@_bazad profile picture
Brandon Azad @_bazad

@bazad@infosec.exchange

Joined April 2018
  • Tweets 37
  • Following 0
  • Followers 14,495
11 Photos and videos
Brandon Azad@_bazad
27 Oct 2022
I’m really excited for us to shed light on some really cool work we’ve been doing to harden the XNU allocator! This has been a huge effort by so many people, and I’m very proud of the direction: security.apple.com/blog/towa…

Towards the next generation of XNU memory safety: kalloc_type - Apple Security Research

Improving software memory safety is a key security objective for engineering teams across the industry. Here we begin a journey into the XNU kernel at the core of iOS and explore the intricate work...

security.apple.com
6
95
393
Brandon Azad@_bazad
2 Oct 2020
It's with both bittersweet sadness and excitement that I say goodbye to Project Zero, as I'll be joining Apple next week to continue my work improving Apple device security. My time at Project Zero has been amazing, and it's been an honor to share in this wonderful mission.
117
132
1,203
Brandon Azad@_bazad
2 Oct 2020
My teammates at Project Zero have been among the kindest and smartest people I've met, and I've learned so much from them. I'll really miss working alongside everyone on the team. Thank you all for these wonderful experiences, and keep on hacking!
11
19
328
Brandon Azad@_bazad
21 Sep 2020
From A13 SecureROM. This isn't a security issue, since this particular bzero is only used to initialize the boot trampoline in SRAM. Even so, Apple appears to have addressed this in iBoot, hence the credit in the iOS 14 release notes. Always worth checking hand-rolled assembly.
6
77
425
Brandon Azad@_bazad
5 Aug 2020
Here are the slides from my BlackHat talk "iOS Kernel PAC, One Year Later", in which I consider how kernel PAC CFI has changed since its introduction in iOS 12 and examine 5 ways to bypass it in iOS 13: bazad.github.io/presentation…

4
173
486
Brandon Azad@_bazad
31 Jul 2020
The core of Apple is PPL: Attacking the XNU kernel's kernel. googleprojectzero.blogspot.c… How to use an out-of-bounds read in PPL (Apple's kernel-within-the-kernel) to get a stale TLB entry for a page, allowing you to bypass PPL and map arbitrary physical addresses accessible at EL0.
8
175
509
Brandon Azad@_bazad
31 Jul 2020
You can find the full PPL bypass at bugs.chromium.org/p/project-…
19
66
Brandon Azad@_bazad
30 Jul 2020
One Byte to Rule Them All: An iOS 13 exploit technique that turns a one-byte kernel heap overflow into an arbitrary physical address mapping primitive, all while avoiding the kernel task port and sidestepping mitigations like PAC, KASLR, and zone_require. googleprojectzero.blogspot.c…

One Byte to rule them all

Posted by Brandon Azad, Project ZeroOne Byte to rule them all, One Byte to type them,One Byte to ...

projectzero.google
12
250
708
Brandon Azad@_bazad
16 Jul 2020
I'm excited to be sharing my latest research on iOS kernel Pointer Authentication at Black Hat USA 2020! One year ago, I published 5 ways to bypass iOS 12 kernel PAC. This year, we'll take a look at what's changed in iOS 13, once again concluding with 5 new ways to bypass PAC.
0:05
7
265
1,062
Brandon Azad@_bazad
16 Jul 2020
iOS Kernel Pac, One Year Later blackhat.com/us-20/briefings…
16
116
Brandon Azad@_bazad
10 Jul 2020
Looks like iOS Pointer Authentication is getting per-process A keys.
1
41
235
Brandon Azad@_bazad
9 Jul 2020
New blog post on how I was able to find the 0-day used in unc0ver just 4 hours after it was released: googleprojectzero.blogspot.c… Key takeaways: 1. Obfuscating an exploit doesn't hide the bugs. 2. Like SockPuppet, this bug could have been identified with simple regression tests.

How to unc0ver a 0-day in 4 hours or less

By Brandon Azad, Project ZeroAt 3 PM PDT on May 23, 2020, the unc0ver jailbreak was released for ...

projectzero.google
8
307
919
Brandon Azad@_bazad
11 Jun 2020
I've compiled a summary of every original public iOS kernel exploit from app context since iOS 10, describing the high-level exploit flow to get stable kernel read/write. The trends of how these exploits have evolved over time are quite interesting: googleprojectzero.blogspot.c…

A survey of recent iOS kernel exploits

Posted by Brandon Azad, Project ZeroI recently found myself wishing for a single online reference...

projectzero.google
14
376
1,025
Brandon Azad@_bazad
19 Jun 2020
Thanks to everyone for suggesting exploits missed in my initial survey! I updated the blog post to add an exploit for iOS 12.4.1, swap an exploit for iOS 12.1.2, and clarify the wording of some of the mitigations. Please do reach out with any more suggestions!
1
6
56
Brandon Azad@_bazad
9 Jun 2020
KTRW now has proper support for kernel debugging iOS 13. It uses checkra1n to insert an XNU kernel extension into the kernelcache before boot.
11
97
400
Brandon Azad@_bazad
20 May 2020
IDA 7.5 improves support for iPhone kernel debugging using KTRW! Breakpoints now work very nicely out of the box. Also, KTRW's iOS 13 support is in the works.
2:17
6
95
449
Brandon Azad@_bazad
14 Mar 2020
Here are slides and recordings from 36C3 and OBTS. 36C3 slides: bazad.github.io/presentation… video: media.ccc.de/v/36c3-10806-kt… OBTS slides: bazad.github.io/presentation… day 2 stream: youtube.com/watch?v=ZDJsag2Z… In the OBTS live demo I showed how I used KTRW to discover the oob_timestamp bug.
67
212
Brandon Azad@_bazad
27 Feb 2020
Unfortunately due to a recent injury I won’t be able to attend @nullcon. I’m hoping to still make it to #OBTS.
33
7
228
Brandon Azad@_bazad
25 Feb 2020
I'm excited to be presenting at both @nullcon and #OBTS this March. Come learn how I built KTRW, an iOS kernel debugger for production A11 iPhones, and how I used it to expose attack surface that led to the discovery of the oob_timestamp vulnerability.
4
19
162
Brandon Azad@_bazad
24 Feb 2020
For those interested in low-level analysis of Apple's A13 and associated kernel mitigations, here's a version of oob_timestamp with a PAC bypass for iOS 13.3. bugs.chromium.org/p/project-…

15
139
492
Load more