speck & tech: attacking ios (a brief overview)

Attacking iOSA brief overview

• Computer Science student

• iOS: Cydia, App Store

• Product Security Intern

• Opinions are my own, etc.

iOS Security

–Forbes, Sep 21, 2015

“[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to

those who can demonstrate a workable, remote and untethered

jailbreak that will persist even after reboot.”

–Forbes, Sep 21, 2015

“[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to

those who can demonstrate a workable, remote and untethered jailbreak that will persist even after

reboot.”

• Code execution

• Privileged code execution

• Persistence

Code Signing

• Run only code signed by Apple

• Enforced by the kernel

Boot Chain of Trust

BootROM → LLB → iBoot → Kernel

Vulnerabilities Techniques Protections Defeated

Code Execution

?

Privileged Code Execution

?

?

Install the Implant

Getting in

• Main door: WebKit

• Huge attack surface: parsers, JS

• JavaScriptCore Use-After-Free

Use After Free

Use After Free

Buffer A

Buffer B

Object X

Use After Free

Buffer A

???

Heap Spray😈

Buffer A

😈

😈

😈

😈

😈

😈


Code Execution JSCore UAF Heap Spray -

?


?

?

Install the Implant

Code Execution

Sandbox

😈

Sandbox

👿

Getting some space

• Escape the Sandbox

• Implementation Bug

• Unguarded syscalls

• Lateral movement



Unrestricted Code Execution Sandbox Escape - Sandbox


?

?

Install the Implant

Unrestricted Code Execution

Elevate Privileges

• Get root

• Lateral movement: XPC, Daemons

• Stack Buffer Overflow

• Info Leak

Stack Buffer Overflow

Return AddressSaved RegistersSaved Registers

BufferBuffer

Stack Buffer Overflow

Return AddressSaved RegistersSaved Registers

BufferBuffer

ShellcodeShellcodeShellcodeShellcode

Shellcode address????????????????

Stack Cookies

CookieReturn AddressSaved RegistersSaved Registers

BufferBuffer

DEP/NX

• Data Execution Prevention

• Non-Executable Stack

ROP

• Point return address to a “gadget”

• Chain gadgets together

• Turing-complete

ROP

• Gadget location?

Mapping Executables

C

B

A

0x12340000

0x1234ffff

Mapping Executables

C

B

A0x12340000

0x1234ffff

ASLR

C

B

A

0x12340000

0x1234ffff

0x1234????

Elevate Privileges

• Get root

• Lateral movement: XPC, Daemons

• Stack Buffer Overflow

• Info Leak





Buffer Overflow Info Leak ROP

DEP SSP

ASLR

?

?

Install the Implant


Attacking the Kernel

• Maximum level of privilege

• Full control of the OS


• Huge attack surface

• Drivers, Mach, etc.

• All previous measures apply


• Double free in IOHID

• Similar to Use-After-Free

• Info Leak to defeat KASLR






DEP SSP

ASLR

Kernel Code Execution

Double Free Kernel Info Leak ROP DEP

KASLR

?

Install the Implant


Patching the Kernel

• It’s the one enforcing

• Code signing

• Read-only /

• etc.

Patch me if you can

• “Kernel Patch Protector”

Bypassing KPP

• Timing Attacks

• Implementation Logic

• Data only attack






DEP SSP

ASLR



KASLR

Patch the Kernel Impl. Logic Data Only Attack KPP

Install the Implant

Patch the Kernel






DEP SSP

ASLR



KASLR

Patch the Kernel Impl. Logic Data Only Attack KPP

Install the Implant ✅ - ¯\_( )_/¯

Questions?

speck & tech: attacking ios (a brief overview)

Software