Official references:
- ARMv8 Instruction Set Overview (short, kinda outdated at this point)
- ARMv8 Architecture Reference Manual (long)
- ARM A-Profile Exploration tools (same as above, but in machine readable form)
- ARM System Architecture Software Standards (ABIs, extensions, etc.)
- Clang Pointer Authentication ABI
My own doing:
Note on ARM documents:
Both infocenter.arm.com and developer.arm.com are outright nightmares to navigate, and search engines don't help either. But if you have any ARM document as a PDF and want to check for a newer version, there is a neat trick. At the bottom of any page of the PDF, you should have a document identifier like so: That should have the form |
Mach-O
- m4b - Mach-O binaries
- Jonathan Levin - DYLD DetaYLeD
- Jonathan Levin - Code Signing
Sandbox
- Jonathan Levin - The Apple Sandbox (Video and Slides)
- iBSparkes - Breaking Entitlements
- stek29 - Shenanigans, Shenanigans!
- argp - vs com.apple.security.sandbox
IPC
- Apple - Mach (Overview and API documentation (inside the XNU source in
osfmk/man/index.html
)) - nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
- Ian Beer - Apple IPC (Video and Slides)
File Systems
- Apple - APFS Reference
- stek29 - LightweightVolumeManager::_mapForIO
- bxl1989 - Understanding and Attacking Apple File System
Kernel
- Apple - Kernel Programming Guide
- Apple - IOKit Fundamentals (available as Website or PDF)
- Apple - About the Virtual Memory System
- qwertyoruiopz - Attacking XNU (Part One and Two)
- Stefan Esser - Kernel Heap
- stek29 - NVRAM lock/unlock
Kernel Integrity
- xerub - Tick Tock
- Siguza - KTRR
- Jonathan Levin - Casa de PPL
- Brandon Azad - KTRW: The journey to build a debuggable iPhone (Blog Post and Video)
Control Flow Integrity
- Brandon Azad - Examining Pointer Authentication on the iPhone XS
- Qualcomm Product Security - Pointer Authentication on ARMv8.3
- Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
- Roberto Avanzi - Crypto that is Light to Accept
- Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher
Other Mitigations
- Siguza - APRR
- Siguza - PAN
- Sven Peter - SPRR & GXF
Web
Remote Targets
- Natalie Silvanovich - The Fully Remote Attack Surface of the iPhone
Persistence
- littlelailo - Tales of old: untethering iOS 11 (Video and Basic Rundown)
Hardware
- Ramtin Amin - Lightning Connector
- Ramtin Amin - NVMe NAND Storage
- Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)
- Nyan Satan - Apple Lightning
SEP
- Tarjei Mandt, Mathew Solnik, David Wang - Demystifying the Secure Enclave Processor
- David Wang, Chris Wade - SEPOS: A Guided Tour
- windknown - Attack Secure Boot of SEP
Bootloader
- a1exdandy - Technical analysis of the checkm8 exploit
- Jonathan Levin - *OS: iBoot
Memory Safety
- Saar Amar - An Armful of CHERIs
- Saar Amar - Security Analysis of MTE Through Examples (Video and Slides)
- geohot - evasi0n7
- Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
- Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
- Jonathan Levin - Who needs task_for_pid anyway?
- qwertyoruiopz - About the “tpwn” Local Privilege Escalation
- Ian Beer - task_t considered harmful
- jndok - Exploiting Pegasus on OS X
- Siguza - Exploiting Pegasus on iOS
- Ian Beer - mach_portal (write-up and presentation slides)
- Ian Beer - Exception-oriented exploitation on iOS
- Jonathan Levin - Phœnix
- Gal Beniamini - Over The Air (Parts One, Two and Three)
- Siguza - v0rtex
- Ian Beer - async_wake_ios
- Siguza - IOHIDeous
- Jonathan Levin - QiLin (PDF and API)
- Brandon Azad - A fun XNU infoleak
- jeffball - Heap overflow in necp_client_action
- xerub - De Rebus Antiquis
- Ian Beer - multi_path
- Brandon Azad - blanket
- Brandon Azad - voucher_swap
- iBSparkes - MachSwap
- Ian Beer - Splitting atoms in XNU
- Natalie Silvanovich - The Many Possibilities of CVE-2019-8646
- Google Project Zero - A very deep dive into iOS Exploit chains found in the wild
- Ian Beer - Parts One, Two, Three, Four, Five and Implant Teardown
- Samuel Groß - JSC Exploits
- Ned Williamson - SockPuppet
- Samuel Groß - Remote iPhone Exploitation (Parts One, Two and Three)
- Siguza - cuck00
- Justin Sherman - used_sock
- Samuel Groß - Fuzzing ImageIO
- Siguza - Psychic Paper
- Brandon Azad - One Byte to rule them all
- Brandon Azad - The core of Apple is PPL: Breaking the XNU kernel's kernel
- Ian Beer - An iOS zero-click radio proximity exploit odyssey
- Alex Plaskett - Apple macOS 6LowPAN Vulnerability
- Luca Moro - Analysis and exploitation of the iOS kernel vulnerability CVE-2021-1782
- Alex Plaskett - XNU Kernel Memory Disclosure
- Jack Dates - Exploitation of a JavaScriptCore WebAssembly Vulnerability
- Mickey Jin - CVMServer Vulnerability in macOS and iOS
- K³ - Writing an iOS Kernel Exploit from Scratch
- CodeColorist - Mistuned Part 1: Client-side XSS to Calculator and More
- CodeColorist - Mistuned Part 2: Butterfly Effect
- Justin Sherman - CVE-2021-30656 kernel info leak
- Samuel Groß - Attacking JavaScript Engines
- Samuel Groß - Compile Your Own Type Confusions
- Adam Donenfeld - (De)coding an iOS Kernel Vulnerability
- xerub - The Bear in the Arena
- Linus Henze - Fugu14
- Justin Sherman - Popping iOS <=14.7 with IOMFB
- Ian Beer & Samuel Groß - A deep dive into an NSO zero-click iMessage exploit
- Ian Beer & Samuel Groß - FORCEDENTRY: Sandbox Escape
- Ian Beer - CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability
- Ian Beer - CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers
- qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
- Google Project Zero - All the bugs Ian Beer has killed
- Google Project Zero - All the bugs Brandon Azad has killed
- Google Project Zero - All the bugs Ned Williamson has killed
- Google Project Zero - A survey of recent iOS kernel exploits
"Hack Different" is a Discord server about hacking, reverse engineering and development loosely on and around Apple platforms.
It has a relaxed atmosphere and is a great place to hang out and connect with fellow researchers and enthusiasts.