KTRR/CTRR hardware-enforces the kernel code (.text) as read-only and non-modifiable. Kernel instructions cannot be patched directly, which forces exploits to fall back on data-only attacks.


KTRR (A10 — iPhone 7+)

Kernel Text Readonly Region:

  • Hardware register lock (set by iBoot before the kernel boots)
  • Defines the memory range containing the kernel __TEXT segment
  • Any write attempt into this range → hardware fault
  • Cannot be unlocked once set (fuse-based)

KTRR registers:
  KTRR_LOWER_EL1  → start of protected range
  KTRR_UPPER_EL1  → end of protected range
  KTRR_LOCK_EL1   → lock bit (write-once)

Protected:
  - Kernel __TEXT segment (code)
  - Kernel __TEXT_EXEC segment
  - CoreTrust code (iOS 12+)
  
NOT protected:
  - Kernel __DATA segment (writable data)
  - Kernel __DATA_CONST (writable at load time, locked later)
  - Zone allocator memory
  - IOKit objects

Impact: kernel functions cannot be patched, so an exploit must instead:

  • Modify function pointers in __DATA
  • Modify kernel variables that control behavior
  • Modify object data (data-only attacks)

CTRR (A15+ — iPhone 13+)

Configurable Text Readonly Region:

  • Enhanced version of KTRR
  • More configurable (per-page granularity instead of a single range)
  • pmap_lockdown_kc() adds a lockdown attribute to each page
  • Pages carrying the lockdown attribute cannot be mapped into user process page tables

CTRR enhancements:
  - Per-page lockdown (vs KTRR's single range)
  - Prevents mapping protected pages into any process (not just writing)
  - Stronger isolation: even with physrw, cannot map these pages to user VA
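The two rules above (a write-once range lock for KTRR, a per-page lockdown attribute for CTRR) can be stated as a small C model. This is an added illustration, not XNU or hardware code: the names ktrr_regs, kernel_write, page_lockdown and map_into_user are constructed here, the physical layout is made up, and only the register names in the comments come from the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the KTRR / CTRR rules described above. Nothing here
 * is a real XNU or hardware interface; the names are made up for the model. */

#define PAGE_SHIFT 14                 /* 16 KiB pages, as on Apple arm64 SoCs */
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16

enum rc { RC_OK = 0, RC_KTRR_FAULT = 1, RC_REG_LOCKED = 2, RC_PAGE_LOCKDOWN = 3 };

/* Stand-in for KTRR_LOWER_EL1 / KTRR_UPPER_EL1 / KTRR_LOCK_EL1. */
struct ktrr_regs {
    uint64_t lower;      /* start of the protected physical range */
    uint64_t upper;      /* end of the range (exclusive in this model) */
    bool     locked;     /* write-once: no operation clears it */
};

/* Per-page attributes; `lockdown` models what pmap_lockdown_kc() marks on CTRR systems. */
struct page_attr {
    bool lockdown;
    bool mapped_in_user;
};

static uint8_t          g_mem[NPAGES * PAGE_SIZE];   /* constructed physical memory */
static struct page_attr g_pages[NPAGES];

/* iBoot programs the range and then sets the lock. Once locked, the range
 * registers reject further writes and the lock bit stays set until reset. */
int ktrr_set_range(struct ktrr_regs *r, uint64_t lower, uint64_t upper) {
    if (r->locked) return RC_REG_LOCKED;
    r->lower = lower;
    r->upper = upper;
    return RC_OK;
}

void ktrr_lock(struct ktrr_regs *r) { r->locked = true; }

int ktrr_try_unlock(struct ktrr_regs *r) {
    (void)r;                 /* there is no unlock path to model */
    return RC_REG_LOCKED;
}

/* A kernel store. With the lock set, any write inside [lower, upper) faults
 * regardless of the privilege level of the writer. */
int kernel_write(const struct ktrr_regs *r, uint64_t pa, uint8_t value) {
    if (pa >= sizeof g_mem) return RC_KTRR_FAULT;          /* outside modeled memory */
    if (r->locked && pa >= r->lower && pa < r->upper) return RC_KTRR_FAULT;
    g_mem[pa] = value;
    return RC_OK;
}

uint8_t kernel_read(uint64_t pa) { return pa < sizeof g_mem ? g_mem[pa] : 0; }

/* CTRR extension: lock down one page (per page, not a single range). */
int page_lockdown(uint64_t pa) {
    if ((pa >> PAGE_SHIFT) >= NPAGES) return RC_KTRR_FAULT;
    g_pages[pa >> PAGE_SHIFT].lockdown = true;
    return RC_OK;
}

/* Request to map a physical page into a user process's page tables. A
 * locked-down page is refused even for a caller that already has a physical
 * read/write primitive, which is the "cannot map to user VA" property. */
int map_into_user(uint64_t pa) {
    if ((pa >> PAGE_SHIFT) >= NPAGES) return RC_KTRR_FAULT;
    struct page_attr *p = &g_pages[pa >> PAGE_SHIFT];
    if (p->lockdown) return RC_PAGE_LOCKDOWN;
    p->mapped_in_user = true;
    return RC_OK;
}

int main(void) {
    struct ktrr_regs r = {0};
    /* Constructed layout: pages 0-3 hold __TEXT/__TEXT_EXEC, page 4 holds __DATA. */
    ktrr_set_range(&r, 0, 4 * PAGE_SIZE);
    ktrr_lock(&r);
    printf("write into __TEXT:    rc=%d\n", kernel_write(&r, 0x100, 0x1f));
    printf("write into __DATA:    rc=%d\n", kernel_write(&r, 4 * PAGE_SIZE + 0x10, 1));
    printf("move locked range:    rc=%d\n", ktrr_set_range(&r, 0, 0));
    page_lockdown(0);
    printf("user-map locked page: rc=%d\n", map_into_user(0));
    printf("user-map __DATA page: rc=%d\n", map_into_user(4 * PAGE_SIZE));
    return 0;
}
```

The point the model makes explicit is the difference in what each mechanism denies: KTRR only rejects the store, so a read/write primitive aimed at __DATA still lands, while the CTRR lockdown attribute also rejects creating a user mapping of the page.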

Data-Only Attacks (Post-KTRR Strategy)

Instead of patching code:          Modify data instead:
  NOP out a check instruction       → Set the variable the check reads to the bypass value
  Patch a function to return 0      → Modify a function pointer to point at existing code
  Insert shellcode                  → Chain existing gadgets (ROP/JOP)
  Modify a branch target            → Overwrite a vtable entry

Example:

// Kernel code (in __TEXT, KTRR-protected):
if (amfi_get_out_of_my_way) {   // Variable in __DATA!
    return KERN_SUCCESS;         // Skip code signing check
}

// Exploit: kwrite to set amfi_get_out_of_my_way = 1
// → Code signing check bypassed without modifying code
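The weakness in the example is not the check itself but where its input lives: a boot-time policy flag sitting in writable __DATA for the whole uptime of the kernel. The defensive counterpart is to seal such variables once boot-time configuration is finished, which is the role __DATA_CONST plays for values XNU locks down late. The program below is an added illustration of that idea, not AMFI or XNU code: the names policy_init, policy_lockdown and try_set_flag are constructed, the flag is merely named after the one in the text, and mprotect() stands in for the kernel's own lockdown of the page.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Added illustration, not AMFI/XNU code. A boot-time policy flag is kept on
 * its own page; after initialization that page is sealed read-only, which is
 * what __DATA_CONST achieves for variables XNU locks down after boot. */
struct policy_page {
    int amfi_get_out_of_my_way;   /* named after the flag in the text; value constructed */
};

static struct policy_page *g_policy;   /* lives in the mmap'd page */
static sigjmp_buf g_fault_jmp;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(g_fault_jmp, 1);        /* unwind out of the faulting store */
}

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* "Early boot": the page is writable and the policy value is configured. */
int policy_init(int value) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    g_policy = p;
    g_policy->amfi_get_out_of_my_way = value;
    return 0;
}

/* "Lockdown": once setup is done the page becomes read-only, so a later
 * write primitive aimed at the flag faults instead of flipping the policy. */
int policy_lockdown(void) {
    return mprotect(g_policy, page_size(), PROT_READ);
}

int policy_flag(void) { return g_policy->amfi_get_out_of_my_way; }

/* Attempt to store `value` into the flag. Returns 1 if the store faulted and
 * 0 if it landed. Fault handlers are installed only for the attempt. */
int try_set_flag(int value) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report the fault as SIGBUS */

    volatile int faulted;
    if (sigsetjmp(g_fault_jmp, 1) == 0) {
        g_policy->amfi_get_out_of_my_way = value;   /* faults once the page is sealed */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void) {
    if (policy_init(0) != 0) return 1;
    int f1 = try_set_flag(1);
    printf("writable page: store faulted=%d flag=%d\n", f1, policy_flag());
    if (policy_lockdown() != 0) return 1;
    int f2 = try_set_flag(0);
    printf("sealed page:   store faulted=%d flag=%d\n", f2, policy_flag());
    return 0;
}
```

Read against the table above: the "set the variable the check reads" row only works while that variable stays writable, so moving late-initialized policy into a page that is locked after boot removes that row without touching the KTRR-protected code at all. The model is a user-space stand-in, so it cannot show the kernel's own timing of the lockdown; it only shows the before/after behaviour of a sealed page.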

Resources