iOS Kernel PAC, One Year Later

In February 2019, I reported to Apple five ways to bypass kernel Pointer Authentication on the iPhone XS. My impression was that the design, while a dramatic improvement on the ARMv8.3 standard, had some fundamental issues when defending kernel control flow against attackers with kernel memory access. This talk will look at how PAC has (and hasn't) improved in the subsequent year, once again concluding with five new ways to bypass kernel PAC to obtain arbitrary kernel code execution on iOS 13.3.

By Brandon Azad