As a user I like my device being safe from outside attackers (NSO & co).
But I definitely do not want my device to be protected against me. It’s absurd that I have to use the methods of an attacker to gain modification privileges on a device I own.
So I'd say the odds of them loosening their grip here are pretty slim.
"Started macOS/iOS security from the second half of 2019"[!]
Not only does he perform a rather well polished dance but he writes it up in an entertaining and well presented way. I suspect English is a second language too, which makes the whole thing even more impressive.
Just to reiterate: he waltzes around a key aspect of the security in iOS 14 - that is disturbing to me. If he can do that, what do you think a well funded nation state bunch of noddies gets up to?
The seL4 kernel is different because it has actually been "proved correct" and "proved secure" according to the authors.
- Result: run unauthorized code on iOS 14
- 14 is the most secure toy phone OS to date, with kernel heap hardening, data PAC, userspace PAC hardening, tfp0 hardening, ipc_kmsg hardening
- Exploit took advantage of multiple bugs, concentrating on PAC (Pointer Authentication Code, cryptographic signature on the pointer value, designed to resist memory disclosure attacks, for more context see [1])
- Multiple steps and dependencies, chaining vulnerabilities and exploits
- Code on https://github.com/pattern-f
I really commend Zuozhi Fan (@pattern_F_) for publishing the code with the report.
Additional resources:
[1] https://googleprojectzero.blogspot.com/2019/02/examining-poi...
As the owner of my device though, I would say the result is that it lets me run authorized code because I am the authority, not Apple.
By jailbreaking, I am asserting my legal authority as the owner.
If you root your phone and disable its ability to spy on you then that’s obviously against the desired effect. The whole point of the hash scanning is that, you, the user, cannot disable it.
Meaning there would probably be laws to force us not to tamper with that functionality.
Similar to how printer manufacturers have to look for “the yellow dots” on bank notes and refuse to print/scan.
The presentations get published.
Isn't this totally normal?
I mean, sure it'd be totally blackhat to publish a brand new pdf exploit this way, but blackhat as a conference went way beyond those roots a long time ago.
On the one hand, you'd think anyone technologically savvy wouldn't do that.
On the other hand, accidentally clicking on links in PDFs is the bane of my existence. I constantly consume academic books and papers as PDFs on my iPad in the built-in Books app, tap somewhere with my Apple Pencil for any number of reasons (to pan, to zoom, to highlight), and bam, I'm transported hundreds of pages away with no back button.
If I could ask for any PDF reader feature, it would be to improve link handling. If it's an internal link, for the love of god include a back button. And if it's an external link for a web browser, for the love of god require a confirmation dialog first. I should never be led to a malware URL because of an accidental click.
My guess is that my brain has subconsciously tuned out engaging PDF content because of how difficult it is to use in-browser... Especially when dealing with text sizes and zooming, sigh. It's even worse with PDFs on mobile :(
Also the sudden break from "website" to "pdf" format is often jarring.