Posts
  • Pinned: Time for a new blogpost! Let's do a CHERIoT walkthrough - including a straightforward setup, understanding how we kill bug classes and mitigating attacks on our minimal TCB through practical examples, and more fun! msrc.microsoft.com/blog/2023/02/f…
  • So, another IOMFB vulnerability was exploited ITW (15.0.2). I bindiffed the patch and built a POC. And, because it's a great bug, I just finished writing a short blogpost with the tech details, to share this knowledge :) Check it out! saaramar.github.io/IOMFB_integer_…
  • Everybody knows researching Hyper-V is the most fun thing you can do, so I wrote a blog post about how to start doing just that! Let me know what you think && if you find any 0days of course :) aka.ms/hvresearch101
  • So, as it turns out, an LPE vulnerability I found 4 months ago in IOMFB is now patched in iOS 14.7.1 as in-the-wild. I wanted to share some knowledge and details about the bug and some ways to exploit it. Hope you'll find it useful, check it out!
  • Apple fixed a bug I triggered accidentally in a functionality that is accessible from the app sandbox. Because it's a funny story, I wrote a short blogpost about it. I hope you'll like it; check it out!
  • New blogpost! I put together a thorough survey of security mitigations && architectures from the past few years. HW solutions, SW mitigations, and safe languages. CHERI, MTE, Rust, Swift, kalloc_type, Firebloom, GuardedMemcpy, CastGuard, and more!
  • Last year, Apple shared a high-level overview of "Memory safe iBoot implementation". I thought it would be nice to reverse and write about it, hope you will find it interesting :)
  • checkra1n is a CRAZY life-changer for iOS security research. Now, @qwertyoruiopz (you rock man!) finished his talk @BlueHatIL with a port to Linux (and even a Windows video demo!)
  • New blogpost - analysis of the ipc_kmsg_get_from_kernel vulnerability, patched in iOS 15.4 :) saaramar.github.io/ipc_kmsg_vuln_…
  • As promised – part 2 of the Hyper-V series is here! Featuring our awesome friends from the Virtualization Security Team :) VMBus internals? vPCI guest-to-host vulnerabilities? Opensource tooling? We have it all! blogs.technet.microsoft.com/srd/2019/01/28…
  • iOS 16 came with a lot of exciting changes in attack surface reduction. I wrote a short blogpost about an interesting change in IOSurfaceRoot and IOGPU. I hope you'll like it :) saaramar.github.io/ios16_restrict…
  • My new vuln CVE-2018-0743 in WSL was patched today && it's tweetable! int main(void) { int n = 0xaaaaaaa; void **p = calloc(n, 8); for (; n; --n) p[n-1] = ""; execv("", p); } Full exploit at @bluehatil portal.msrc.microsoft.com/en-us/security…
  • Published my exploits for the Winworld challenge I presented at #35C3! Pwn hard guys :) github.com/saaramar/35C3_…
  • With bittersweet sadness and excitement, I say goodbye to MSFT, as I'll be joining Apple SEAR next month to focus on Apple device security. I can't express how excited I am to join such an outstanding, exceptionally talented security team!