*OS Internals::Volume III - Security & Insecurity
Table of Contents
Part I: Defensive Techniques and Technologies
The missing documentation for Apple's proprietary security mechanisms
- About This Book
- Authentication
- Password files (*OS)
- SetUID and SetGID (MacOS)
- The Pluggable Authentication Module (MacOS)
- opendirectoryd (MacOS)
- LocalAuthentication.framework
- Apple IDs
- External Accounts
- Auditing (MacOS)
- Design
- Audit Sessions
- Implementation
- System Call Interface
- OpenBSM APIs
- Auditing Considerations
- Authorization - KAuth
- Design
- Implementation
- Credentials and Labels
- KAuth Identity Resolvers (MacOS)
- Debugging KAuth
- MACF - The Mandatory Access Control Framework
- Background
- MACF Policies
- MACF Callouts
- MACF System Calls
- Code Signing
- The Code Signature Format
- Code Signature Requirements
- Code Signature Enforcement
- Code Signing Weaknesses
- Code Signing APIs
- authd and GateKeeper (MacOS)
- authd
- GateKeeper
- libquarantine
- Quarantine.kext
- Quarantine in Action
- AppleMobileFileIntegrity (MacOS 10.10+, iOS)
- AppleMobileFileIntegrity.kext
- amfid
- Provisioning Profiles
- SIP Integration (MacOS)
- AMFI Trust Cache
- AMFI UserClient
- Sandboxing
- Evolution of the Sandbox
- App Sandbox (MacOS)
- Mobile Containers (*OS)
- Sandbox Profiles
- User Mode APIs
- mac_syscall
- Sandbox.kext
- sandboxd (MacOS)
- ContainerManagerd (*OS)
- System Integrity Protection (MacOS 10.11+)
- Design
- Implementation
- APIs
- Privacy
- Transparency, Consent and Control
- Unique Device Identifiers
- Differential Privacy (MacOS 12/iOS 10)
- Encryption
- Partition Level Encryption (MacOS)
- File Level Encryption (*OS)
- Keychains, keybags and more
- The secure boot chain (iOS)
- Obliteration (*OS)
Part II: Vulnerabilities and Exploitation
A detailed exploration of both the bugs and their exploits
- MacOS: Classic vulnerabilities in 10.10.x and 10.11.x
- 10.10.1: ntpd
- 10.10.2: rootpipe
- 10.10.3: Racing kextd
- 10.10.4: DYLD_PRINT_TO_FILE
- 10.10.5: DYLD_ROOT_PATH (muymacho)
- 10.11.0: tpwn
- 10.11.3: Mach race
- 10.11.4: Lokihardt's Trifecta (pwn2own 2016)
- iOS: Jailbreaking
- The Jailbreaking Process
- Kernel Patches
- Kernel Patch Protection
- Evolution of iOS Jailbreaks
- iOS Malware
- evasi0n (6.x)
- The Loader
- The Untether
- Kernel Mode Exploits
- Apple Fixes
- evasi0n 7 (7.0.x)
- The Loader
- The Untether
- Kernel Mode Exploits
- Apple Fixes
- Pangu Axe (7.1.x)
- The Loader
- The Jailbreak Payload
- The Untether
- Kernel Mode Exploits
- Apple Fixes
- XuanYuan Sword (8.0-8.1)
- The Loader
- User Mode Exploits
- The Untether
- Apple Fixes
- TaiG (8.0-8.1.2)
- The Loader
- User Mode Exploits
- The Untether
- Kernel Mode Exploits
- Apple Fixes
- TaiG (8.1.3-8.4)
- The Loader
- User Mode Exploits
- The Untether
- Kernel Mode Exploits
- Apple Fixes
- Pangu 9 (9.0.x) and 9.1
- The Loader
- The Jailbreak Payload
- Kernel Mode Exploit
- Code Signing Bypass
- The Untether
- Pangu 9.1
- Apple Fixes
- Pangu 9.3 (9.2-9.3.3)
- Pegasus (9.0.1-9.3.4)
- Exploit Flow
- Kernel Memory Read and KASLR Bypass
- Kernel Arbitrary Memory Write
- Persistence
- mach_portal (10.1.1)
- Exploit Flow
- Mach port name urefs handling
- Crashing powerd
- XNU UaF in set_dp_control_port
- Disabling Protections
- Apple Fixes
- Yalu (10.0-10.2)
- Primitives
- KPP Bypass
- Mach Voucher Bug (10.2)
Appendix: MacOS Hardening Guide