This document discusses research into running iOS on the QEMU emulator. It covers:
- Past research by Worth Doing Badly that booted an iOS kernel on QEMU without patches.
- The current project's progress in booting the secure monitor and kernel, running a user app via launchd, and running bash interactively.
- Details on boot processes like loading the secure monitor and resolving issues with the kernel base address.
- Techniques used like modifying the trust cache and dynamic linker cache to run non-Apple binaries.
- Next steps involve improving hardware support, running more services via launchd, adding CPU/interrupt support, and continuing security research.
I have tried to present maximum detail on android booting sequence in a very abstract way. I hope it would be useful. If you find any correction needed please mention it on comments. Happy Coding :)
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
EFI is a very hot topic now because more and more hardware vendors are providing some new systems with it. The long term goal is a total removal of legacy BIOS support. It means that Xen should be prepared for that case. Indeed it is mostly ready. During this presentation it will be shown what EFI is in real and how Xen and other required pieces use EFI infrastructure. However, there are still some shortcomings in Xen and they will be described too. There will be also some guidance how to efficiently start Xen on EFI platform. Some guests topics related to EFI also will be covered.
I have tried to present maximum detail on android booting sequence in a very abstract way. I hope it would be useful. If you find any correction needed please mention it on comments. Happy Coding :)
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
EFI is a very hot topic now because more and more hardware vendors are providing some new systems with it. The long term goal is a total removal of legacy BIOS support. It means that Xen should be prepared for that case. Indeed it is mostly ready. During this presentation it will be shown what EFI is in real and how Xen and other required pieces use EFI infrastructure. However, there are still some shortcomings in Xen and they will be described too. There will be also some guidance how to efficiently start Xen on EFI platform. Some guests topics related to EFI also will be covered.
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Running services in virtualized systems provides many benefits, but has often presented performance and flexibility drawbacks. This has become critical when managing large databases, where resource usage and performance are paramount. We will explore a case study in the use of Docker to roll out multiple database servers distributed across multiple physical servers.
Talk given at the OCP Open System Firmware engineering workshop on 5/17/22. Talk was recorded; video at https://www.youtube.com/watch?v=eNI0wFgBNmY#t=7044s
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
Spot Trading - A case study in continuous delivery for mission critical finan...SaltStack
This is a presentation given by Jeremy Alons, Spot Trading, at the DevOps Summit Chicago in August 2014. Jeremy shares how Spot Trading does automated deployments for mission-critical financial services with a case study in continuous delivery.
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Running services in virtualized systems provides many benefits, but has often presented performance and flexibility drawbacks. This has become critical when managing large databases, where resource usage and performance are paramount. We will explore a case study in the use of Docker to roll out multiple database servers distributed across multiple physical servers.
Talk given at the OCP Open System Firmware engineering workshop on 5/17/22. Talk was recorded; video at https://www.youtube.com/watch?v=eNI0wFgBNmY#t=7044s
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
Spot Trading - A case study in continuous delivery for mission critical finan...SaltStack
This is a presentation given by Jeremy Alons, Spot Trading, at the DevOps Summit Chicago in August 2014. Jeremy shares how Spot Trading does automated deployments for mission-critical financial services with a case study in continuous delivery.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Understanding Nidhi Software Pricing: A Quick Guide 🌟
Choosing the right software is vital for Nidhi companies to streamline operations. Our latest presentation covers Nidhi software pricing, key factors, costs, and negotiation tips.
📊 What You’ll Learn:
Key factors influencing Nidhi software price
Understanding the true cost beyond the initial price
Tips for negotiating the best deal
Affordable and customizable pricing options with Vector Nidhi Software
🔗 Learn more at: www.vectornidhisoftware.com/software-for-nidhi-company/
#NidhiSoftwarePrice #NidhiSoftware #VectorNidhi
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
2. How current iOS research is done
• Third party iOS emulator on a remote server
• Development fused iPhone
• Off the shelf iPhone – jailbroken
• Off the shelf iPhone – no jailbreak
4. Jonathan Afek
• Aleph Research group manager at HCL/AppScan
• 15 years of experience in security research and low level development
including vulnerability research, Linux kernel, storage systems, WiFi systems
and FW, security systems and more.
5. iOS on QEMU work done by
@zhuowei (Worth Doing Badly)
6.
