Siguza is an independent security researcher specializing in the iOS/macOS kernel. Siguza’s write-ups are renowned for being deep, detailed, and written in a narrative style that is easy to follow. Especially strong in IOKit exploitation and kernel internals documentation.


Why Siguza Matters

  • v0rtex (2017): IOSurface exploit → tfp0 on iOS 10.x; the kernel exploit behind several iOS 10 jailbreaks
  • IOHIDeous (2017): macOS kernel 0-day in IOHIDFamily, with a brilliant write-up
  • psychicpaper (2020): sandbox escape + entitlement bypass 0-day; a pure logic bug and extremely elegant
  • cl0ver (2016): public exploit for the Pegasus/Trident kernel bugs on iOS 9.x – early work but a very instructive write-up
  • Kernel research articles: PAC internals, APRR, PPL deep dives
  • Collaboration: contributed to many jailbreak projects

Exploits in Chronological Order

1. cl0ver (October 2016) – iOS 9.0-9.3.4

Field       Detail
Target      iOS 9.0-9.3.4 (the Pegasus/Trident kernel bugs, patched in iOS 9.3.5)
Goal        tfp0 (kernel task port)
Technique   Kernel memory disclosure through OSUnserializeXML (CVE-2016-4655) + use-after-free in OSUnserializeBinary (CVE-2016-4656), both reached through IOKit property serialization
Blog        blog.siguza.net/cl0ver

Lesson: the IOKit deserializers (OSUnserializeXML / OSUnserializeBinary) turn attacker-supplied bytes into kernel objects of attacker-chosen type and size (OSData, OSString, OSArray, ...), so IORegistryEntrySetCFProperties-style calls double as a controlled kernel heap allocation primitive and as parser attack surface. That primitive was a staple of iOS kernel exploitation for years before Apple hardened it (iOS 12+).

2. v0rtex (December 2017) – iOS 10.x

Field       Detail
CVE         CVE-2017-13861 (the same IOSurface bug Ian Beer used in async_wake on iOS 11; v0rtex is its iOS 10 exploit)
Target      iOS 10.0-10.3.3, 64-bit devices only (A7-A10)
Component   IOSurfaceRootUserClient
Technique   A Mach port reference is dropped one time too many in IOSurfaceRootUserClient::s_set_surface_notify → the ipc_port is freed while the user still holds a name for it → freed port reclaimed with attacker-controlled memory (fake port + fake task) → arbitrary kernel read → tfp0
Blog        siguza.github.io/v0rtex

Why this matters:

  • 64-bit devices only (A7-A10); the 32-bit port was done separately by tihmstar for the h3lix jailbreak
  • The write-up “Turning the IOSurface inside out” is one of the best exploitation tutorials around: UAF on a Mach port, heap reclamation, fake-port construction, all explained step by step
  • Used by the Meridian jailbreak (iOS 10.x)

3. IOHIDeous (December 2017) – macOS <= 10.13.1

Field       Detail
Target      macOS <= 10.13.1 (High Sierra); the bug itself is years older than that release
Component   IOHIDFamily, specifically IOHIDSystem (HID – Human Interface Device event system)
Type        Kernel read/write for any local unprivileged user; the PoC goes on to disable SIP and AMFI
Caveat      Needs the user to log out first (the PoC forces this), because WindowServer holds the vulnerable IOHIDSystem connection while a session is active
Blog        blog.siguza.net/IOHIDeous

Lessons:

  • The bug is a double fetch on shared memory: IOHIDSystem::initShmem writes offsets into a page that is also mapped into the client task, then reads one offset back to compute the kernel pointer evg. A racing user thread changes the offset between the store and the reload, and the kernel's subsequent writes through evg land outside the shared region. Data in user-writable memory must be copied once and validated, never re-read.
  • IOKit race conditions in general: IOKit drivers are inherently multi-threaded and often share memory or state with user clients, which makes races and double fetches a rich source of bugs
  • IOHIDFamily specifically: complex, many handlers, shared state between UserClients
  • macOS exploitation: the concepts carry over directly to iOS, which runs the same kernel and much of the same IOKit code
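The double fetch described above, modeled in userland as an added example (this is neither Siguza's exploit nor Apple's code). EvOffsets and EvGlobals are simplified stand-ins with borrowed names and an invented layout, race_hook is a deterministic stand-in for the attacker's racing thread (the hook runs exactly in the window between the kernel's store and its reload), and init_shmem_fixed is one correct pattern rather than Apple's actual patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHMEM_SIZE 4096u

/* Simplified stand-ins for IOHIDSystem's EvOffsets / EvGlobals (names kept,
 * layout invented for this example). Both live at the start of a page that
 * the kernel maps into the client task, i.e. userland can write them at any
 * time. */
typedef struct { uint32_t evGlobalsOffset; uint32_t evFixedOffset; } EvOffsets;
typedef struct { uint32_t eventFlags; int32_t cursorX; int32_t cursorY; } EvGlobals;

/* Models the attacker's racing thread: the hook runs in the window between
 * the kernel's store and its reload ("attacker won the race"); NULL means
 * the attacker lost. */
typedef void (*race_hook)(EvOffsets *eop);

/* Vulnerable shape: store the offset into the shared page, then trust the
 * value read back from that same user-writable page (a double fetch). */
EvGlobals *init_shmem_vuln(uint8_t *shmem_addr, race_hook attacker) {
    EvOffsets *eop = (EvOffsets *)shmem_addr;
    memset(shmem_addr, 0, SHMEM_SIZE);
    eop->evGlobalsOffset = sizeof(EvOffsets);                    /* store  */
    eop->evFixedOffset   = sizeof(EvOffsets) + sizeof(EvGlobals);
    if (attacker) attacker(eop);                                 /* window */
    return (EvGlobals *)((uintptr_t)shmem_addr + eop->evGlobalsOffset); /* reload */
}

/* Fixed shape (one correct pattern, not Apple's actual patch): derive kernel
 * pointers only from kernel-owned values; the shared copy is output-only. */
EvGlobals *init_shmem_fixed(uint8_t *shmem_addr, race_hook attacker) {
    EvOffsets *eop = (EvOffsets *)shmem_addr;
    const uint32_t globals_off = sizeof(EvOffsets);               /* kernel-owned */
    memset(shmem_addr, 0, SHMEM_SIZE);
    eop->evGlobalsOffset = globals_off;
    eop->evFixedOffset   = globals_off + sizeof(EvGlobals);
    if (attacker) attacker(eop);               /* too late: never read back */
    return (EvGlobals *)((uintptr_t)shmem_addr + globals_off);
}

/* Attacker payload: push the offset far outside the page, so whatever the
 * kernel later writes through evg (cursor position, event flags) becomes an
 * out-of-bounds kernel write at an attacker-chosen offset. */
void attacker_tamper(EvOffsets *eop) { eop->evGlobalsOffset = 0x100000u; }

/* The check the code should have made before ever dereferencing evg. */
bool evg_in_bounds(const uint8_t *shmem_addr, const EvGlobals *evg) {
    uintptr_t base = (uintptr_t)shmem_addr, p = (uintptr_t)evg;
    return p >= base && p + sizeof(EvGlobals) <= base + SHMEM_SIZE;
}

/* Static page standing in for the shared mapping, plus three scenarios. */
uint8_t shmem_page[SHMEM_SIZE];

bool vuln_escapes_when_raced(void) {
    return !evg_in_bounds(shmem_page, init_shmem_vuln(shmem_page, attacker_tamper));
}
bool vuln_ok_without_race(void) {
    return evg_in_bounds(shmem_page, init_shmem_vuln(shmem_page, NULL));
}
bool fixed_holds_when_raced(void) {
    return evg_in_bounds(shmem_page, init_shmem_fixed(shmem_page, attacker_tamper));
}

int main(void) {
    printf("double fetch, attacker wins race : evg out of bounds = %s\n",
           vuln_escapes_when_raced() ? "yes" : "no");
    printf("double fetch, attacker loses     : evg in bounds     = %s\n",
           vuln_ok_without_race() ? "yes" : "no");
    printf("single fetch, attacker wins race : evg in bounds     = %s\n",
           fixed_holds_when_raced() ? "yes" : "no");
    return 0;
}
```

In the real driver the window between the store and the reload is a few instructions, so an exploit has to keep rewriting the offset from a second thread until it wins; the hook only removes that nondeterminism so the two shapes can be compared side by side. The general rule is the one kernel reviewers apply to copyin and to shared mappings alike: fetch a user-controlled value once, validate the copy, and never derive a kernel pointer from memory the user can still write.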

4. psychicpaper (May 2020) – iOS < 13.5

Field       Detail
CVE         CVE-2020-9842
Target      iOS < 13.5 beta 3
Type        Sandbox escape + entitlement bypass (0-day at disclosure)
Name        “Psychic paper” (Doctor Who): a blank paper that shows the viewer whatever credentials they expect to see
Blog        siguza.net/psychicpaper
Vulnerability:
  Entitlements are an XML plist embedded in the code signature, and the
  system parses that plist with (at least) four different implementations
  that disagree on malformed XML comments:

  1. OSUnserializeXML (XNU kernel): what AMFI.kext feeds into the kernel, so it decides what the sandbox and every kernel-side entitlement check believe
  2. IOCFUnserialize (IOKit, the userland copy of the kernel parser)
  3. CFPropertyListCreateWithData (CoreFoundation): what the userland validators such as amfid (through libmis) and installd use
  4. libxpc's own plist parser

  Parser disagreement = the kernel and the userland validators do not agree on
  what entitlements a binary has. A crafted comment sequence (the PoC wraps the
  restricted keys in "<!---><!-->" ... "<!-- -->") hides them from the userland
  side, which checks them against the provisioning profile, while the kernel
  parser still sees them.

Result:
  → The kernel grants the binary ANY entitlement written into the plist (private, restricted, platform)
  → Escape the sandbox: claim com.apple.private.security.no-container (as in the PoC) or com.apple.private.security.no-sandbox
  → Get task_for_pid: claim task_for_pid-allow
  → Become a platform binary: claim platform-application
  → All from an app signed with an ordinary developer signing identity; no Apple-granted entitlement and no Apple certificate needed
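The parser disagreement, reduced to the part that matters, as an added example: this is not Siguza's PoC and not Apple's parsers. skip_strict and skip_overlap are two simplified comment-skipping rules written for this example to reproduce the kind of divergence described above; one plays the kernel side (sees the keys), the other the userland side (does not), and no claim is made here about which real implementation behaves which way or about the exact internals of the four real parsers. POC_PLIST and BENIGN_PLIST are constructed inputs, and parsers_agree is an illustrative hardening check, not Apple's fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, shaped like the Psychic Paper PoC entitlements: three
 * restricted keys wrapped in "<!---><!-->" ... "<!-- -->". */
const char *POC_PLIST =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<plist version=\"1.0\">\n"
    "<dict>\n"
    "    <!---><!-->\n"
    "    <key>platform-application</key>\n"
    "    <true/>\n"
    "    <key>com.apple.private.security.no-container</key>\n"
    "    <true/>\n"
    "    <key>task_for_pid-allow</key>\n"
    "    <true/>\n"
    "    <!-- -->\n"
    "</dict>\n"
    "</plist>\n";

/* Constructed control: a well-formed plist with an ordinary comment. */
const char *BENIGN_PLIST =
    "<plist version=\"1.0\">\n"
    "<dict>\n"
    "    <!-- development build -->\n"
    "    <key>get-task-allow</key>\n"
    "    <true/>\n"
    "</dict>\n"
    "</plist>\n";

/* A comment skipper receives p pointing at "<!--" and returns the position
 * just past the terminating "-->", or NULL if the comment never ends. */
typedef const char *(*skip_fn)(const char *p);

/* Rule A: the terminator must lie entirely after the four-byte opener. Under
 * this rule "<!---><!-->" is ONE comment and the keys after it are live. */
const char *skip_strict(const char *p) {
    const char *end = strstr(p + 4, "-->");
    return end ? end + 3 : NULL;
}

/* Rule B: the terminator may reuse the opener's last '-'. Under this rule
 * "<!--->" is already a complete comment, so "<!-->" opens a NEW comment
 * that swallows the keys up to the "-->" of "<!-- -->". */
const char *skip_overlap(const char *p) {
    const char *end = strstr(p + 3, "-->");
    return end ? end + 3 : NULL;
}

/* Walk the plist text under one comment rule and report whether a <key>
 * with exactly this name is visible, i.e. outside every comment. An
 * unterminated comment counts as "not visible" (a parser would reject). */
bool sees_entitlement(const char *xml, skip_fn skip, const char *name) {
    size_t len = strlen(name);
    for (const char *p = xml; *p; ) {
        if (strncmp(p, "<!--", 4) == 0) {
            p = skip(p);
            if (!p) return false;
        } else if (strncmp(p, "<key>", 5) == 0) {
            p += 5;
            if (strncmp(p, name, len) == 0 && strncmp(p + len, "</key>", 6) == 0)
                return true;
        } else {
            p++;
        }
    }
    return false;
}

/* Hardening idea (illustrative, not Apple's actual fix): a trust decision is
 * only sound if every parser in the chain answers the same way. */
bool parsers_agree(const char *xml, const char *name) {
    return sees_entitlement(xml, skip_strict, name) ==
           sees_entitlement(xml, skip_overlap, name);
}

int main(void) {
    const char *ent = "task_for_pid-allow";
    printf("PoC : strict sees %s = %d, overlap sees it = %d, agree = %d\n", ent,
           sees_entitlement(POC_PLIST, skip_strict, ent),
           sees_entitlement(POC_PLIST, skip_overlap, ent),
           parsers_agree(POC_PLIST, ent));
    printf("benign: agree on get-task-allow = %d\n",
           parsers_agree(BENIGN_PLIST, "get-task-allow"));
    return 0;
}
```

The point is not which rule is "right": Rule A is what a naive search after the opener does, Rule B is what a scanner that starts one byte earlier does, and both are defensible readings of sloppy XML. Any trust decision that depends on the same bytes being parsed twice by two code bases is a differential waiting to happen; the robust answer is to parse once, in the component that enforces, or to reject input on which the parsers disagree.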

Why this is the most elegant exploit:

  • No memory corruption needed – pure logic bug
  • No kernel exploit needed – works entirely in userspace
  • Deterministic – works 100% of the time, no races
  • Any entitlement – unrestricted capabilities
  • Simple – once understood, the exploit code is trivial

Siguza’s Approach – What to Learn

1. Deep Source Code Reading

Siguza reads XNU source code thoroughly:
  - Not just finding bugs, but understanding entire subsystems
  - Documenting behavior that Apple does not document
  - Finding inconsistencies between documentation and code
  → Bugs often lie in the gaps between intended and actual behavior

2. Finding Logic Bugs

psychicpaper = pure logic bug, no memory corruption
  - Find parser disagreements (two components reading the same bytes differently)
  - Find inconsistent state handling
  - Find assumption mismatches between components
  → Often more reliable and powerful than memory corruption: no heap grooming, no races, no mitigations to bypass

3. IOKit Expertise

v0rtex, IOHIDeous: both target IOKit drivers
  - Understand the IOKit object lifecycle (retain/release, user client open/close)
  - Understand UserClient patterns (external methods, shared memory, async notifications)
  - Understand race conditions in driver callbacks and on memory shared with userland
  → IOKit = the largest kernel attack surface reachable from an app

4. Write-Up Quality

Siguza's blog posts:
  - Narrative style: tell a story
  - Explain WHY decisions were made
  - Show failed approaches before the successful one
  - Include enough detail to reproduce
  → Read these write-ups as tutorials, not just as reports

Resources – Read in This Order

  1. cl0ver (2016) – First exploit, introduces OSUnserializeXML technique
  2. v0rtex (2017) – IOSurface exploitation masterclass
  3. IOHIDeous (2017) – IOKit race condition hunting
  4. psychicpaper (2020) – Logic bug artistry
  5. Siguza’s GitHub – Source code for all exploits
  6. Siguza’s Blog – All research articles