Ian Beer (Google Project Zero) is one of the most influential iOS security researchers. His work has shaped how the community understands and exploits the iOS kernel. Each exploit comes with a detailed write-up – these are the best learning materials available.


Why Ian Beer Matters

  • Pioneered many exploitation techniques the community still uses today
  • Excellent write-ups – clearly explain each step, great for learning
  • mach_portal (2016) and async_wake (2017) were the foundation for unc0ver and many jailbreaks
  • AWDL exploit (2020) demonstrated a zero-click wormable attack over Wi-Fi
  • In-the-wild analysis (2019) analyzed 5 real exploit chains from targeted attacks

Exploits in Chronological Order

1. mach_portal (December 2016) – iOS 10.1.1

  CVE:        CVE-2016-7644, CVE-2016-7661, CVE-2016-7637
  Target:     iOS 10.1.1
  Technique:  Mach port replacement + kernel UAF
  Result:     tfp0 (kernel task port)

Chain:
  1. CVE-2016-7637: Mach port name replacement vulnerability
     → Replace port name in transit → type confusion
  2. CVE-2016-7644: set_dp_control_port kernel UAF
     → Dangling port reference in kernel
  3. CVE-2016-7661: Sandbox escape via powerd
     → Escape sandbox to reach kernel attack surface

Exploit flow:
  Sandbox escape → trigger kernel UAF
    → Reallocate freed port with controlled data
    → Fake port pointing to kernel task
    → tfp0 achieved

Historical significance:

  • First to demonstrate Mach port UAF → fake task port technique
  • This technique became standard in iOS exploitation for 4 years
  • Source code published → community built jailbreaks on it (Yalu)

2. async_wake (December 2017) – iOS 11.1.2

  CVE:        CVE-2017-13861
  Target:     iOS 11.1.2, all devices
  Component:  IOSurfaceRootUserClient
  Technique:  IOSurface UAF → fake task port → tfp0
  Write-up:   Includes a PoC local kernel debugger

Vulnerability:
  IOSurfaceRootUserClient external method
  → s_set_surface_notify: sets a notification port on an IOSurface
  → Bug: port reference count off by one
  → Port freed but still referenced → UAF

Exploitation:
  1. Allocate mach port
  2. Call s_set_surface_notify → kernel stores extra reference
  3. Deallocate port (bug: refcount goes to 0 → freed)
  4. Port memory freed but IOSurface still holds pointer
  5. Heap spray: send OOL port descriptors same size as ipc_port
     → Freed port memory reallocated with controlled data
  6. Trigger IOSurface notification → kernel uses fake port
  7. Fake port configured as IKOT_TASK → points to fake task
  8. Fake task's map = kernel_map
  9. mach_vm_read_overwrite / mach_vm_write → kernel r/w

Key technique introduced: OOL port descriptor spray for port replacement. Became the standard pattern.

3. In-the-Wild iOS Exploit Chains Analysis (August 2019)

  Published:  August 29, 2019
  Content:    Analysis of 14 vulnerabilities in 5 exploit chains
  iOS range:  iOS 10 through 12
  Source:     Captured from watering hole attacks (real targets)

5 chains analyzed:
  Chain 1: iOS 10.0-10.3.3
  Chain 2: iOS 10.3-10.3.3
  Chain 3: iOS 11.0-11.4.1
  Chain 4: iOS 12.0-12.1
  Chain 5: iOS 12.0-12.1.2

Each chain includes:
  WebKit exploit → Sandbox escape → Kernel exploit → Implant

Why this matters:

  • First public detailed analysis of real-world iOS exploit chains
  • Shows the sophistication level of nation-state attackers
  • 5 chains cover 2 years – the attacker maintained exploits across iOS updates
  • Each vulnerability is explained with root cause + exploitation technique
  • Perfect learning material – real bugs, real exploitation, real impact

4. oob_timestamp (CVE-2020-3837) – Analyzed by Brandon Azad

  CVE:        CVE-2020-3837
  Target:     iOS 13.3
  Component:  XNU vm_map_copy
  Technique:  One-byte OOB write → change vm_map_copy type → physical memory mapping

Vulnerability:
  One-byte out-of-bounds write
  → Overwrites type field of vm_map_copy_t structure
  → Changes type from KERNEL_BUFFER (3) to ENTRY_LIST (1)
  → iOS is little-endian, so overwriting the lowest byte of the type field is enough to change the type

Exploitation:
  1. Trigger one-byte OOB write
  2. Overwrite vm_map_copy type field: KERNEL_BUFFER → ENTRY_LIST
  3. Inline data (attacker-controlled) now treated as vm_map_entry pointers
     → vm_map_copyout_internal() walks the fake entry list
     → Calls pmap_enter_options() for each fake entry
  4. → Maps arbitrary physical pages into userspace
  5. Escalate to physical memory mapping → full physical read/write

Key insight: vm_map_copy is a UNION-like structure
  Type 1: entries[] = linked list of VM entries
  Type 3: kdata = pointer to kernel buffer + size (inline data)
  → Change type 3→1 = inline data reinterpreted as entry list = type confusion

Lesson: “One byte is enough” – even a 1-byte OOB write, if it targets the right structure, can escalate to full physical read/write (physrw).

5. AWDL Wormable Wi-Fi Exploit (December 2020)

  CVE:               CVE-2020-3843 (+ 2 additional radio proximity 0-days)
  Target:            iOS 13.x (all iPhones within Wi-Fi range)
  Component:         AWDL (Apple Wireless Direct Link) protocol
  Type:              Zero-click, wormable, radio proximity
  Development time:  6 months (solo)

Attack vector:
  AWDL = peer-to-peer Wi-Fi protocol (AirDrop, Sidecar, ...)
  → Always on, always listening for AWDL frames
  → No user interaction needed: just be in Wi-Fi range
  → WORMABLE: a compromised device can attack nearby devices

Vulnerability:
  Buffer overflow in AWDL frame parsing:
  1. Send crafted AWDL action frames via Wi-Fi
  2. Target's AWDL stack parses frame → buffer overflow
  3. Overflow in kernel (AWDL runs in kernel space)
  → Kernel code execution from Wi-Fi proximity

  Total time from first frame to compromise: ~2 minutes
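The bug class behind the AWDL entry above, as an added model rather than Apple's IO80211 code: a kernel parser copying a TLV value from a radio frame into a fixed-size per-peer structure. AWDL TLVs do use a 1-byte type and a 2-byte little-endian length; the type number 0x14, the 4-address destination buffer and the "list of 6-byte MAC addresses" payload are assumptions of this model, and the sample frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a kernel AWDL TLV parser (added illustration, not Apple's
 * code). The type value, buffer size and payload shape are assumptions. */
#define TLV_ADDR_LIST   0x14        /* assumed type value for this model */
#define MAX_ADDRS       4
#define ADDR_LEN        6

struct peer_state { uint8_t addrs[MAX_ADDRS * ADDR_LEN]; size_t addrs_len; };

/* Parses TLVs from a frame body. Returns the number of TLVs consumed, or -1.
 * Check (a) bounds the value against the frame; check (b) bounds it against
 * the destination. A parser that trusts the wire length and omits (b) is
 * what the page describes: a kernel buffer overflow triggered by one frame. */
int parse_awdl_tlvs(const uint8_t *buf, size_t len, struct peer_state *st) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 3) return -1;                       /* truncated header */
        uint8_t type = buf[off];
        uint16_t tlen = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
        off += 3;
        if (tlen > len - off) return -1;                    /* (a) frame bound */
        if (type == TLV_ADDR_LIST) {
            if (tlen > sizeof st->addrs || tlen % ADDR_LEN) return -1;   /* (b) dest bound */
            memcpy(st->addrs, buf + off, tlen);
            st->addrs_len = tlen;
        }
        off += tlen;
        count++;
    }
    return count;
}

/* Constructed frames: two addresses (accepted), a 60-byte list that fits the
 * frame but not the buffer (caught by b), and a length larger than the frame (a). */
static const uint8_t frame_ok[] = { 0x14, 12, 0, 1,2,3,4,5,6, 7,8,9,10,11,12 };
static const uint8_t frame_too_big[3 + 60] = { 0x14, 60, 0 };
static const uint8_t frame_truncated[] = { 0x14, 0xff, 0x00, 1, 2, 3 };

int check_ok(void)        { struct peer_state s = {0}; return parse_awdl_tlvs(frame_ok, sizeof frame_ok, &s) == 1 && s.addrs_len == 12; }
int check_too_big(void)   { struct peer_state s = {0}; return parse_awdl_tlvs(frame_too_big, sizeof frame_too_big, &s) == -1; }
int check_truncated(void) { struct peer_state s = {0}; return parse_awdl_tlvs(frame_truncated, sizeof frame_truncated, &s) == -1; }
```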

Why this is the scariest exploit:

  • Zero-click: victim does not need to do anything
  • No app needed: victim does not need to install an app or click a link
  • Radio proximity: just needs to be nearby (Wi-Fi range ~100m)
  • Wormable: a compromised device automatically attacks other nearby devices
  • Kernel-level: AWDL stack runs in kernel – instant kernel code execution

Common Techniques of Ian Beer

Fake Task Port Pattern

Popularized and refined by Beer across multiple exploits:

1. Trigger kernel vulnerability → get dangling/corrupted port reference
2. Heap spray OOL port descriptors → replace freed port memory
3. Fake port structure:
   ip_object.io_bits = IO_BITS_ACTIVE | IKOT_TASK
   kdata.task = address of fake task structure
4. Fake task structure:
   map = kernel_map address
5. mach_vm_read(fake_port, kaddr, size) → reads kernel memory
6. mach_vm_write(fake_port, kaddr, data, size) → writes kernel memory

Evolved over:
  mach_portal (2016) → async_wake (2017) → various (2018-2019)
Killed by:
  zone_require (iOS 14) + PAC (iOS 12+ arm64e)
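Why zone_require ends the fake task port pattern described here and in the async_wake steps above, as an added model that is not XNU code: before a pointer is treated as an ipc_port, the kernel checks that it is a genuine element of the ipc.ports zone, so a port-shaped object sitting in memory the zone does not own (kalloc memory holding sprayed descriptor data) is rejected before its io_bits are even read. The struct layout, the IKOT_TASK value, the zone sizes and the sample addresses are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified model of zone_require (added illustration, not XNU code).
 * Layout, IKOT_TASK value and zone sizes are assumptions. */
#define IO_BITS_ACTIVE 0x80000000u
#define IKOT_TASK      2u               /* assumed value for this model */

struct model_ipc_port { uint32_t io_bits; uint32_t io_references; void *kobject; };

struct zone { const char *name; unsigned char *base; size_t elem_size; size_t nelems; };

/* 0 if ptr is an aligned element inside z, -1 otherwise
 * (the real zone_require panics instead of returning). */
static int zone_require(const struct zone *z, const void *ptr) {
    uintptr_t p = (uintptr_t)ptr, b = (uintptr_t)z->base;
    if (p < b || p >= b + z->elem_size * z->nelems) return -1;
    return ((p - b) % z->elem_size == 0) ? 0 : -1;
}

/* Constructed backing memory: one region owned by ipc.ports, one region
 * standing in for kalloc memory (where sprayed OOL data would land). */
static _Alignas(16) unsigned char ports_mem[8 * sizeof(struct model_ipc_port)];
static _Alignas(16) unsigned char kalloc_mem[256];
static const struct zone ports_zone = { "ipc.ports", ports_mem, sizeof(struct model_ipc_port), 8 };

/* Port -> task conversion guarded the post-zone_require way: the zone check runs
 * before io_bits or kobject are read. Returns 0, -1 (bad zone) or -2 (not a task port). */
static int convert_port_to_task(const void *port, void **task_out) {
    if (zone_require(&ports_zone, port) != 0) return -1;
    const struct model_ipc_port *p = port;
    if ((p->io_bits & ~IO_BITS_ACTIVE) != IKOT_TASK) return -2;
    *task_out = p->kobject;
    return 0;
}

static void fill_task_port(struct model_ipc_port *p) {
    p->io_bits = IO_BITS_ACTIVE | IKOT_TASK; p->io_references = 1; p->kobject = (void *)0x1234;
}

/* A genuine port living in the ports zone converts successfully. */
int genuine_port_passes(void) {
    struct model_ipc_port *p = (struct model_ipc_port *)(ports_mem + 3 * sizeof *p);
    void *task = NULL; fill_task_port(p);
    return convert_port_to_task(p, &task) == 0 && task == (void *)0x1234;
}

/* The same bytes in kalloc memory are rejected by the zone check even though
 * the io_bits/kobject fields look valid: the forged port is never dereferenced. */
int forged_port_rejected(void) {
    struct model_ipc_port *p = (struct model_ipc_port *)(kalloc_mem + 64);
    void *task = NULL; fill_task_port(p);
    return convert_port_to_task(p, &task) == -1 && task == NULL;
}
```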

Write-Up Style

Beer’s write-ups follow a consistent pattern – excellent for learning:

  1. Vulnerability discovery – how the bug was found
  2. Root cause – why the bug exists in code
  3. Exploitation strategy – how to turn the bug into a primitive
  4. Heap layout control – specific grooming technique
  5. Primitive construction – building kread/kwrite
  6. Post-exploitation – what you can do with it

Resources – Read in This Order

  1. mach_portal (2016) – Start here: introduces Mach port exploitation
  2. async_wake (2017) – Refined IOSurface + fake port technique
  3. A very deep dive into iOS Exploit chains (2019) – Real-world chain analysis, 5 parts
  4. One Byte to Rule Them All (2020, Brandon Azad) – vm_map_copy type confusion
  5. AWDL Radio Proximity Exploit (2020) – Magnum opus: wormable zero-click
  6. A Survey of Recent iOS Kernel Exploits (2020) – Comprehensive overview