7. Past Research – Worth Doing Badly (@zhuowei)
• Chosen version is iPhone X iOS 12 beta 4
• Extracted the kernel image and the device tree from the software update
package
• kernel, device tree and the kernel boot arguments were loaded in memory
• iOS RAMDisk was loaded in memory
• UART serial output was achieved
• Kernel was booted
• Launchd was executed
9. Goals of our project
• Booting iOS on QEMU with no kernel patches
• Supporting hardware (disk, display, touch, sound, multiple CPUs, Interrupt
controllers, etc…)
• Supporting different iOS versions
• Conducting iOS security research
• Learning about iOS and QEMU internals
10. Status of our project
• Booting Secure Monitor and the kernel (unpatched)
• Executing a user-mode app over launchd
• Running an interactive bash shell on an iOS kernel on QEMU
• Supporting only on iOS 12.1 for iPhone 6s plus
12. Agenda
• Past public research on iOS on QEMU
• iOS kernel boot process
• Execution of non-apple executables with Trust Cache
• Bash execution with launchd
• UART interactive I/O
• Next steps
13. iOS kernel boot process
• Start booting the kernelcache code in EL1 as done by @zhuowei
• Crash on SMC instruction
(Secure Monitor Call)
e an
14. iOS kernel boot process
from https://developer.arm.com/docs/den0024/a/fundamentals-of-armv8
15. iOS kernel boot process
• Secure Monitor Loads at boot in EL3
• It resides in a secure memory location inaccessible from EL1 (kernel code)
• It services SMC calls from the kernel (similar to how system calls from user
apps to the kernel are serviced)
• It is responsible for KPP (Kernel Patch Protection) in our system
16. iOS kernel boot process
• The kernel needs a secure monitor to service its SMCs
18. iOS kernel boot process
• iPhone X uses KTRR (hardware mechanism to prevent patches) and no
longer uses a Secure Monitor for KPP (Kernel Patch Protection)
• Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and
start executing
• Loading the image at its preferred address (secure memory) with the image’s boot
args at the next page and start execution at the entry point in EL3
19. iOS kernel boot process
• Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and
start executing
• Data abort for trying to parse the kernelcache Mach-O header to decide which areas
need which protections
21. iOS kernel boot process
Lowest address kernel part Kernel Mach-O header Rest of kernel
Kernel address space grows this way ->
Base address boot arg
22. iOS kernel boot process
• The kernel needs a secure monitor to service its SMCs
• The secure monitor requires the base address boot arg to point to the kernel
Macho-O header
24. iOS kernel boot process
Lowest address kernel part Kernel Mach-O header Rest of kernel
Kernel address space grows this way ->
Base address boot arg
25. iOS kernel boot process
• Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and
start executing
• Tried many different solutions such as changing the base address to the loaded Mach-
O header address (above the lowest loaded section/driver)
26. iOS kernel boot process
• The kernel needs a secure monitor to service its SMCs
• The secure monitor requires the base address boot arg to point to the kernel
Macho-O header
• The base address boot arg needs to point to the lowest kernel address in
order for the kernel to operate properly
28. iOS kernel boot process
Lowest address
kernel part
Kernel Mach-O header Rest of kernel
Kernel address space grows this way ->
Base address boot arg
Another copy of raw kernel
file beginning with the
Mach-O header
30. Agenda
• Past public research on iOS on QEMU
• iOS kernel boot process
• Execution of non-apple executables with Trust Cache
• Bash execution with launchd
• UART interactive I/O
• Next steps
33. Trust Cache
• iOS has 3 different types of trust caches
• A list of hardcoded hashes approved in the kernelcache
• A dynamic trust cache that can be loaded at runtime from a file
• A static trust cache in memory pointed from the device tree
34. Trust Cache
• Top level CoreTrust validation where execution is decided
44. Agenda
• Past public research on iOS on QEMU
• iOS kernel boot process
• Execution of non-apple executables with Trust Cache
• Bash execution with launchd
• UART interactive I/O
• Next steps
45. Bash on Launchd
• Mount the RAMDisk image on OSX
• Remove all files in /System/Library/LaunchDaemons/
• Add a single file there for running bash (com.apple.bash.plist)
• Add the bash executable to the RAMDisk
• Add the bash executable to the Trust Cache
• Unmount the RAMDisk and run QEMU
49. Bash on Launchd
• The RAMDisk image comes without the dynamic loader cache on it, which is
a file that holds most of the common runtime libs for iOS
• Copy this file into the RAMDisk at the correct path from the full disk images
57. Bash on Launchd
• The code validates that the cache file is owned by root
• Mount the RAMDisk image in a different way to allow permission editing
• Copy the cache file and chown to root
59. Agenda
• Past public research on iOS on QEMU
• iOS kernel boot process
• Execution of non-apple executables with Trust Cache
• Bash execution with launchd
• UART interactive I/O
• Next steps
60. Interactive UART
• UART output only was already possible with previous research
• Found where UART input is decided on in the kernel
61. Interactive UART
• Enabling UART input is decided based on bit #1 of a global var
• The global var is read from the “serial” kernel boot arg
65. Demo – Research a vulnerability – voucher_swap
• Research done by Brandon Azad
• iOS 12.1 jailbreak
• Trigger the vulnerability while debugging
66.
67. Agenda
• Past public research on iOS on QEMU
• iOS kernel boot process
• Execution of non-apple executables with Trust Cache
• Bash execution with launchd
• UART interactive I/O
• Next steps
68. Next steps and challenges
• IP communication
• Non RAMDisk disk support
• More hardware devices (disk, screen, touch, sound, comms, etc..)
• Load all the regular iOS services in the original launchd dir instead of just
bash
• More than a single CPU and an interrupt controller
• More iOS versions and devices including KTRR, PAC and other features
• More gdb scripts (allocation zones info, objects info, etc…)
• Security research
69. Black Hat Sound Bytes
• Use the the project and contribute! https://github.com/alephsecurity
• Check out our blog: https://alephsecurity.com
• Follow us on twitter: @alephsecurity @JonathanAfek
• Questions?