Speck & Tech
Attacking iOS: A brief overview
• Computer Science student
• iOS: Cydia, App Store
• Product Security Intern
• Opinions are my own, etc.
iOS Security
“[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to those who can demonstrate a workable, remote and untethered jailbreak that will persist even after reboot.”
–Forbes, Sep 21, 2015
• Code execution
• Privileged code execution
• Persistence
Code Signing
• Run only code signed by Apple
• Enforced by the kernel
Boot Chain of Trust
BootROM → LLB → iBoot → Kernel
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | | | |
| ? | | | |
| Privileged Code Execution | | | |
| ? | | | |
| ? | | | |
| Install the Implant | | | |
Getting in
• Main door: WebKit
• Huge attack surface: parsers, JS
• JavaScriptCore Use-After-Free
Use After Free
(diagram: heap layout with Buffer A, Buffer B and Object X side by side)
Use After Free
(diagram: Object X has been freed; its slot next to Buffer A is now shown as ???)
Heap Spray
(diagram: Buffer A followed by many attacker-controlled objects 😈 filling the freed slots)
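The Use-After-Free and Heap Spray sequence above, replayed as an added example that is not part of the deck: a toy slab allocator with a LIFO free list (all names and values constructed for the demo) shows deterministically why a stale pointer to a freed slot ends up pointing at attacker-chosen contents, and the program-side habit that prevents the stale use.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the slides: a toy slab allocator with a LIFO free
 * list replays the Use-After-Free and Heap Spray sequence without undefined
 * behaviour (the "heap" is a static array), so the hazard and a mitigation
 * can be checked. All names and values are constructed for the demo. */
#define NSLOTS 8
#define SPRAY_MARKER 0x41414141u  /* constructed attacker-chosen slot content */
typedef struct { void (*handler)(void); } object_t;  /* "Object X": holds a callback */
static object_t slab[NSLOTS];     /* Buffer A, Buffer B, Object X live here */
static int free_list[NSLOTS];     /* indices of free slots, most recent on top */
static int free_top;

void slab_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}
object_t *slab_alloc(void) { return free_top ? &slab[free_list[--free_top]] : NULL; }
void slab_free(object_t *p) { free_list[free_top++] = (int)(p - slab); }
static void legit_handler(void) {}

/* Spray: take every free slot, including the one just freed, and fill it with
 * attacker-chosen contents, as a script that can drive allocations would. */
static void spray(void) {
    for (object_t *p; (p = slab_alloc()) != NULL; )
        p->handler = (void (*)(void))(uintptr_t)SPRAY_MARKER;
}

/* Bug: Object X is freed but its pointer is kept. After the spray, the stale
 * pointer's handler is whatever landed in that slot (the "???" on the slide). */
uintptr_t stale_handler_after_spray(void) {
    slab_init();
    object_t *x = slab_alloc();
    x->handler = legit_handler;
    slab_free(x);
    spray();
    return (uintptr_t)x->handler;  /* SPRAY_MARKER: a call here would jump to attacker data */
}

/* Mitigation on the program side: free through a helper that clears the only
 * reference, so a later use sees NULL instead of a reused slot. */
static void release(object_t **pp) { slab_free(*pp); *pp = NULL; }
int stale_use_prevented(void) {
    slab_init();
    object_t *x = slab_alloc();
    x->handler = legit_handler;
    release(&x);
    spray();
    return x == NULL;              /* callers must test x before calling x->handler */
}
```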
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | JSCore UAF | Heap Spray | - |
| ? | | | |
| Privileged Code Execution | | | |
| ? | | | |
| ? | | | |
| Install the Implant | | | |
(current step: Code Execution)
Sandbox
(diagram: the attacker's code 😈 is confined inside the Sandbox)
Sandbox
(diagram: 👿, still confined inside the Sandbox)
Getting some space
• Escape the Sandbox
• Implementation Bug
• Unguarded syscalls
• Lateral movement
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | JSCore UAF | Heap Spray | - |
| Unrestricted Code Execution | Sandbox Escape | - | Sandbox |
| Privileged Code Execution | | | |
| ? | | | |
| ? | | | |
| Install the Implant | | | |
(current step: Unrestricted Code Execution)
Elevate Privileges
• Get root
• Lateral movement: XPC, Daemons
• Stack Buffer Overflow
• Info Leak
Stack Buffer Overflow
(stack frame diagram, top to bottom: Return Address, Saved Registers, Buffer)
Stack Buffer Overflow
(same frame after the overflow: the Buffer is filled with Shellcode, the Saved Registers are overwritten with ????????, and the Return Address now holds the Shellcode address)
Stack Cookies
(stack frame diagram, top to bottom: Return Address, Saved Registers, Cookie, Buffer; the Cookie sits between the Buffer and the saved control data)
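The Stack Buffer Overflow and Stack Cookies slides above as an added example, not code from the deck: the frame is modelled as a struct (Buffer, then Cookie, then Saved Registers and Return Address) so an overflow can be replayed in-bounds, and the epilogue check that a stack protector performs can be observed catching it before the return address is usable. All names and values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the slides: the Stack Cookies frame modelled as a
 * struct so an overflow stays within the struct's own storage while still
 * overwriting the fields in the order the slide shows. Values are constructed. */
typedef struct {
    char buffer[16];          /* an overflow runs from here into the fields below */
    uint64_t cookie;          /* guard value, the first thing the overflow hits */
    uint64_t saved_regs[2];
    uint64_t return_address;
} frame_t;

#define CALLER_ADDR 0x1000u                               /* constructed return address */
static const uint64_t g_cookie = 0x7a3f19c2d5e84b01ULL;  /* stands in for the per-process random cookie */

/* Prologue: plant the cookie between the buffer and the control data. */
static void frame_enter(frame_t *f) {
    memset(f, 0, sizeof *f);
    f->cookie = g_cookie;
    f->return_address = CALLER_ADDR;
}

/* The bug from the Stack Buffer Overflow slide: n bytes copied into a 16-byte
 * buffer with no bound. Clamped to the frame size so the model stays inside
 * the struct object (the write goes through its byte representation). */
static void vulnerable_copy(frame_t *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f + offsetof(frame_t, buffer), src, n);
}

/* Epilogue: compare the cookie before the return address is used;
 * 0 means smashing was detected (a real stack protector aborts here). */
static int frame_leave(const frame_t *f) { return f->cookie == g_cookie; }

/* Runs the vulnerable copy on input_len filler bytes ('A') and reports
 * bit 0: cookie check failed (detected), bit 1: return address overwritten.
 * Bit 1 never appears without bit 0, because the cookie is hit first. */
int overflow_outcome(size_t input_len) {
    frame_t f;
    uint8_t input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);       /* constructed payload filler */
    frame_enter(&f);
    vulnerable_copy(&f, input, input_len);
    return (frame_leave(&f) ? 0 : 1) | (f.return_address != CALLER_ADDR ? 2 : 0);
}
```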
DEP/NX
• Data Execution Prevention
• Non-Executable Stack
ROP
• Point return address to a “gadget”
• Chain gadgets together
• Turing-complete
ROP
• Gadget location?
Mapping Executables
(diagram: executable segments C, B, A mapped between 0x12340000 and 0x1234ffff)
Mapping Executables
(same diagram, with segment A at the fixed address 0x12340000)
ASLR
(diagram: the same segments, but the base is now randomized: 0x1234????)
Elevate Privileges
• Get root
• Lateral movement: XPC, Daemons
• Stack Buffer Overflow
• Info Leak
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | JSCore UAF | Heap Spray | - |
| Unrestricted Code Execution | Sandbox Escape | - | Sandbox |
| Privileged Code Execution | Buffer Overflow, Info Leak | ROP | DEP, SSP, ASLR |
| ? | | | |
| ? | | | |
| Install the Implant | | | |
(current step: Privileged Code Execution)
Attacking the Kernel
• Maximum level of privilege
• Full control of the OS
Attacking the Kernel
• Huge attack surface
• Drivers, Mach, etc.
• All previous measures apply
Attacking the Kernel
• Double free in IOHID
• Similar to Use-After-Free
• Info Leak to defeat KASLR
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | JSCore UAF | Heap Spray | - |
| Unrestricted Code Execution | Sandbox Escape | - | Sandbox |
| Privileged Code Execution | Buffer Overflow, Info Leak | ROP | DEP, SSP, ASLR |
| Kernel Code Execution | Double Free, Kernel Info Leak | ROP | DEP, KASLR |
| ? | | | |
| Install the Implant | | | |
(current step: Kernel Code Execution)
Patching the Kernel
• It’s the one enforcing:
  • Code signing
  • Read-only root filesystem (/)
  • etc.
Patch me if you can
• “Kernel Patch Protector”
Bypassing KPP
• Timing Attacks
• Implementation Logic
• Data only attack
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | JSCore UAF | Heap Spray | - |
| Unrestricted Code Execution | Sandbox Escape | - | Sandbox |
| Privileged Code Execution | Buffer Overflow, Info Leak | ROP | DEP, SSP, ASLR |
| Kernel Code Execution | Double Free, Kernel Info Leak | ROP | DEP, KASLR |
| Patch the Kernel | Impl. Logic | Data Only Attack | KPP |
| Install the Implant | | | |
(current step: Patch the Kernel)
| | Vulnerabilities | Techniques | Protections Defeated |
|---|---|---|---|
| Code Execution | JSCore UAF | Heap Spray | - |
| Unrestricted Code Execution | Sandbox Escape | - | Sandbox |
| Privileged Code Execution | Buffer Overflow, Info Leak | ROP | DEP, SSP, ASLR |
| Kernel Code Execution | Double Free, Kernel Info Leak | ROP | DEP, KASLR |
| Patch the Kernel | Impl. Logic | Data Only Attack | KPP |
| Install the Implant | ✅ | - | ¯\_(ツ)_/¯ |
Questions?