
Speck & Tech: Attacking iOS (A brief overview)

A brief overview of the iOS security model for non-security people.

  1. Attacking iOS: A brief overview
  2. • Computer Science student
     • iOS: Cydia, App Store
     • Product Security Intern
     • Opinions are my own, etc.
  3. iOS Security
  4. “[…] CEO of Zerodium and Vupen, wants to pay out $1 million each to those who can demonstrate a workable, remote and untethered jailbreak that will persist even after reboot.” – Forbes, Sep 21, 2015
  6. • Code execution
     • Privileged code execution
     • Persistence
  7. Code Signing
     • Run only code signed by Apple
     • Enforced by the kernel
  8. Boot Chain of Trust: BootROM → LLB → iBoot → Kernel
  9. Progress table (columns: Vulnerabilities | Techniques | Protections Defeated), still empty
     • Code Execution: ?
     • Privileged Code Execution: ? ?
     • Install the Implant
  10. Getting in
     • Main door: WebKit
     • Huge attack surface: parsers, JS
     • JavaScriptCore Use-After-Free
  12. Use After Free
  13. Use After Free (diagram: Buffer A, Buffer B, Object X)
  14. Use After Free (diagram: Buffer A, ???)
  15. Heap Spray (diagram: Buffer A surrounded by 😈 objects)
  16. Progress table, Code Execution row filled in: JSCore UAF | Heap Spray | - (other rows still ?; current stage: Code Execution)
  17. Sandbox 😈
  18. Sandbox 👿
  19. Getting some space
     • Escape the Sandbox
     • Implementation Bug
     • Unguarded syscalls
     • Lateral movement
  20. Progress table, Unrestricted Code Execution row added: Sandbox Escape | - | Sandbox (current stage: Unrestricted Code Execution)
  21. Elevate Privileges
     • Get root
     • Lateral movement: XPC, Daemons
     • Stack Buffer Overflow
     • Info Leak
  22. Stack Buffer Overflow (diagram of a stack frame: Return Address, Saved Registers, Buffer)
  23. Stack Buffer Overflow (diagram: Buffer filled with Shellcode, Saved Registers overwritten with ????, Return Address replaced by the Shellcode address)
  24. Stack Cookies (diagram of the frame with a Cookie added: Cookie, Return Address, Saved Registers, Buffer)
  25. DEP/NX
     • Data Execution Prevention
     • Non-Executable Stack
  26. ROP
     • Point return address to a “gadget”
     • Chain gadgets together
     • Turing-complete
  27. ROP
     • Gadget location?
  28. Mapping Executables (diagram: modules A, B, C mapped at 0x12340000–0x1234ffff)
  30. ASLR (diagram: the same modules A, B, C; 0x12340000–0x1234ffff becomes 0x1234????)
  32. Progress table, Privileged Code Execution row added: Buffer Overflow, Info Leak | ROP | DEP, SSP, ASLR (Install the Implant still ? ?; current stage: Privileged Code Execution)
  33. Attacking the Kernel
     • Maximum level of privilege
     • Full control of the OS
  34. Attacking the Kernel
     • Huge attack surface
     • Drivers, Mach, etc.
     • All previous measures apply
  35. Attacking the Kernel
     • Double free in IOHID
     • Similar to Use-After-Free
     • Info Leak to defeat KASLR
  36. Progress table, Kernel Code Execution row added: Double Free, Kernel Info Leak | ROP | DEP, KASLR (Install the Implant still ?; current stage: Kernel Code Execution)
  37. Patching the Kernel
     • It’s the one enforcing:
       • Code signing
       • Read-only /
       • etc.
  38. Patch me if you can
     • “Kernel Patch Protector”
  39. Bypassing KPP
     • Timing Attacks
     • Implementation Logic
     • Data only attack
  40. Progress table, Patch the Kernel row added: Impl. Logic | Data Only Attack | KPP (current stage: Patch the Kernel)
  41. Final progress table

     | Stage                       | Vulnerabilities                | Techniques       | Protections Defeated |
     |-----------------------------|--------------------------------|------------------|----------------------|
     | Code Execution              | JSCore UAF                     | Heap Spray       | -                    |
     | Unrestricted Code Execution | Sandbox Escape                 | -                | Sandbox              |
     | Privileged Code Execution   | Buffer Overflow, Info Leak     | ROP              | DEP, SSP, ASLR       |
     | Kernel Code Execution       | Double Free, Kernel Info Leak  | ROP              | DEP, KASLR           |
     | Patch the Kernel            | Impl. Logic                    | Data Only Attack | KPP                  |
     | Install the Implant         | ✅                             | -                | ¯\_(ツ)_/¯           |

  42. Questions?
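Slides 13–15 and 35 show the memory-safety bugs the deck relies on (use-after-free and double free) as pictures only. The following added example, which is not from the talk, uses a toy fixed-size free-list allocator (a constructed stand-in for the real heap) to make the "Object X is freed, Buffer A lands in its slot" aliasing deterministic and to show how a free list can catch a double free.

```c
/* Added example, not from the talk: toy fixed-size free-list allocator. */
#include <stddef.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 4

static unsigned char heap[NSLOTS][SLOT_SIZE];
static int free_list[NSLOTS];   /* LIFO: the last slot freed is the next one handed out */
static int free_top = -1;       /* -1 = not yet initialised */

static void toy_init(void) {
    for (int i = 0; i < NSLOTS; i++) free_list[i] = NSLOTS - 1 - i;
    free_top = NSLOTS;
}

void *toy_alloc(void) {
    if (free_top < 0) toy_init();
    if (free_top == 0) return NULL;   /* out of slots */
    return heap[free_list[--free_top]];
}

/* Returns 0 on success, -1 if the slot is already on the free list (double free). */
int toy_free(void *p) {
    int slot = (int)(((unsigned char *)p - &heap[0][0]) / SLOT_SIZE);
    for (int i = 0; i < free_top; i++)
        if (free_list[i] == slot) return -1;
    free_list[free_top++] = slot;
    return 0;
}

/* Slides 13-14: Object X is freed but a pointer to it survives; the next same-size
 * allocation (Buffer A) reuses the slot, so the stale pointer now reads whatever
 * Buffer A's owner wrote. Returns 1 if that aliasing happened. */
int uaf_aliases_new_buffer(void) {
    char *object_x = toy_alloc();
    strcpy(object_x, "object X");
    toy_free(object_x);               /* object_x is now dangling, not NULL */
    char *buffer_a = toy_alloc();     /* lands in Object X's old slot */
    memset(buffer_a, 'A', SLOT_SIZE - 1);
    buffer_a[SLOT_SIZE - 1] = '\0';
    int aliased = (object_x == buffer_a) && (object_x[0] == 'A');
    toy_free(buffer_a);
    return aliased;
}

/* Slide 35's bug class: the same slot freed twice. Returns 1 if the second free was refused. */
int double_free_is_detected(void) {
    void *p = toy_alloc();
    int first = toy_free(p), second = toy_free(p);
    return first == 0 && second == -1;
}
```

The defensive reading of slide 14: a freed pointer must be cleared (or its object reference-counted) so that no code path can dereference it after the slot has been handed to someone else.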
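Slides 22–24 describe the stack buffer overflow and the stack cookie (SSP) that catches it. The following added example, which is not from the talk, models a stack frame as a plain byte array laid out as [buffer][cookie][saved return address]; the COOKIE value, the 0x400123 return address and the inputs are constructed, and the layout and abort path of a real compiler differ.

```c
/* Added example, not from the talk: user-space model of a stack cookie check. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 16
#define FRAME_LEN (BUF_LEN + 2 * sizeof(uint64_t))

static const uint64_t COOKIE = 0x5A3C9E1DB7F0246Bull;  /* constructed; real SSP picks a random one at process start */

/* Lay out the model frame: [buf][cookie][saved return address]. */
static void frame_init(unsigned char *frame) {
    uint64_t ret = 0x400123;                       /* constructed placeholder */
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &COOKIE, sizeof COOKIE);
    memcpy(frame + BUF_LEN + sizeof COOKIE, &ret, sizeof ret);
}

/* The epilogue check SSP inserts before returning: 0 if intact, -1 if the cookie was smashed. */
static int frame_check(const unsigned char *frame) {
    return memcmp(frame + BUF_LEN, &COOKIE, sizeof COOKIE) == 0 ? 0 : -1;
}

/* Vulnerable pattern (slide 22): copies n bytes into a 16-byte buffer without a bound.
 * Anything past BUF_LEN overwrites the cookie, then the saved return address. */
int copy_unbounded(const char *in, size_t n) {
    unsigned char frame[FRAME_LEN];
    frame_init(frame);
    if (n > FRAME_LEN) n = FRAME_LEN;   /* keeps the model itself memory-safe; the cookie is smashed anyway */
    memcpy(frame, in, n);
    return frame_check(frame);          /* slide 24: the cookie catches the overrun */
}

/* Hardened pattern: enforce the bound up front, so the cookie is never the only defence.
 * Returns 0 on success, -2 if the input is rejected. */
int copy_bounded(const char *in, size_t n) {
    unsigned char frame[FRAME_LEN];
    frame_init(frame);
    if (n > BUF_LEN - 1) return -2;     /* leave room for the terminator */
    memcpy(frame, in, n);
    frame[n] = '\0';
    return frame_check(frame);
}

/* Drives both versions with constructed inputs; returns 1 if they behave as described above. */
int demo_overflow_detected(void) {
    char big[24];
    memset(big, 'A', sizeof big);       /* 24 bytes: 16 fill the buffer, 8 land on the cookie */
    return copy_unbounded("hello", 5) == 0 && copy_unbounded(big, sizeof big) == -1
        && copy_bounded("hello", 5) == 0 && copy_bounded(big, sizeof big) == -2;
}
```

Slide 25 (DEP/NX) and slide 30 (ASLR) are the other two layers on top of this check: even a copy that slips past the cookie lands in non-executable memory at an address the attacker cannot predict.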
