Conversation

@bryanjclark the writeups on those exploits are fascinating. Like the one that devised an entire hardware architecture on top of a tiny image operator exploit, and they built a compiler to write code for it


@bryanjclark I believe it’s a combination of:

1. Image containers offer a lot of places to hide bits here and there. Had a buddy get into steganography back in the early 2000s.
2. Images are one of the few files that iOS will download and parse when it’s pushed to you, so they can put them in notifications and such.


@bryanjclark this one, god I am glad I was not misremembering it. As I replied to you I was thinking “did I hallucinate that? Sounds like science fiction”

It’s not:

https://en.m.wikipedia.org/wiki/FORCEDENTRY

@bryanjclark This is such a fascinating exploit if it uses server-based PassKit push updates to deliver compromised payloads that don't get handled by BlastDoor until it's too late. I would imagine the problem is that images require a non-finite amount of space after decompression but that some cleverly compressed regions can exhaust the amount of memory allocated and allow you to traipse over old dylib code that executes at a higher privilege level. My understanding is that BlastDoor prevents this for most data that comes in from iMessage, but probably older codepaths are still vulnerable (I'm guessing Lockdown Mode just nixes all features that don't route initially through BlastDoor).

@bryanjclark Wasn't there a whole out-of-process architecture thing a few releases ago that was supposed to eradicate this vector altogether?

https://9to5mac.com/2021/01/28/apple-adopts-new-blastdoor-security-system-on-ios-14-to-reinforce-imessage-integrity/

@nsfmc @bryanjclark Overwriting code would invalidate its code signature

@bryanjclark followup

“Fix OOB write in BuildHuffmanTable”… “The patch suggests that it was possible to overflow the Huffman table when decoding an untrusted image…”

https://blog.isosceles.com/the-webp-0day/

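The patch note quoted above describes an overflow of a Huffman decode table built from attacker-controlled code lengths. As an added, defender-side illustration (not code from the thread, from the isosceles writeup, or from libwebp), here is a minimal canonical Huffman table builder that validates the untrusted code lengths with the Kraft inequality before any table write is attempted, and bounds-checks the replication loop. The table layout, function names and the rule that a code must be complete are assumptions for this example; real decoders also accept a degenerate single-symbol code, which this one does not.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_CODE_LEN 15
typedef struct { uint8_t bits; uint16_t value; } HuffEntry;

/* Kraft check on untrusted code lengths: sum of 2^-len must be exactly 1.
   A sum above 1 means more codes than a table of that depth can hold, which is
   the precondition for writing past the end of the table. (Assumed rule: a
   complete code is required; the single-symbol special case is not modelled.) */
static int kraft_complete(const uint8_t *lens, size_t n) {
    uint32_t space = 1u << MAX_CODE_LEN, used = 0;  /* in units of 2^-15 */
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > MAX_CODE_LEN) return 0;
        if (lens[i]) used += 1u << (MAX_CODE_LEN - lens[i]);
        if (used > space) return 0;                  /* oversubscribed */
    }
    return used == space;
}

/* Reverse the low `len` bits of c: lookup tables are indexed LSB-first. */
static uint32_t reverse_bits(uint32_t c, int len) {
    uint32_t r = 0;
    for (int i = 0; i < len; i++) r = (r << 1) | ((c >> i) & 1);
    return r;
}

/* Fill a flat table of table_len == 2^root_bits entries from canonical code
   lengths. Returns entries written (== table_len for a valid code) or -1. */
int build_huffman_table(HuffEntry *table, size_t table_len, int root_bits,
                        const uint8_t *lens, size_t n) {
    if (root_bits < 1 || root_bits > MAX_CODE_LEN || table_len != ((size_t)1 << root_bits)) return -1;
    if (!kraft_complete(lens, n)) return -1;        /* validate before any write */
    uint16_t count[MAX_CODE_LEN + 1] = {0}, next_code[MAX_CODE_LEN + 1] = {0};
    for (size_t i = 0; i < n; i++) if (lens[i]) count[lens[i]]++;
    for (int l = 1, code = 0; l <= MAX_CODE_LEN; l++) {  /* canonical first codes */
        code = (code + count[l - 1]) << 1;
        next_code[l] = (uint16_t)code;
    }
    int written = 0;
    for (size_t sym = 0; sym < n; sym++) {
        int len = lens[sym];
        if (len == 0) continue;
        if (len > root_bits) return -1;             /* second-level tables out of scope */
        uint32_t idx = reverse_bits(next_code[len]++, len);
        for (; idx < table_len; idx += 1u << len) { /* replicate, bounded by table_len */
            table[idx].bits = (uint8_t)len; table[idx].value = (uint16_t)sym; written++;
        }
    }
    return written;
}
```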
@bryanjclark yes!! top notch branding!