Official references:
- ARMv8 Instruction Set Overview (short, kinda outdated at this point)
- ARMv8 Architecture Reference Manual (long)
- ARM A-Profile Exploration tools (same as above, but in machine readable form)
- ARM System Architecture Software Standards (ABIs, extensions, etc.)
My own doing:
Note on ARM documents:
Both infocenter.arm.com and developer.arm.com are outright nightmares to navigate, and search engines don't help either. But if you have any ARM document as a PDF and want to check for a newer version, there is a neat trick. At the bottom of any page of the PDF, you should have a document identifier of the form ARM XXX ddddX.x. Take the three letters and the following four digits (in this case, DDI0406) and construct a URL like so: https://developer.arm.com/docs/XXXdddd/latest (in this case, https://developer.arm.com/docs/DDI0406/latest).
Mach-O
- Jonathan Levin - DYLD DetaYLeD
- Jonathan Levin - Code Signing
Sandbox
IPC
- Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
- nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
- Ian Beer - Apple IPC (Video and Slides)
File Systems
- Apple - APFS Reference
Kernel
- Apple - Kernel Programming Guide
- Apple - IOKit Fundamentals (available as Website or PDF)
- Apple - About the Virtual Memory System
- qwertyoruiopz - Attacking XNU (Part One and Two)
- Stefan Esser - Kernel Heap (I hope I don't get sued)
Kernel Integrity
- xerub - Tick Tock
- Siguza - KTRR
- Jonathan Levin - Casa de PPL
- Siguza - APRR
- Brandon Azad - KTRW: The journey to build a debuggable iPhone
Control Flow Integrity
- Brandon Azad - Examining Pointer Authentication on the iPhone XS
- Qualcomm Product Security - Pointer Authentication on ARMv8.3
- Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
- Roberto Avanzi - Crypto that is Light to Accept
- Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher
Remote Targets
- Natalie Silvanovich - The Fully Remote Attack Surface of the iPhone
Hardware
- Ramtin Amin - Lightning Connector
- Ramtin Amin - NVMe NAND Storage
- Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)
SEP
- Tarjei Mandt, Mathew Solnik, David Wang - Demystifying the Secure Enclave Processor
- geohot - evasi0n7
- Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
- Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
- Jonathan Levin - Who needs task_for_pid anyway?
- qwertyoruiopz - About the “tpwn” Local Privilege Escalation
- Ian Beer - task_t considered harmful
- jndok - Exploiting Pegasus on OS X
- Siguza - Exploiting Pegasus on iOS
- Ian Beer - mach_portal (write-up and presentation slides)
- Ian Beer - Exception-oriented exploitation on iOS
- Jonathan Levin - Phœnix
- Gal Beniamini - Over The Air (Parts One, Two and Three)
- Siguza - v0rtex
- Ian Beer - async_wake_ios
- Siguza - IOHIDeous
- Jonathan Levin - QiLin (PDF and API)
- Brandon Azad - A fun XNU infoleak
- jeffball - Heap overflow in necp_client_action
- xerub - De Rebus Antiquis
- Ian Beer - multi_path
- Brandon Azad - blanket
- Brandon Azad - voucher_swap
- Ian Beer - Splitting atoms in XNU
- Natalie Silvanovich - The Many Possibilities of CVE-2019-8646
- Google Project Zero - A very deep dive into iOS Exploit chains found in the wild
- Ian Beer - Parts One, Two, Three, Four, Five and Implant Teardown
- Samuel Groß - JSC Exploits
- qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
- Google Project Zero - All the bugs Ian Beer has killed