• Detailed binary analysis of a specific vulnerability
• Custom tool development for iOS exploitation
• Legal/ethical guidance on exploitation research

Provide the conceptual framework and direct them to appropriate resources or suggest they consult with security professionals for implementation details.