Mach ports are one of the most fundamental parts of the XNU kernel. This talk takes a deep-dive into how the user and kernel mach port APIs work, the implicit security guarantees they make and how to leverage those guarantees to build logical exploit primitives. I will discuss the discovery and exploitation of multiple sandbox escape and kernel bugs on iOS.
We take a look at the general process of patch analysis. We walk through each step, from downloading the patch to a weaponized exploit. For the case study, we perform the analysis for the CVE-2016-0189 (vbscript.dll) and jscript9.dll security bugs fixed in MS16-063 for Internet Explorer 11, the Edge/chakra.dll bugs (CVE-2016-7200 & CVE-2016-7201), the win32k kernel bug fixed in MS16-106, as well as new bugs discovered in the latest March update.
We also talk about ways to bypass mitigation such as CFG and RFG.
Attacking Antivirus Software's Kernel Driver
The training courses of Zer0Con focus on bug hunting and exploitation.
Registration will be closed on March 20.
If you want to run your training course, send us an email with the following:
- Self introduction, Abstract, Curriculum, ETC.
- poc.zer0con@gmail.com (PGP public key)
- If you want to run your training course before Training Course in Seoul, Korea, contact us.
Registration will be closed on March 31.
Zer0Con registration is a four-step process:
∙ first, you register here,
∙ then we check whether you are eligible,
∙ then you receive a link to pay,
∙ and finally, once you pay, we send you your ticket.
You should bring your ticket to get your badge.
Tickets are limited to the first 100 people.
- ADDRESS: 70, Baumoe-ro 12-gil, Seocho-gu, Seoul, Korea
- TEL: +82-2-571-8100
- WEB: http://thek-hotel.co.kr/e_seoul/main.asp
If you have any questions, contact us.
* We recommend using our PGP key (PGP KEY).
We are also looking for sponsors. There are several benefits for sponsors, so please feel free to contact us.
Organizer & Sponsor
Copyright(c) Zer0Con All rights reserved.