Blasting Past iOS 18
In iOS 14 and 15 Apple shipped several iOS kernel mitigations that drastically changed iOS exploitation, and many researchers documented these mitigations publicly. In iOS 17 and 18, Apple introduced several interesting iOS userspace mitigations; however, these have not been discussed in as much detail. In this blog post we’ll discuss some of these mitigations by using the BLASTPASS exploit as a case study, and explore how relevant the exploit primitives BLASTPASS relied on still are in iOS 18.
That's FAR-out, Man
In mid-2023 we noticed a kernel infoleak which led to the discovery of quite an interesting bug. The infoleak was caused by XNU’s exception handler copying the FAR_EL1 register unconditionally, even for exception classes that never write it. The architecture only defines FAR_EL1 for exceptions that report a faulting address (instruction and data aborts, alignment faults, watchpoints); for any other exception class it is not required to be updated, so the value XNU copied out could still be the address of an earlier, unrelated fault, which from the point of view of the current exception is an uninitialised value.
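To make the failure mode concrete, here is a simplified C model of the bug pattern and its hardened form. This is an added example and not XNU's code: the register file, the exception-state struct and the kernel address (0xfffffff0071c4000) are constructed for the demonstration, and the only real-world inputs are the exception class (EC) encodings from the Arm architecture reference. It shows why a sticky FAR_EL1 leaks across exceptions: a kernel-mode data abort writes a kernel pointer into FAR_EL1, a later user BRK does not touch it, and an exception handler that copies FAR unconditionally hands that pointer to userspace.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Exception class (EC) values, ESR_EL1[31:26], from the Arm architecture
 * reference. Only the aborts, alignment faults and watchpoints are defined
 * to write FAR_EL1; every other class leaves it untouched. */
enum {
    EC_INSN_ABORT_LOWER = 0x20,
    EC_INSN_ABORT_SAME  = 0x21,
    EC_PC_ALIGN         = 0x22,
    EC_DATA_ABORT_LOWER = 0x24,
    EC_DATA_ABORT_SAME  = 0x25,
    EC_SP_ALIGN         = 0x26,
    EC_WATCHPOINT_LOWER = 0x34,
    EC_WATCHPOINT_SAME  = 0x35,
    EC_BRK64            = 0x3c,   /* BRK instruction: never writes FAR_EL1 */
};

/* Constructed model of the two system registers the handler reads.
 * FAR_EL1 is sticky: it is only overwritten by the classes above. */
struct hw_regs {
    uint64_t esr_el1;
    uint64_t far_el1;
};

/* Constructed model of the per-thread exception state that reaches
 * userspace (the real one on Darwin also carries the exception number,
 * the ESR and the faulting PC). */
struct user_exc_state {
    uint64_t esr;
    uint64_t far;
};

static uint32_t esr_ec(uint64_t esr)
{
    return (uint32_t)((esr >> 26) & 0x3f);
}

/* Does this exception class report a faulting address in FAR_EL1? */
bool ec_sets_far(uint32_t ec)
{
    switch (ec) {
    case EC_INSN_ABORT_LOWER: case EC_INSN_ABORT_SAME:
    case EC_PC_ALIGN:
    case EC_DATA_ABORT_LOWER: case EC_DATA_ABORT_SAME:
    case EC_SP_ALIGN:
    case EC_WATCHPOINT_LOWER: case EC_WATCHPOINT_SAME:
        return true;
    default:
        return false;
    }
}

/* Vulnerable pattern: FAR_EL1 copied out for every exception. */
void deliver_exception_unconditional(const struct hw_regs *hw,
                                     struct user_exc_state *out)
{
    out->esr = hw->esr_el1;
    out->far = hw->far_el1;   /* stale for BRK, SVC, undefined instruction, ... */
}

/* Hardened pattern: only copy FAR_EL1 when the EC says it was written,
 * otherwise report a well-defined zero. */
void deliver_exception_checked(const struct hw_regs *hw,
                               struct user_exc_state *out)
{
    out->esr = hw->esr_el1;
    out->far = ec_sets_far(esr_ec(hw->esr_el1)) ? hw->far_el1 : 0;
}

/* Hardware-level model of taking an exception: ESR is always rewritten,
 * FAR only for the classes that define it. */
static void take_exception(struct hw_regs *hw, uint32_t ec, uint64_t fault_addr)
{
    hw->esr_el1 = (uint64_t)ec << 26;
    if (ec_sets_far(ec))
        hw->far_el1 = fault_addr;
}

/* FAR value userspace sees for a BRK that follows an earlier kernel-mode
 * fault on a constructed kernel address. */
uint64_t far_seen_by_user_after_brk(bool hardened)
{
    const uint64_t kernel_fault_addr = 0xfffffff0071c4000ull;  /* constructed */
    struct hw_regs hw = {0};
    struct user_exc_state st = {0};

    take_exception(&hw, EC_DATA_ABORT_SAME, kernel_fault_addr); /* e.g. a fault handled in-kernel */
    take_exception(&hw, EC_BRK64, 0);                           /* user thread executes brk #0 */

    if (hardened)
        deliver_exception_checked(&hw, &st);
    else
        deliver_exception_unconditional(&hw, &st);
    return st.far;
}

int main(void)
{
    printf("unconditional copy: far=0x%016llx\n",
           (unsigned long long)far_seen_by_user_after_brk(false));
    printf("checked copy:       far=0x%016llx\n",
           (unsigned long long)far_seen_by_user_after_brk(true));
    return 0;
}
```

The unconditional variant returns the constructed kernel address to the user thread; the checked variant returns 0 for the BRK. On a real Darwin system the equivalent field is the `far` member of the arm64 exception state that Mach exception handlers and signal handlers receive, so the practical test of whether a kernel still has this class of bug is to raise an exception that does not define FAR (a `brk`) from a thread whose last fault was in the kernel and inspect that field; whether that reproduces on current iOS is not something this post establishes.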