BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Apple's Predicament: NSPredicate Exploitation on mac
 OS and iOS\n   When: Saturday\, Aug 12\, 11:30 - 12:15 PDT\n   Where: Caes
 ars Forum - Forum - 130-134 - Track 3 - [1]Map\n\n   SpeakerBio:Austin Emm
 itt \, Senior Security Researcher at Trellix\n   Advanced Research Center\
 n   Austin Emmitt is a vulnerability researcher with a background in\n   m
 obile security. He has found critical vulnerabilities in Android\,\n   iOS
 \, and other platforms. He is also the creator of the radius2\n   symbolic
  execution framework.\n   Twitter: [2]@alkalinesec\n\n   Description:\n   
 In 2021 the FORCEDENTRY sandbox escape introduced the usage of\n   NSPredi
 cate in an iOS exploit. This new technique allowed attackers to\n   sidest
 ep codesigning\, ASLR\, and all other mitigations to execute\n   arbitrary
  code on Apple devices. As a result\, Apple put in place new\n   restricti
 ons to make NSPredicate less powerful and less useful for\n   exploits. Th
 is presentation will cover new research showing that these\n   added restr
 ictions could be completely circumvented in iOS 16\, and how\n   NSPredica
 tes could be exploited to gain code execution in many\n   privileged iOS p
 rocesses. This technical deep dive will be a rare\n   instance of iOS secu
 rity that anyone can comprehend without years of\n   experience.\n\n   Aft
 er an overview of the classes involved\, we will explore the full\n   synt
 ax of NSPredicate and cover how it can be used to script the\n   Objective
 -C runtime and even call any C function. It will be shown\n   that PAC can
  still be bypassed 100% reliably with NSPredicates in\n   order to execute
  any function with arbitrary arguments. A new tool\n   will be unveiled to
  help craft complex NSPredicates to execute\n   arbitrary code and inject 
 those predicates in any application.\n   Additionally\, a demonstration wi
 ll be given which executes arbitrary\n   code in the highly privileged Pre
 ferences app.\n\n   Finally\, the talk will cover a bypass of NSPredicateV
 isitor\n   implementations which allows a malicious process to evaluate an
 y\n   NSPredicate within several system processes including coreduetd\,\n 
   appstored\, OSLogService\, and SpringBoard. Next there will be a live\n 
   demo of exploiting SpringBoard to steal a user's notifications and\n  
  location data. The presentation will end with some discussion about\n   w
 hat can still be done with NSPredicates now that these issues have\n   bee
 n fixed\, including bypassing App Store Review\, and what app\n   develope
 rs should know to keep their own apps safe.\n\n   REFERENCES:\n\n   NSPred
 icate - [3]https://developer.apple.com/documentation/foundation/nspredicat
 e?language=objc\n   See No Eval: Runtime Dynamic Code Execution in Objecti
 ve-C by\n   CodeColorist - [4]https://codecolor.ist/2021/01/16/see-no-eval
 -runtime-code-execution-objc/\n   FORCEDENTRY: Sandbox Escape by Ian Beer 
 & Samuel Groß of Google\n   Project Zero - [5]https://googleprojectzero.bl
 ogspot.com/2022/03/forcedentry-sandbox-escape.html\n\n   '\n\n   1. #Caesa
 rsForumBR\n   2. https://twitter.com/alkalinesec\n   3. https://developer.
 apple.com/documentation/foundation/nspredicate?language=objc\n   4. https:
 //codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/\n   5.
  https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape
 .html\n\n\n
DTEND:20230812T191500Z
DTSTART:20230812T183000Z
LOCATION:DC - Caesars Forum - Forum - 130-134 - Track 3
SUMMARY:Apple's Predicament: NSPredicate Exploitation on macOS and iOS
END:VEVENT
END:VCALENDAR
