Exploiting IOSurface 0
Liang Chen@Pangu Team
Agenda
• IOSurface overview
• IOSurface 0 and exploitation techniques
• New mitigations overview (for late iOS 12 and iOS 13)
• Conclusion
IOSurface Overview
• An IOSurface object represents a userland buffer that is shared with the kernel.
• Fundamental framework for both iOS and macOS
• Userland processes can create IOSurfaces, even from within the container/WebContent sandbox
IOSurface Creation
• IOSurfaceRootUserClient methods 0, 6 and 7:
• IOSurfaceRootUserClient::s_create_surface
• IOSurfaceRootUserClient::s_create_surface_fast_path
• IOSurfaceRootUserClient::s_create_surface_client_mem
• IOSurfaceRootUserClient::s_create_surface requires the user to provide a dictionary containing the key parameters of the IOSurface
• IOSurfaceRootUserClient::s_create_surface_fast_path and IOSurfaceRootUserClient::s_create_surface_client_mem are simplified versions of IOSurfaceRootUserClient::s_create_surface
• In all cases, IOSurfaceRoot::createSurface is reached to create the IOSurface object
IOSurface Creation
• Question: where is the created IOSurface stored?
• In the IOSurfaceRootUserClient: yes
• But not every IOSurface is created by a userland IOSurfaceRootUserClient
• An IOSurface can also be looked up by other IOSurfaceRootUserClient objects
• So it needs to be stored globally
• Stored in the IOCoreSurfaceRoot object
• A global array with a bitmap, managed by the IOCoreSurfaceRoot object
• Expanded when more IOSurfaces are created
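The userland side of the creation and lookup paths described on these slides, as an added example that is not part of the original talk: it builds the property dictionary that s_create_surface expects, creates the surface through the public IOSurface.framework API, then resolves the resulting surface ID back to the object, which is the lookup that forces the kernel to keep surfaces in a global table. The width/height/pixel-format values are constructed for the example; it assumes a macOS build with `clang -fobjc-arc -framework Foundation -framework IOSurface`.

```objective-c
// Added example (not from the slides): create an IOSurface from userland and
// look it up again by ID, exercising the paths discussed above.
#import <Foundation/Foundation.h>
#import <IOSurface/IOSurface.h>

int main(void) {
    @autoreleasepool {
        // Key parameters of the surface; the kernel derives the allocation
        // size from these (constructed sample values).
        NSDictionary *props = @{
            (id)kIOSurfaceWidth:           @64,
            (id)kIOSurfaceHeight:          @64,
            (id)kIOSurfaceBytesPerElement: @4,
            (id)kIOSurfacePixelFormat:     @(0x42475241), // 'BGRA'
        };

        // IOSurfaceCreate sends this dictionary to the user client; in the
        // kernel the request ends up in IOSurfaceRoot::createSurface.
        IOSurfaceRef surface = IOSurfaceCreate((__bridge CFDictionaryRef)props);
        if (surface == NULL) {
            fprintf(stderr, "IOSurfaceCreate failed\n");
            return 1;
        }

        // The ID is a global handle, not something private to this client.
        IOSurfaceID sid = IOSurfaceGetID(surface);
        printf("created surface id=%u %zux%zu alloc=%zu bytes\n", sid,
               IOSurfaceGetWidth(surface), IOSurfaceGetHeight(surface),
               IOSurfaceGetAllocSize(surface));

        // Resolving the ID is the lookup the slides mention; the kernel
        // answers it from the IOCoreSurfaceRoot table, so any client that
        // knows the ID can obtain a reference to the same surface.
        IOSurfaceRef again = IOSurfaceLookup(sid);
        printf("lookup of id %u -> %s\n", sid,
               (again != NULL && IOSurfaceGetID(again) == sid) ? "same surface" : "failed");

        // Touch the shared buffer once: the same pages are mapped by the kernel.
        if (IOSurfaceLock(surface, 0, NULL) == 0) {
            memset(IOSurfaceGetBaseAddress(surface), 0, IOSurfaceGetAllocSize(surface));
            IOSurfaceUnlock(surface, 0, NULL);
        }

        if (again) CFRelease(again);
        CFRelease(surface);
    }
    return 0;
}
```

Running it inside a sandboxed process shows the same behaviour, which is the point of the overview: this kernel attack surface is reachable without any entitlement beyond what the container sandbox already grants.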