[Security Developer Summit]: Did You Push Your Limits? Asking Again 25 Years Later


2025-11-12, Security Developer Summit (安全开发者峰会), speaker: 王***

Did You Push Your Limits? Asking Again 25 Years Later

Agenda
- Speaker biography
- Did you push your limits?
- Part 1: As a system architect
- Part 2: As a software engineer
- Part 3: As a quality assurance specialist
- Part 4: As a participant in the software development lifecycle
- Part 5: As a security researcher
- Takeaways

About me
Wang Yu. Security researcher. Serial entrepreneur, currently serving as CEO/CTO of a leading data security company. Engineering background. Consistently delivering world-class research results that bridge industry and academia.

Did you push your limits?

Part 1: As a system architect
Case #1: The story behind IOMobileFrameBuffer and CVE-2024-44199
Case #2 and Case #3: CVE-2020-3905 and CVE-2020-9928

Case #1: The story behind IOMobileFrameBuffer
The statistics on IOMobileFrameBuffer vulnerabilities show that the contest between attackers and defenders over this driver once reached a fever pitch. According to public records, sixteen kernel vulnerabilities in IOMobileFrameBuffer have been reported over its history. Of these, four were exploited in the wild by APT groups (CVE-2021-30807, CVE-2021-30883, CVE-2021-30983, CVE-2022-22587), two were used by iOS jailbreak tools (JailbreakMe 3.0: CVE-2011-0227; Pangu 9: CVE-2016-4654), and one was used to win a security competition (Tianfu Cup: CVE-2021-30983).
The historical landscape of kernel vulnerabilities
2011: CVE-2011-0227 (Comex, JailbreakMe 3.0)
2012: N/A
2013: N/A
2014: N/A
2015: CVE-2015-1097 (Barak Gabai), CVE-2015-5843 (Filippo Bigarella)
2016: CVE-2016-4654 (Tielei Wang, Team Pangu; Pangu 9)
2017: CVE-2017-13879 (Apple)
2018: CVE-2018-4335 (Brandon Azad)

The historical landscape of kernel vulnerabilities (cont.)
2021: CVE-2021-30807 (ITW APT attack / Saar Amar), CVE-2021-30883 (ITW APT attack / Tielei Wang, Team Pangu), CVE-2021-30983 (Tielei Wang, Team Pangu; Tianfu Cup competition), CVE-2021-30985 (Tielei Wang, Team Pangu), CVE-2021-30991 (Tielei Wang, Team Pangu), CVE-2021-30996 (Saar Amar)
2022: CVE-2022-22587 (ITW APT attack / Meysam Firouzi / Siddharth Aeri), CVE-2022-26768 (an anonymous researcher; highly likely exploited by an ITW APT attack), CVE-2022-46690 (John Aakerblom), CVE-2022-46697 (John Aakerblom / Antonio Zekic)
2023: N/A
2024: Any ideas?

I missed that era: 《IOMFB的一些陈芝麻》 ("Some old stories about IOMFB")
Pangu 9 Internals: https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf

Selector 0x53, CVE-2021-30807: WebContent-to-EL1 LPE, an out-of-bounds read (OOBR) in AppleCLCD and IOMobileFrameBuffer
https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/
Selector 0x4E, CVE-2021-30883: Bindiff and PoC for the IOMFB vulnerability (an integer overflow), iOS 15.0.2
https://saaramar.github.io/IOMFB_integer_overflow_poc/

These attack surfaces have since been removed.

Case #2 and Case #3: CVE-2020-3905 and CVE-2020-9928
CVE-2020-3905: IOBluetoothHCIUserClient::DispatchHCIWriteEncryptionMode (HCI opcode 0xC22, i.e. Write_Encryption_Mode, OGF 0x03 / OCF 0x0022) kernel object race condition. Patched in Security Update 2020-002, but that patch can be bypassed.
https://support.apple.com/en-us/HT211100
CVE-2020-9928: IOBluetoothFamily kernel object race condition triggered by mixed HCI commands. Patched in Security Update 2020-004.
https://support.apple.com/en-us/HT211289
IOBluetoothHCIUserClient::DispatchHCIChangeLocalName
Hacking IOBluetooth: http://colemancda.github.io/2018/03/25/Hacking-IOBluetooth

IOBluetoothFamily HCI gadgets
Follow the calling sequence below:
1. DispatchHCIRequestCreate
2. DispatchHCIReadLocalName
3. DispatchHCIChangeLocalName
4. DispatchHCI......
5. DispatchHCIRequestDelete

A call stack from "Hacking IOBluetooth" (selected), showing the user-space path from blued through IOBluetooth.framework's sendRawHCIRequest and IOKit's IOConnectCallStructMethod into the kernel:
Thread 0x2f5  DispatchQueue 1  1001 samples (1-1001)  priority 31-46 (base 31)  cputime 0.022
  8 _xpc_connection_call_event_handler + 35 (libxpc.dylib + 44950) [0x7fff96b4bf96]
    4 ??? (blued + 551462) [0x105f63a26]
      4 ??? (blued + 239559) [0x105f177c7]
        4 _NSSetCharValueAndNotify + 260 (Foundation + 448025) [0x7fff82baa619]
          4 -[NSObject(NSKeyValueObservingPrivate) _changeValueForKey:key:key:usingBlock:] + 60 (Foundation + 27629) [0x7fff82b43bed]
            4 -[NSObject(NSKeyValueObservingPrivate) _changeValueForKeys:count:maybeOldValuesDict:usingBlock:] + 944 (Foundation + 1579207) [0x7fff82cbe8c7]
              4 NSKeyValueDidChange + 486 (Foundation + 274052) [0x7fff82b7fe84]
                4 NSKeyValueNotifyObserver + 350 (Foundation + 275949) [0x7fff82b805ed]
                  4 ??? (blued + 112657) [0x105ef8811]
                    1 ??? (blued + 117061) [0x105ef9945]
                      1 -[BroadcomHostController BroadcomHCILEAddAdvancedMatchingRuleWithAddress:address:blob:mask:RSSIThreshold:packetType:matchingCapacity:matchingRemaining:] + 200
                        1 sendRawHCIRequest + 246 (IOBluetooth + 344294) [0x7fff830540e6]
                          1 IOConnectCallStructMethod + 56 (IOKit + 29625) [0x7fff830ab3b9]
                            1 IOConnectCallMethod + 336 (IOKit + 29170) [0x7fff830ab1f2]
                              1 io_connect_method + 375 (IOKit + 531601) [0x7fff83125c91]
                                1 mach_msg_trap + 10 (libsystem_kernel.dylib + 74570) [0x7fff96a1f34a]
                                 *1 hndl_mach_scall64 + 22 (kernel + 638390) [0xffffff800029bdb6]
                                   *1 mach_call_munger64 + 456 (kernel + 2011608) [0xffffff80003eb1d8]
                                     *1 mach_msg_overwrite_trap + 327 (kernel + 919415) [0xffffff80002e0777]
                                       *1 ipc_km
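The five-step sequence above describes a lifetime race on a kernel request object: a dispatch routine looks the request up by handle, and a concurrent RequestDelete (followed by a RequestCreate that recycles the allocation) can pull the object out from under the dispatch before it is used. The C program below is an added illustration of that pattern; it is not IOBluetoothFamily source and not the speaker's PoC. The request pool, the `racer` callback that stands in for the second thread, the generation counter and every function name are constructed for the model; the only facts taken from the page or the Bluetooth Core specification are the HCI opcodes (Change_Local_Name 0x0C13 and Write_Encryption_Mode 0x0C22, the opcode named on the CVE-2020-3905 slide). The interleaving is made explicit and single-threaded so the outcome is deterministic: `dispatch_unsafe` uses a raw pointer across the window and ends up sending a different command under the caller's handle, while `dispatch_safe` pins the object with a reference and defers the delete, which is the general shape of a fix for this bug class (Apple's actual patches are not described on the page).

```c
/*
 * Constructed model of a kernel-object lifetime race in an IOKit user-client
 * style HCI request table.  Not IOBluetoothFamily code: the pool, handles,
 * racer callback and function names are assumptions made for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two slots only, so a freed slot is recycled by the very next create. */
#define POOL_SIZE 2

/* HCI opcodes (OGF << 10 | OCF), from the Bluetooth Core specification. */
#define HCI_CHANGE_LOCAL_NAME     0x0C13
#define HCI_WRITE_ENCRYPTION_MODE 0x0C22   /* the opcode named on the CVE-2020-3905 slide */

typedef struct {
    int      live;            /* slot currently owned by a request */
    int      refs;            /* references held by in-flight dispatches (hardened path only) */
    int      delete_pending;  /* RequestDelete arrived while refs > 0 */
    uint32_t generation;      /* bumped on every free, so a recycled slot is detectable */
    uint16_t opcode;          /* command this request will send to the controller */
} hci_request_t;

typedef struct {
    hci_request_t pool[POOL_SIZE];
} request_table_t;

/* Stand-in for the racing thread: it runs inside the dispatch's preemption window. */
typedef void (*racer_fn)(request_table_t *t);

/* Models DispatchHCIRequestCreate: take the first free slot, return its handle. */
static int request_create(request_table_t *t, uint16_t opcode)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        hci_request_t *r = &t->pool[i];
        if (!r->live) {
            r->live = 1;
            r->refs = 0;
            r->delete_pending = 0;
            r->opcode = opcode;
            return i;
        }
    }
    return -1;
}

static void request_free(hci_request_t *r)
{
    r->live = 0;
    r->delete_pending = 0;
    r->opcode = 0;
    r->generation++;
}

/* Models DispatchHCIRequestDelete: free now unless an in-flight dispatch holds a reference. */
static void request_delete(request_table_t *t, int handle)
{
    hci_request_t *r = &t->pool[handle];
    if (!r->live)
        return;
    if (r->refs > 0)
        r->delete_pending = 1;   /* deferred until the last release */
    else
        request_free(r);
}

static void request_release(hci_request_t *r)
{
    if (--r->refs == 0 && r->delete_pending)
        request_free(r);
}

/* Vulnerable dispatch: raw pointer, no reference, then a window in which another
 * caller runs.  Returns the opcode that actually reaches the controller. */
static int dispatch_unsafe(request_table_t *t, int handle, racer_fn racer)
{
    hci_request_t *r = &t->pool[handle];
    if (!r->live)
        return -1;
    racer(t);           /* RequestDelete frees r, RequestCreate recycles the same slot */
    return r->opcode;   /* stale object: a different command goes out under our handle */
}

/* Hardened dispatch: pin the object with a reference for the whole call. */
static int dispatch_safe(request_table_t *t, int handle, racer_fn racer)
{
    hci_request_t *r = &t->pool[handle];
    if (!r->live || r->delete_pending)
        return -1;
    r->refs++;
    racer(t);           /* the delete is deferred; the new create lands in another slot */
    int opcode = r->opcode;
    request_release(r); /* last reference dropped: the deferred delete runs here */
    return opcode;
}

/* The racing caller: delete handle 0, then immediately create a new request. */
static void racer_delete_then_create(request_table_t *t)
{
    request_delete(t, 0);
    request_create(t, HCI_WRITE_ENCRYPTION_MODE);
}

/* Run one scenario on a fresh table; returns the opcode dispatched for the
 * Change_Local_Name request that the caller believes it is sending. */
static int run_scenario(int hardened, request_table_t *t)
{
    memset(t, 0, sizeof *t);
    int h = request_create(t, HCI_CHANGE_LOCAL_NAME);   /* handle 0 */
    return hardened ? dispatch_safe(t, h, racer_delete_then_create)
                    : dispatch_unsafe(t, h, racer_delete_then_create);
}

int main(void)
{
    request_table_t t;
    printf("unsafe dispatch sent opcode 0x%04X (wanted 0x%04X)\n",
           run_scenario(0, &t), HCI_CHANGE_LOCAL_NAME);
    printf("safe   dispatch sent opcode 0x%04X (wanted 0x%04X)\n",
           run_scenario(1, &t), HCI_CHANGE_LOCAL_NAME);
    return 0;
}
```

In the real driver the window is a genuine multi-threaded race on the kernel object rather than a callback, and a fix also needs the lookup-and-retain step to be atomic with respect to delete (a lock around the table), which the single-threaded model does not have to show; the reference-plus-deferred-delete discipline is the part that carries over.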