speck & tech: attacking ios (a brief overview)

Attacking iOSA brief overview

• Computer Science student

• iOS: Cydia, App Store

• Product Security Intern

• Opinions are my own, etc.

iOS Security

–Forbes, Sep 21, 2015

“[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to

those who can demonstrate a workable, remote and untethered

jailbreak that will persist even after reboot.”

–Forbes, Sep 21, 2015

“[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to

those who can demonstrate a workable, remote and untethered jailbreak that will persist even after

reboot.”

• Code execution

• Privileged code execution

• Persistence

Code Signing

• Run only code signed by Apple

• Enforced by the kernel

Boot Chain of Trust

BootROM → LLB → iBoot → Kernel

Vulnerabilities Techniques Protections Defeated

Code Execution

Privileged Code Execution

Install the Implant

Getting in

• Main door: WebKit

• Huge attack surface: parsers, JS

• JavaScriptCore Use-After-Free

Getting in

• Main door: WebKit

• Huge attack surface: parsers, JS

• JavaScriptCore Use-After-Free

Use After Free

Buffer A

Buffer B

Object X

Use After Free

Buffer A

Heap Spray😈

Buffer A

Code Execution JSCore UAF Heap Spray -

Install the Implant

Code Execution

Sandbox

Getting some space

• Escape the Sandbox

• Implementation Bug

• Unguarded syscalls

• Lateral movement

Unrestricted Code Execution Sandbox Escape - Sandbox

Install the Implant

Unrestricted Code Execution

Elevate Privileges

• Get root

• Lateral movement: XPC, Daemons

• Stack Buffer Overflow

• Info Leak

Stack Buffer Overflow

Return AddressSaved RegistersSaved Registers

BufferBuffer

Stack Buffer Overflow

Return AddressSaved RegistersSaved Registers

BufferBuffer

ShellcodeShellcodeShellcodeShellcode

Shellcode address????????????????

Stack Cookies

CookieReturn AddressSaved RegistersSaved Registers

BufferBuffer

DEP/NX

• Data Execution Prevention

• Non-Executable Stack

• Point return address to a “gadget”

• Chain gadgets together

• Turing-complete

• Gadget location?

Mapping Executables

0x12340000

0x1234ffff

Mapping Executables

A0x12340000

0x1234ffff

0x12340000

0x1234ffff

0x1234????

Elevate Privileges

• Get root

• Lateral movement: XPC, Daemons

• Stack Buffer Overflow

• Info Leak

Buffer Overflow Info Leak ROP

DEP SSP

Install the Implant

Attacking the Kernel

• Maximum level of privilege

• Full control of the OS

• Huge attack surface

• Drivers, Mach, etc.

• All previous measures apply

• Double free in IOHID

• Similar to Use-After-Free

• Info Leak to defeat KASLR

DEP SSP

Kernel Code Execution

Double Free Kernel Info Leak ROP DEP

Install the Implant

Patching the Kernel

• It’s the one enforcing

• Code signing

• Read-only /

• etc.

Patch me if you can

• “Kernel Patch Protector”

Bypassing KPP

• Timing Attacks

• Implementation Logic

• Data only attack

DEP SSP

Patch the Kernel Impl. Logic Data Only Attack KPP

Install the Implant

Patch the Kernel

DEP SSP

Patch the Kernel Impl. Logic Data Only Attack KPP

Install the Implant ✅ - ¯\_( )_/¯

Questions?

speck & tech: attacking ios (a brief overview)

Software

speck pumpen

revisiting ios kernel (in)security: attacking the early...

speck ecg & patient monitor

macbook-colors-october - speck...

circulation - speck pumps

thomas speck: biomimetic architecture

speck & bitcoin

inside - speck pumpen · 2 company speck pumps south africa...

attacking authentication

12 - speck-bombas.com

speck pumps catalogue inner final 201201

20 attacking drills - association de soccer de - · pdf...

attacking voip

speck malacara

attacking and defending apple ios devices

speck detectives!!

model eq16 - speck electronics

attacking soccer

cnit 128 hacking mobile devices · 2020-04-29 · hacking...

richard speck