
DEF CON 27 - Xiaolong Bai - HackPac Hacking Pointer Authentication in iOS User Space

HackersOnBoard

Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threat of code-reuse attacks. In PAuth, a cryptographic signature called a PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified against the original pointer value. In this way, PAuth ensures that pointers have not been tampered with. iOS deploys PAuth in user-space system services, protecting pointers that may affect control flow and preventing code-reuse attacks such as ROP and JOP.

However, in our study, we found that a fatal flaw in the implementation of iOS PAuth leaves user-space system services still vulnerable to code-reuse attacks. The flaw is that iOS uses the same signing key in different user-space processes. This allows a signed pointer from a malicious process to be correctly verified in a system service, making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. We will then demonstrate how to leverage this flaw to launch JOP attacks in a PAuth-protected system service. We will also present a new tool, PACgadget, that automatically finds JOP gadgets in PAuth-protected binaries.
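Added here to illustrate the mechanism and the flaw the abstract describes (this is not code from the talk, from PACgadget, or from Apple): a Python model of PAC signing and verification that uses HMAC-SHA256 in place of the hardware cipher and assumes a 39-bit virtual-address width, showing that a pointer signed in one process verifies in another only when both processes share the signing key.

```python
import hashlib
import hmac
from typing import Optional

# Model of ARMv8.3 PAuth: a 64-bit pointer whose unused high bits hold the PAC.
# The real hardware uses QARMA keyed from per-key system registers; this model
# substitutes HMAC-SHA256 (an assumption made for illustration only).
VA_BITS = 39                           # assumed virtual-address width
ADDR_MASK = (1 << VA_BITS) - 1         # bits that carry the real address
PAC_MASK = ((1 << 64) - 1) ^ ADDR_MASK # bits free to carry the PAC


def compute_pac(key: bytes, ptr: int, modifier: int) -> int:
    """Derive the PAC for (pointer, modifier) under a key, truncated to the free bits."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & PAC_MASK


def sign(key: bytes, ptr: int, modifier: int = 0) -> int:
    """PACIA-like operation: insert the PAC into the high bits of the pointer."""
    return (ptr & ADDR_MASK) | compute_pac(key, ptr, modifier)


def auth(key: bytes, signed_ptr: int, modifier: int = 0) -> Optional[int]:
    """AUTIA-like operation: recompute the PAC and return the raw pointer only on a match."""
    raw = signed_ptr & ADDR_MASK
    if (signed_ptr & PAC_MASK) == compute_pac(key, raw, modifier):
        return raw
    return None  # real hardware instead poisons the pointer so that any use faults


def cross_process_check(shared_key: bool) -> bool:
    """Does a pointer signed in one process verify in a separate system service?"""
    service_key = b"constructed-service-key-0"      # constructed sample key
    other_key = service_key if shared_key else b"constructed-other-key-001"
    target = 0x0000_0001_0040_1234                   # constructed sample code address
    signed_elsewhere = sign(other_key, target)       # signed under the other process's key
    return auth(service_key, signed_elsewhere) == target
```

With a shared key the service accepts the externally signed pointer, which is the condition the talk relies on; with per-process keys the same pointer fails authentication, which is the mitigation the key-sharing flaw defeats.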

posted by Mengarli82