What if we had the SockPuppet vulnerability in iOS 16?
This post examines how an old XNU kernel UAF would fare under the kalloc_type allocator. A key takeaway is that at least in the iOS kernel, randomized, bucketed type isolation seems able to put a practical upper bound on the per-boot exploit success rate for some vulnerabilities. For SockPuppet, we estimate that the best possible exploit might only succeed on 92% of booted systems, whereas it used to be 100% reliable. Kernel UAFs in general are still exploitable, but kalloc_type seems to make them notably less attractive.
https://security.apple.com/blog/what-if-we-had-sockpuppet-in-ios16/
Apple Security Research blog: What if we had the SockPuppet vulnerability in iOS 16?
The next post in our XNU memory safety series examines how our hardened kernel allocator performs in the real world against a previously patched but powerful UAF software vulnerability. In this detailed analysis, we find out what might happen if SockPuppet were to meet kalloc_type in iOS 16.