Over the past year, Apple has consistently added features to prevent exploitation of the iOS kernel. These features, while largely misunderstood, provide a path for understanding of the iOS security model going forward. This talk will examine the history of iOS’s exploit mitigations from iOS 8 to iOS 9.3 in order to teach important features of the architecture. This talk will cover various enhancements that stop attackers from dynamically modifying the functionality of system services, but also resulted in the defeat of all known exploitation through function hooking. Additionally, we will explore how the ability to use PLT interception and the use of direct memory overwrite are no longer options for exploit writers because of recent changes. Finally, we will cover the code-signing mechanism in depth, user land and kernel implementations and possible ways to bypass code-sign enforcement.
Max Basally is a security researcher at Lookout. He has over 9 years of experience in the security research space. Max has experience in native code obfuscation, malware detection and iOS exploitation. Before joining Lookout Max was working in malware research and software protection areas, most recently at Bluebook Security. Currently he is focused on mobile security research, XNU and LLVM internals. Max holds a Master’s degree in Computer Science.