Speck & Tech: Attacking iOS (a brief overview)
TRANSCRIPT
Attacking iOS: A brief overview
• Computer Science student
• iOS: Cydia, App Store
• Product Security Intern
• Opinions are my own, etc.
iOS Security
“[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to those who can demonstrate a workable, remote and untethered jailbreak that will persist even after reboot.”
–Forbes, Sep 21, 2015
• Code execution
• Privileged code execution
• Persistence
Code Signing
• Run only code signed by Apple
• Enforced by the kernel
Boot Chain of Trust
BootROM → LLB → iBoot → Kernel
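To make the chain-of-trust idea concrete (each stage verifies the next before running it, and the kernel then carries the same rule on to user code via code signing), here is an added example that is not part of the talk. It models the BootROM → LLB → iBoot → Kernel chain in C: every stage carries the expected digest of its successor and refuses to hand over control on a mismatch, so a modified image anywhere after the ROM stops the boot at the stage that checks it. The stage images are constructed bytes, and FNV-1a stands in for the signature verification real firmware performs; both are assumptions of the example, not details of Apple's implementation.

```c
/*
 * Added example (not from the talk): a toy model of a boot chain of trust.
 * Each stage holds the expected digest of the next stage and refuses to hand
 * over control unless the image it is about to run matches. FNV-1a is used as
 * the digest, standing in for the signature check a real boot ROM performs
 * (assumption). Stage names follow the slide; image bytes are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define STAGES 4

struct stage {
    const char *name;
    const uint8_t *image;   /* code of this stage, as found in flash */
    size_t len;
    uint64_t expected_next; /* digest of the next stage, baked into this one */
};

/* FNV-1a 64-bit: a checksum, NOT a cryptographic signature. */
static uint64_t digest(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Walk the chain: stage i verifies stage i+1 before "jumping" to it.
 * Returns the index of the last stage that was allowed to run
 * (STAGES - 1 when the whole chain verified). */
static int boot_chain(const struct stage chain[STAGES]) {
    for (int i = 0; i + 1 < STAGES; i++) {
        uint64_t got = digest(chain[i + 1].image, chain[i + 1].len);
        if (got != chain[i].expected_next) {
            printf("%s: refusing to run %s (digest mismatch)\n",
                   chain[i].name, chain[i + 1].name);
            return i;
        }
        printf("%s: verified %s, handing over\n", chain[i].name, chain[i + 1].name);
    }
    return STAGES - 1;
}

/* Constructed sample images (assumption: arbitrary bytes standing in for stage code). */
static const uint8_t kImages[STAGES][8] = {
    { 'B', 'o', 'o', 't', 'R', 'O', 'M', 0 },
    { 'L', 'L', 'B', 0, 0, 0, 0, 0 },
    { 'i', 'B', 'o', 'o', 't', 0, 0, 0 },
    { 'K', 'e', 'r', 'n', 'e', 'l', 0, 0 },
};
static const char *kNames[STAGES] = { "BootROM", "LLB", "iBoot", "Kernel" };

/* Build the chain with digests baked in from the pristine images, then (if
 * tamper_stage is 1..3) flip one byte of that stage's image, modelling a
 * modified flash image. Stage 0 is the ROM: nothing verifies it, it is the root.
 * Returns the index of the last stage that ran. */
int boot_with_tampered_stage(int tamper_stage) {
    uint8_t images[STAGES][8];
    struct stage chain[STAGES];
    memcpy(images, kImages, sizeof images);
    for (int i = 0; i < STAGES; i++) {
        chain[i].name = kNames[i];
        chain[i].image = images[i];
        chain[i].len = sizeof images[i];
        chain[i].expected_next =
            (i + 1 < STAGES) ? digest(kImages[i + 1], sizeof kImages[i + 1]) : 0;
    }
    if (tamper_stage >= 1 && tamper_stage < STAGES)
        images[tamper_stage][0] ^= 0x01;
    return boot_chain(chain);
}

int main(void) {
    /* Clean chain boots to the kernel; a modified kernel is stopped by iBoot. */
    int clean = boot_with_tampered_stage(-1);
    int bad_kernel = boot_with_tampered_stage(3);
    return (clean == STAGES - 1 && bad_kernel == 2) ? 0 : 1;
}
```

The trust root is the digest baked into the ROM stage, which is why the ROM must be immutable: a check anywhere further down only means something if the stage performing it was itself verified.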
Step                        | Vulnerabilities | Techniques | Protections Defeated
Code Execution              | ?               | ?          | ?
Privileged Code Execution   | ?               | ?          | ?
Install the Implant         | ?               | ?          | ?
Getting in
• Main door: WebKit
• Huge attack surface: parsers, JS
• JavaScriptCore Use-After-Free
Use After Free
[Diagram: heap with Buffer A, Buffer B and Object X side by side]
[Diagram: Object X has been freed; its slot is now marked "???"]
Heap Spray
[Diagram: Buffer A surrounded by attacker-controlled objects (😈) that fill the freed slot and its neighbours]
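The heap diagrams above rest on one allocator property: a freed slot is typically the first to be handed out again, so a dangling pointer to Object X ends up aliasing whatever is allocated next, and spraying many same-sized objects makes that reuse reliable. The following added example (mine, not from the talk) models that with a toy slot allocator in C and shows one allocator-side mitigation, a free quarantine combined with zeroing on free. The arena, slot size and quarantine depth are constructed for illustration and are not modelled on JavaScriptCore's allocator.

```c
/*
 * Added example (not from the talk): a toy heap showing the property a
 * use-after-free relies on, and one allocator-side mitigation.
 * All "memory" lives in a static arena, so the stale pointer is still a valid
 * C pointer into the arena; only the program logic is wrong, as in a real UAF.
 * Sizes and quarantine depth are constructed values.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS      8
#define SLOT_SIZE  32
#define QUARANTINE 4   /* frees held back before a slot becomes reusable */

static uint8_t arena[SLOTS][SLOT_SIZE];
static int free_stack[SLOTS];      /* LIFO free list, as simple allocators use */
static int free_top;
static int quarantine[QUARANTINE]; /* FIFO of recently freed, not yet reusable slots */
static int q_len;
static int use_quarantine;

static void heap_reset(int with_quarantine) {
    memset(arena, 0, sizeof arena);
    free_top = 0;
    for (int s = SLOTS - 1; s >= 0; s--) free_stack[free_top++] = s; /* slot 0 first */
    q_len = 0;
    use_quarantine = with_quarantine;
}

static void *heap_alloc(void) {
    if (free_top == 0) return NULL;
    return arena[free_stack[--free_top]];
}

static void heap_free(void *p) {
    int slot = (int)(((uint8_t *)p - (uint8_t *)arena) / SLOT_SIZE);
    memset(arena[slot], 0, SLOT_SIZE);     /* zero on free: stale reads see no old data */
    if (!use_quarantine) {                 /* plain LIFO: the slot is reused immediately */
        free_stack[free_top++] = slot;
        return;
    }
    /* Quarantine: the slot is recycled only after QUARANTINE newer frees. */
    if (q_len == QUARANTINE) {
        free_stack[free_top++] = quarantine[0];
        memmove(quarantine, quarantine + 1, (QUARANTINE - 1) * sizeof quarantine[0]);
        q_len--;
    }
    quarantine[q_len++] = slot;
}

/* Plays the slide's scenario: Object X is freed while a second reference to it
 * survives, then Buffer B is allocated and filled with attacker-chosen bytes.
 * Returns 1 if the stale reference now aliases B and reads the sprayed bytes. */
int stale_pointer_aliases_new_buffer(int with_quarantine) {
    heap_reset(with_quarantine);
    char *a = heap_alloc();                 /* Buffer A */
    char *x = heap_alloc();                 /* Object X */
    char *stale = x;                        /* reference the code forgot about */
    strcpy(a, "buffer A");
    strcpy(x, "object X");
    heap_free(x);                           /* X released, 'stale' still points at its slot */
    char *b = heap_alloc();                 /* Buffer B: does it land on X's old slot? */
    memset(b, 'S', SLOT_SIZE - 1);          /* spray-like fill of the new buffer */
    b[SLOT_SIZE - 1] = '\0';
    return stale == b && stale[0] == 'S';
}

int main(void) {
    printf("plain LIFO allocator: stale pointer aliases B = %d\n",
           stale_pointer_aliases_new_buffer(0));
    printf("quarantine + zero on free: stale pointer aliases B = %d\n",
           stale_pointer_aliases_new_buffer(1));
    return 0;
}
```

The quarantine only raises the cost: the attacker now has to keep the dangling slot alive through more frees. The actual fix is in the program, which must not keep a reference past the free; allocator hardening is defence in depth for the bugs that slip through.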
Step                        | Vulnerabilities | Techniques | Protections Defeated
Code Execution              | JSCore UAF      | Heap Spray | -
Privileged Code Execution   | ?               | ?          | ?
Install the Implant         | ?               | ?          | ?
Code Execution
Sandbox
[Diagram: the attacker's code (😈, then 👿) inside the Sandbox]
Getting some space
• Escape the Sandbox
• Implementation Bug
• Unguarded syscalls
• Lateral movement
Step                        | Vulnerabilities | Techniques | Protections Defeated
Code Execution              | JSCore UAF      | Heap Spray | -
Unrestricted Code Execution | Sandbox Escape  | -          | Sandbox
Privileged Code Execution   | ?               | ?          | ?
Install the Implant         | ?               | ?          | ?
Unrestricted Code Execution
Elevate Privileges
• Get root
• Lateral movement: XPC, Daemons
• Stack Buffer Overflow
• Info Leak
Stack Buffer Overflow
[Diagram: stack frame with Return Address, Saved Registers and Buffer]
[Diagram: after the overflow: Buffer and Saved Registers overwritten with Shellcode, Return Address replaced by the shellcode address ("????????")]
Stack Cookies
[Diagram: the same frame with a Cookie placed between the Buffer and the Saved Registers / Return Address]
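Stack cookies work as the diagram suggests: a value placed between the buffer and the saved registers is compared in the epilogue, so a copy that overran the buffer is caught before the corrupted return address is used. The added example below (not from the talk) models a frame as a byte array in C with that layout, runs an unchecked copy and a bounded copy through it, and reports what the cookie check sees. Frame offsets, the cookie value and the return address are constructed; real SSP draws the cookie at process start and the compiler emits the check.

```c
/*
 * Added example (not from the talk): a software model of a stack cookie (SSP).
 * The frame is a byte array laid out as: Buffer | Cookie | Saved Registers |
 * Return Address. An unchecked copy into the buffer runs into the cookie, and
 * the epilogue notices before the return address would be used. Offsets, the
 * cookie and the return value are constructed for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16
#define COOKIE_OFF BUF_SIZE
#define SAVED_OFF  (COOKIE_OFF + 8)
#define RET_OFF    (SAVED_OFF + 8)
#define FRAME_SIZE (RET_OFF + 8)

enum { FRAME_OK = 0, FRAME_SMASHED = 1 };

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Prologue: lay out the frame and store the cookie right after the buffer. */
static void frame_enter(uint8_t frame[FRAME_SIZE], uint64_t cookie, uint64_t ret) {
    memset(frame, 0, FRAME_SIZE);
    wr64(frame + COOKIE_OFF, cookie);
    wr64(frame + SAVED_OFF, 0x1111111111111111ULL); /* stand-in for saved registers */
    wr64(frame + RET_OFF, ret);
}

/* Epilogue: compare the cookie before trusting anything above the buffer. */
static int frame_leave(const uint8_t frame[FRAME_SIZE], uint64_t cookie) {
    return rd64(frame + COOKIE_OFF) == cookie ? FRAME_OK : FRAME_SMASHED;
}

/* The bug: copies 'len' bytes into a BUF_SIZE buffer without checking len.
 * (Clamped to the frame so the model itself never leaves the array.) */
static void vulnerable_copy(uint8_t frame[FRAME_SIZE], const uint8_t *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, in, len);
}

/* The fix: never copy more than the buffer can hold. */
static void fixed_copy(uint8_t frame[FRAME_SIZE], const uint8_t *in, size_t len) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(frame, in, len);
}

/* One call with 'len' bytes of input; returns the cookie verdict and whether
 * the stored return address survived. */
static int simulate(size_t len, int use_fix, int *ret_intact) {
    uint8_t frame[FRAME_SIZE];
    uint8_t input[FRAME_SIZE];
    /* Constructed cookie; the zero low byte mirrors implementations that stop
     * C-string copies at the cookie. */
    const uint64_t cookie = 0x0a5ec00c1ef00d00ULL;
    const uint64_t ret = 0x4000ULL;           /* constructed return address */
    memset(input, 'A', sizeof input);
    frame_enter(frame, cookie, ret);
    if (use_fix) fixed_copy(frame, input, len);
    else         vulnerable_copy(frame, input, len);
    *ret_intact = rd64(frame + RET_OFF) == ret;
    return frame_leave(frame, cookie);
}

int cookie_check(size_t len, int use_fix) {
    int unused;
    return simulate(len, use_fix, &unused);
}

int return_address_intact(size_t len, int use_fix) {
    int intact;
    simulate(len, use_fix, &intact);
    return intact;
}

int main(void) {
    printf("16 bytes, unchecked copy: %s\n", cookie_check(16, 0) ? "smashed" : "ok");
    printf("17 bytes, unchecked copy: %s\n", cookie_check(17, 0) ? "smashed" : "ok");
    printf("40 bytes, unchecked copy: %s, return address intact = %d\n",
           cookie_check(40, 0) ? "smashed" : "ok", return_address_intact(40, 0));
    printf("40 bytes, bounded copy:   %s, return address intact = %d\n",
           cookie_check(40, 1) ? "smashed" : "ok", return_address_intact(40, 1));
    return 0;
}
```

Even a one-byte overrun trips the check, which is the point of placing the cookie directly after the buffer. The check is blind, however, once the cookie value is known, which is what the Info Leak bullet above refers to; the bounded copy is what removes the bug, the cookie only turns a silent corruption into an abort.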
DEP/NX
• Data Execution Prevention
• Non-Executable Stack
ROP
• Point return address to a “gadget”
• Chain gadgets together
• Turing-complete
ROP
• Gadget location?
Mapping Executables
[Diagram: executable sections A, B, C mapped at a fixed address range, 0x12340000–0x1234ffff]
ASLR
[Diagram: the same sections A, B, C, but the base address is now randomized: 0x1234????]
Step                        | Vulnerabilities            | Techniques | Protections Defeated
Code Execution              | JSCore UAF                 | Heap Spray | -
Unrestricted Code Execution | Sandbox Escape             | -          | Sandbox
Privileged Code Execution   | Buffer Overflow, Info Leak | ROP        | DEP, SSP, ASLR
Install the Implant         | ?                          | ?          | ?
Privileged Code Execution
Attacking the Kernel
• Maximum level of privilege
• Full control of the OS
Attacking the Kernel
• Huge attack surface
• Drivers, Mach, etc.
• All previous measures apply
Attacking the Kernel
• Double free in IOHID
• Similar to Use-After-Free
• Info Leak to defeat KASLR
Step                        | Vulnerabilities               | Techniques | Protections Defeated
Code Execution              | JSCore UAF                    | Heap Spray | -
Unrestricted Code Execution | Sandbox Escape                | -          | Sandbox
Privileged Code Execution   | Buffer Overflow, Info Leak    | ROP        | DEP, SSP, ASLR
Kernel Code Execution       | Double Free, Kernel Info Leak | ROP        | DEP, KASLR
Install the Implant         | ?                             | ?          | ?
Kernel Code Execution
Patching the Kernel
• It’s the one enforcing:
  • Code signing
  • Read-only /
  • etc.
Patch me if you can
• “Kernel Patch Protector”
Bypassing KPP
• Timing Attacks
• Implementation Logic
• Data only attack
Step                        | Vulnerabilities               | Techniques       | Protections Defeated
Code Execution              | JSCore UAF                    | Heap Spray       | -
Unrestricted Code Execution | Sandbox Escape                | -                | Sandbox
Privileged Code Execution   | Buffer Overflow, Info Leak    | ROP              | DEP, SSP, ASLR
Kernel Code Execution       | Double Free, Kernel Info Leak | ROP              | DEP, KASLR
Patch the Kernel            | Impl. Logic                   | Data Only Attack | KPP
Install the Implant         | ?                             | ?                | ?
Patch the Kernel
Step                        | Vulnerabilities               | Techniques       | Protections Defeated
Code Execution              | JSCore UAF                    | Heap Spray       | -
Unrestricted Code Execution | Sandbox Escape                | -                | Sandbox
Privileged Code Execution   | Buffer Overflow, Info Leak    | ROP              | DEP, SSP, ASLR
Kernel Code Execution       | Double Free, Kernel Info Leak | ROP              | DEP, KASLR
Patch the Kernel            | Impl. Logic                   | Data Only Attack | KPP
Install the Implant         | ✅                            | -                | ¯\_(ツ)_/¯
Questions?