Brandon Azad Profile
Brandon Azad

@_bazad

Followers
15K
Following
0
Media
11
Statuses
37

@bazad@infosec.exchange

Joined April 2018
Don't wanna be here? Send us removal request.
@_bazad
Brandon Azad
3 years
I’m really excited for us to shed light on some really cool work we’ve been doing to harden the XNU allocator! This has been a huge effort by so many people, and I’m very proud of the direction:
Tweet card summary image
security.apple.com
Improving software memory safety is a key security objective for engineering teams across the industry. Here we begin a journey into the XNU kernel at the core of iOS and explore the intricate work...
6
96
394
@_bazad
Brandon Azad
5 years
My teammates at Project Zero have been among the kindest and smartest people I've met, and I've learned so much from them. I'll really miss working alongside everyone on the team. Thank you all for these wonderful experiences, and keep on hacking!.
11
19
333
@_bazad
Brandon Azad
5 years
It's with both bittersweet sadness and excitement that I say goodbye to Project Zero, as I'll be joining Apple next week to continue my work improving Apple device security. My time at Project Zero has been amazing, and it's been an honor to share in this wonderful mission.
117
136
1K
@_bazad
Brandon Azad
5 years
From A13 SecureROM. This isn't a security issue, since this particular bzero is only used to initialize the boot trampoline in SRAM. Even so, Apple appears to have addressed this in iBoot, hence the credit in the iOS 14 release notes. Always worth checking hand-rolled assembly.
Tweet media one
7
81
432
@_bazad
Brandon Azad
5 years
Here are the slides from my BlackHat talk "iOS Kernel PAC, One Year Later", in which I consider how kernel PAC CFI has changed since its introduction in iOS 12 and examine 5 ways to bypass it in iOS 13:
4
176
493
@_bazad
Brandon Azad
5 years
You can find the full PPL bypass at
0
20
68
@_bazad
Brandon Azad
5 years
The core of Apple is PPL: Attacking the XNU kernel's kernel. How to use an out-of-bounds read in PPL (Apple's kernel-within-the-kernel) to get a stale TLB entry for a page, allowing you to bypass PPL and map arbitrary physical addresses accessible at EL0.
Tweet media one
8
178
517
@_bazad
Brandon Azad
5 years
One Byte to Rule Them All: An iOS 13 exploit technique that turns a one-byte kernel heap overflow into an arbitrary physical address mapping primitive, all while avoiding the kernel task port and sidestepping mitigations like PAC, KASLR, and zone_require.
12
255
721
@_bazad
Brandon Azad
5 years
iOS Kernel Pac, One Year Later.
0
16
118
@_bazad
Brandon Azad
5 years
I'm excited to be sharing my latest research on iOS kernel Pointer Authentication at Black Hat USA 2020!. One year ago, I published 5 ways to bypass iOS 12 kernel PAC. This year, we'll take a look at what's changed in iOS 13, once again concluding with 5 new ways to bypass PAC.
7
271
1K
@_bazad
Brandon Azad
5 years
Looks like iOS Pointer Authentication is getting per-process A keys.
Tweet media one
1
41
238
@_bazad
Brandon Azad
5 years
New blog post on how I was able to find the 0-day used in unc0ver just 4 hours after it was released: Key takeaways:.1. Obfuscating an exploit doesn't hide the bugs. 2. Like SockPuppet, this bug could have been identified with simple regression tests.
8
313
931
@_bazad
Brandon Azad
5 years
Thanks to everyone for suggesting exploits missed in my initial survey! I updated the blog post to add an exploit for iOS 12.4.1, swap an exploit for iOS 12.1.2, and clarify the wording of some of the mitigations. Please do reach out with any more suggestions!.
1
7
58
@_bazad
Brandon Azad
5 years
I've compiled a summary of every original public iOS kernel exploit from app context since iOS 10, describing the high-level exploit flow to get stable kernel read/write. The trends of how these exploits have evolved over time are quite interesting:
14
383
1K
@_bazad
Brandon Azad
5 years
KTRW now has proper support for kernel debugging iOS 13. It uses checkra1n to insert an XNU kernel extension into the kernelcache before boot.
Tweet media one
11
98
409
@_bazad
Brandon Azad
5 years
IDA 7.5 improves support for iPhone kernel debugging using KTRW! Breakpoints now work very nicely out of the box. Also, KTRW's iOS 13 support is in the works.
6
95
456
@_bazad
Brandon Azad
5 years
Here are slides and recordings from 36C3 and OBTS. 36C3 slides: video: OBTS slides: day 2 stream: In the OBTS live demo I showed how I used KTRW to discover the oob_timestamp bug.
0
69
216
@_bazad
Brandon Azad
5 years
Unfortunately due to a recent injury I won’t be able to attend @nullcon. I’m hoping to still make it to #OBTS.
33
7
233
@_bazad
Brandon Azad
5 years
I'm excited to be presenting at both @nullcon and #OBTS this March. Come learn how I built KTRW, an iOS kernel debugger for production A11 iPhones, and how I used it to expose attack surface that led to the discovery of the oob_timestamp vulnerability.
4
19
164
@_bazad
Brandon Azad
5 years
For those interested in low-level analysis of Apple's A13 and associated kernel mitigations, here's a version of oob_timestamp with a PAC bypass for iOS 13.3.
15
142
500