Dive into Apple UserFS (Userspace Filesystem)

Apple UserFS: A comprehensive dive into the new file system technology, including vulnerabilities and attack surfaces, and the possibilities of remote exploitation.

Key takeaways
  • Apple UserFS is a new file system technology that runs file system code in userspace, allowing iOS to support various file systems beyond APFS and HFS.
  • In UserFS, the file system kernel extension (LIFS) forwards kernel calls to userspace daemons, which in turn call file system plugins such as ExFAT.
  • UserFS is designed to work with external storage devices, such as USB drives, but Apple’s sandboxing mechanism is always on, making it hard to access LiveFS kernel extensions directly.
  • Vulnerabilities have been found in UserFS, including a NULL pointer dereference bug and a lack of checks on the entries offset in AttrHeader and loadF methods.
  • It is possible to exploit these vulnerabilities remotely, but it requires a lot of extra work and knowledge of the file system to create a reliable exploit.
  • New features and plugins in UserFS lead to increased attack surfaces, making UserFS more vulnerable to attacks.