Kernel Read/Write Primitives
kread/kwrite = the ability to read/write arbitrary kernel virtual addresses. This is the primary goal: having kread/kwrite means controlling the kernel.
Why kread/kwrite Is Enough
With kread/kwrite you can:
- Read/write process credentials → root
- Modify the sandbox slot → unsandbox
- Inject into the trust cache → bypass code signing
- Read kernel objects → leak further information
- Modify any kernel data structure
Techniques
1. IOSurface-Based kread/kwrite
The most widely used approach in modern exploits.
Concept:
IOSurface objects hold a dictionary of properties (key-value pairs)
Properties are stored as serialized data in the kernel heap
The set_value/get_value methods read/write the property data
Exploit:
1. Create IOSurface
2. Trigger vulnerability → corrupt IOSurface internal data pointer
3. iosurface_kread: set corrupted pointer → target address
→ get_value reads from target address → returns data to userspace
4. iosurface_kwrite: set corrupted pointer → target address
→ set_value writes attacker data to target address
Functions:
iosurface_kread32(addr) → read 32 bits at kernel addr
iosurface_kread64(addr) → read 64 bits at kernel addr
iosurface_kwrite32(addr, val) → write 32 bits
iosurface_kwrite64(addr, val) → write 64 bits
2. Pipe-Based kread/kwrite
Concept:
pipe() creates kernel pipe_buffer struct
read(pipe_fd) reads from pipe_buffer
write(pipe_fd) writes to pipe_buffer
Exploit:
1. Create pipe pair
2. Corrupt pipe_buffer struct:
- Change buffer pointer → kernel address
- Change buffer size → large
3. read(pipe_fd) → kernel copies from corrupted address → kread
4. write(pipe_fd) → kernel copies to corrupted address → kwrite
3. Fake Task Port (Classic, pre-iOS 14)
Concept:
task port + mach_vm_read/write = access task's address space
If task port points to kernel_task → access kernel memory
Exploit:
1. Craft fake ipc_port structure in controlled memory
2. Set kobject type = IKOT_TASK
3. Set kdata.task → fake task structure
4. Fake task's map → kernel_map (or kernel_pmap)
5. Send/receive to get port name for fake port
6. mach_vm_read(fake_port, addr, size) → kread
7. mach_vm_write(fake_port, addr, data, size) → kwrite
Mitigated by:
- PAC on port pointers (iOS 12+)
- zone_require (iOS 14+)
- Lockdown of task port operations
4. kfd Methods
The kfd project implements multiple kread/kwrite methods:
| Method | Mechanism |
|---|---|
| kread_kqueue_workloop_ctl | Abuse kqueue workloop for kernel reads |
| kread_sem_open | Abuse POSIX semaphore for kernel reads |
| kwrite_dup | Abuse dup() file descriptor for kernel writes |
| kwrite_sem_open | Abuse POSIX semaphore for kernel writes |
5. Physical R/W → Virtual R/W
If you have physrw (physical read/write):
1. Read TTBR1_EL1 (kernel page table base) from a known location
2. Walk the kernel page tables manually
3. Translate the kernel virtual address → physical address
4. Read/write the physical address
→ Equivalent to kread/kwrite, but going through the physical layer
Stability & Reliability
| Method | Reliability | iOS range | Notes |
|---|---|---|---|
| IOSurface | High | iOS 11+ | Standard in modern exploits |
| Pipe | Medium | iOS 10+ | Simple but has limitations |
| Fake task port | High (when it works) | iOS ≤13 | Killed by PAC + zone_require |
| kfd methods | High | iOS 15-16 | Well-tested |
| Physical r/w | High | Depends | Requires a PUAF primitive |
Resources
- kfd Project — reference implementation
- Alfie CG — Kernel Exploit Guide — IOSurface kread/kwrite
- Secfault — Kernel Exploit from Scratch