Git Product home page Git Product logo

aotpoisoning's Introduction

AOT Poisoning

Introduction

Rosetta 2 is a translation mechanism that allows Apple Silicon Mac to run Intel-based applications. It offers two types of translation: Just-In-Time (JIT) and Ahead-Of-Time (AOT). AOT translation is usually employed, but JIT translation is also used for applications that generate dynamic code (e.g., web browsers). AOT translation result is saved as AOT files, which are cached and reused for the next application launch.

We presented a new code injection technique named "AOT Poisoning" abusing this caching mechanism at Black Hat Asia 2023. This repository contains PoC code of AOT Poisoning and other utilities used in my research.

Requirements

How to use the PoC code of AOT Poisoning

Before running this script, you need to install the dependencies.

$ poetry install

This script has two commands: poison-aot-signed and poison-aot-nonsigned.

poison-aot-signed is a command that poisons an AOT file of a signed executable and injects shellcode through this. This issue is currently fixed as CVE-2022-42789, so this code injection does not work for the latest macOS

$ poetry run python main.py poison-aot-signed <path to application bundle (or executable)> <path to shellcode payload>

poison-aot-nonsigned is a command that poisons an AOT file of an unsigned executable and injects shellcode through this.

$ poetry run python main.py poison-aot-nonsigned <path to application bundle (or executable)> <path to shellcode payload>

Some shellcode payloads used in my research are in the shellcode directory.

Other utilities

calc_hash

calc_hash contains the code that calculates AOT lookup hash of an x64 executable. Rosetta 2 uses the AOT lookup hash to check whether the specified x64 executable was previously translated. If there is a previous translation result corresponding to the calculated hash value, the translation result is reused for the execution, resulting in reducing the redundant binary translation. For more details, see my Black Hat Asia 2023 talk slides.

mmap_timestamp_test

mmap_timestamp_test contains the code that tests the behavior of the APFS timestamp updates issue. The issue is that writing to a file via mmap() & munmap() without calling msync() does not update ctime and mtime. I used code in this directory to check this behavior. You can find some results of this code for Big Sur 11.5.2 and Big Sur 11.7.4.

Author

Koh M. Nakagawa. © FFRI Security, Inc. 2023

License

Apache version 2.0

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.