iOS Kernel Heap Armageddon presented at SysCan 2012

by Stefan Esser

Tags: iOS Heap Overflows

Summary: "This talk starts by giving the audience an overview of the different kernel heap allocators and what they are used for.
The talk will discuss how these allocators are related to each other, which contain exploitable metadata and which do not. Previous work, attacks on the zone allocator's freelist, will be briefly described, and attacking other metadata will be discussed.
The relative position of kernel zones, and of memory allocated by different allocators, will be analyzed to answer the question of whether a buffer overflow in memory of one kernel zone can overflow data in another kernel zone, or whether overflowing memory of one allocator can overflow into another allocator.
The memory layout of C++ kernel objects used by IOKit drivers will be explained, and it will be discussed how overwriting them can result in code execution. This talk will also cover which portions of the kernel heap/memory are just readable and writable and which are also executable.
Then a more generic technique will be introduced that allows one to control the iOS kernel heap layout (heap spraying, heap feng shui) and at the same time to fill the kernel heap with application data, like C++ kernel objects, that when overwritten lead to code execution."
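The abstract's central claim, that an overflow out of one fixed-size zone element can land on the vtable pointer of an adjacent C++ object and redirect its next virtual call, is illustrated below. This is an added, hypothetical user-space simulation written for this page, not code from the talk, from iOS, or from IOKit: `zone` stands in for a zone of 32-byte elements with no inline metadata between them, `obj_t` for an OSObject-style instance whose first word is its vtable pointer, and `copy_unchecked` for a driver routine that copies a client-supplied length into an element. The hardened variant `copy_checked` shows the bounds check that stops the overwrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a C++ object whose first word is the vtable
 * pointer (the layout used by vtable-based C++ objects such as OSObject
 * subclasses). Not Apple code. */
typedef struct obj obj_t;
typedef struct { int (*get_value)(const obj_t *); } vtable_t;
struct obj { const vtable_t *vt; int value; };

static int legit_get(const obj_t *o) { return o->value; }
static int hijacked_get(const obj_t *o) { (void)o; return 0xdead; }

static const vtable_t legit_vt = { legit_get };
static const vtable_t attacker_vt = { hijacked_get };  /* attacker-controlled table */

/* Simulated zone: element size 32, two adjacent elements, no metadata between
 * them, which is what makes an overflow from element 0 reach element 1. */
#define ELEM 32
_Static_assert(ELEM % sizeof(obj_t) == 0, "element size must hold whole objects");
static union {
    uint8_t bytes[2 * ELEM];
    obj_t objs[2 * ELEM / sizeof(obj_t)];
} zone;

/* Buggy driver-style copy: trusts the caller's length. */
static void copy_unchecked(uint8_t *elem, const uint8_t *src, size_t len) {
    memcpy(elem, src, len);
}

/* Hardened copy: rejects anything larger than one element.
 * Returns 0 on success, -1 if rejected. */
static int copy_checked(uint8_t *elem, const uint8_t *src, size_t len) {
    if (len > ELEM) return -1;
    memcpy(elem, src, len);
    return 0;
}

/* Element 0 is the buffer being written, element 1 is the live object.
 * The payload is ELEM bytes of filler followed by the bytes of a pointer to
 * attacker_vt, which is exactly what lands on victim->vt if the copy runs
 * ELEM + sizeof(void *) bytes. Returns the result of the virtual call, or -1
 * if the hardened copy refused the write. */
static int scenario(size_t len, int checked) {
    uint8_t payload[ELEM + sizeof(void *)];
    const vtable_t *fake = &attacker_vt;
    memset(payload, 'A', ELEM);
    memcpy(payload + ELEM, &fake, sizeof fake);

    memset(&zone, 0, sizeof zone);
    obj_t *victim = &zone.objs[ELEM / sizeof(obj_t)];  /* starts at byte offset ELEM */
    victim->vt = &legit_vt;
    victim->value = 42;

    if (checked) {
        if (copy_checked(zone.bytes, payload, len) < 0) return -1;
    } else {
        copy_unchecked(zone.bytes, payload, len);
    }
    /* Virtual dispatch through whatever now sits in the first word of victim. */
    return victim->vt->get_value(victim);
}

int demo_in_bounds(void) { return scenario(ELEM, 0); }                   /* 42: object untouched */
int demo_overflow(void)  { return scenario(ELEM + sizeof(void *), 0); }  /* 0xdead: vtable clobbered */
int demo_hardened(void)  { return scenario(ELEM + sizeof(void *), 1); }  /* -1: write rejected */

int main(void) {
    printf("in bounds: %d\n", demo_in_bounds());
    printf("overflow : 0x%x\n", demo_overflow());
    printf("hardened : %d\n", demo_hardened());
    return 0;
}
```

The simulation uses a static arena rather than malloc precisely because adjacency is the property under discussion: a general-purpose allocator gives no such guarantee, whereas same-sized elements of one zone do sit back to back. In the real kernel the redirected call would reach attacker-chosen code rather than `hijacked_get`, which is the code-execution outcome the abstract refers to.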