SlideShare a Scribd company logo

eu-19-Afek-Booting-The-iOS-Kernel-To-An-Interactive-Bash-Shell-On-QEMU.pdf

S
ssuser6e61b3

This document discusses research into running iOS on the QEMU emulator. It covers: - Past research by Worth Doing Badly that booted an iOS kernel on QEMU without patches. - The current project's progress in booting the secure monitor and kernel, running a user app via launchd, and running bash interactively. - Details on boot processes like loading the secure monitor and resolving issues with the kernel base address. - Techniques used like modifying the trust cache and dynamic linker cache to run non-Apple binaries. - Next steps involve improving hardware support, running more services via launchd, adding CPU/interrupt support, and continuing security research.

Software
1 of 69
Download to read offline
How current iOS research is done • Third party iOS emulator on a remote server • Development fused iPhone • Off the shelf iPhone – jailbroken • Off the shelf iPhone – no jailbreak
iPhone panic log
Jonathan Afek • Aleph Research group manager at HCL/AppScan • 15 years of experience in security research and low level development including vulnerability research, Linux kernel, storage systems, WiFi systems and FW, security systems and more.
iOS on QEMU work done by @zhuowei (Worth Doing Badly)
Past Research – Worth Doing Badly (@zhuowei) • Chosen version is iPhone X iOS 12 beta 4 • Extracted the kernel image and the device tree from the software update package • kernel, device tree and the kernel boot arguments were loaded in memory • iOS RAMDisk was loaded in memory • UART serial output was achieved • Kernel was booted • Launchd was executed
Past Research – Worth Doing Badly (@zhuowei)
Goals of our project • Booting iOS on QEMU with no kernel patches • Supporting hardware (disk, display, touch, sound, multiple CPUs, Interrupt controllers, etc…) • Supporting different iOS versions • Conducting iOS security research • Learning about iOS and QEMU internals
Status of our project • Booting Secure Monitor and the kernel (unpatched) • Executing a user-mode app over launchd • Running an interactive bash shell on an iOS kernel on QEMU • Supporting only on iOS 12.1 for iPhone 6s plus
DEMO - General use
Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
iOS kernel boot process • Start booting the kernelcache code in EL1 as done by @zhuowei • Crash on SMC instruction (Secure Monitor Call) e an
iOS kernel boot process from https://developer.arm.com/docs/den0024/a/fundamentals-of-armv8
iOS kernel boot process • Secure Monitor Loads at boot in EL3 • It resides in a secure memory location inaccessible from EL1 (kernel code) • It services SMC calls from the kernel (similar to how system calls from user apps to the kernel are serviced) • It is responsible for KPP (Kernel Patch Protection) in our system
iOS kernel boot process • The kernel needs a secure monitor to service its SMCs
iOS kernel boot process Any ideas?
iOS kernel boot process • iPhone X uses KTRR (hardware mechanism to prevent patches) and no longer uses a Secure Monitor for KPP (Kernel Patch Protection) • Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and start executing • Loading the image at its preferred address (secure memory) with the image’s boot args at the next page and start execution at the entry point in EL3
iOS kernel boot process • Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and start executing • Data abort for trying to parse the kernelcache Mach-O header to decide which areas need which protections
iOS kernel boot process
iOS kernel boot process Lowest address kernel part Kernel Mach-O header Rest of kernel Kernel address space grows this way -> Base address boot arg
iOS kernel boot process • The kernel needs a secure monitor to service its SMCs • The secure monitor requires the base address boot arg to point to the kernel Macho-O header
iOS kernel boot process Any ideas?
iOS kernel boot process Lowest address kernel part Kernel Mach-O header Rest of kernel Kernel address space grows this way -> Base address boot arg
iOS kernel boot process • Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and start executing • Tried many different solutions such as changing the base address to the loaded Mach- O header address (above the lowest loaded section/driver)
iOS kernel boot process • The kernel needs a secure monitor to service its SMCs • The secure monitor requires the base address boot arg to point to the kernel Macho-O header • The base address boot arg needs to point to the lowest kernel address in order for the kernel to operate properly
iOS kernel boot process Any ideas?
iOS kernel boot process Lowest address kernel part Kernel Mach-O header Rest of kernel Kernel address space grows this way -> Base address boot arg Another copy of raw kernel file beginning with the Mach-O header
iOS kernel boot process And it works!
Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
Trust Cache Trust Cache Executables Hash List Executable 1 34CB ? Execution denied! 52F8 1EC4 A971
Trust Cache Trust Cache Executables Hash List Executable 2 1EC4 ? Execution allowed! 52F8 1EC4 A971
Trust Cache • iOS has 3 different types of trust caches • A list of hardcoded hashes approved in the kernelcache • A dynamic trust cache that can be loaded at runtime from a file • A static trust cache in memory pointed from the device tree
Trust Cache • Top level CoreTrust validation where execution is decided
Trust Cache • From there dive deeper into the static trust cache lookup
Trust Cache • Using XREFs we can see that the static trust cache is set from here
Trust Cache • RE on the previous function reveals this trust cache structure
Trust Cache • Using XREFs we can see that this structure is read from the device tree
• Which Apple released the source code for Trust Cache
Trust Cache • Always works when only 1 hash in the list • Only some items work when more than 1 item is in the list
Trust Cache Any ideas?
Trust Cache • Reversing this code revealed a binary search code which means the hashes are expected to be sorted in this list
Trust Cache And it works!
Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
Bash on Launchd • Mount the RAMDisk image on OSX • Remove all files in /System/Library/LaunchDaemons/ • Add a single file there for running bash (com.apple.bash.plist) • Add the bash executable to the RAMDisk • Add the bash executable to the Trust Cache • Unmount the RAMDisk and run QEMU
Bash on Launchd
Bash on Launchd • System tries to execute bash • Logs show missing libraries required for bash
Bash on Launchd Any ideas?
Bash on Launchd • The RAMDisk image comes without the dynamic loader cache on it, which is a file that holds most of the common runtime libs for iOS • Copy this file into the RAMDisk at the correct path from the full disk images
Bash on Launchd Any ideas?
Bash on Launchd • Debug /usr/lib/dyld (the dynamic loader) which is responsible for loading the dynamic loader cache
Bash on Launchd
Bash on Launchd • Stepping through the execution path with gdb showed the error was in here
Bash on Launchd • Since we have a kernel debugger in gdb we can step into the system call in the kernel
Bash on Launchd • Stepping through this function we see that the call to _shared_region_map_and_slide() is the part that fails
Bash on Launchd • Stepping in that function reveals the error here
Bash on Launchd • The code validates that the cache file is owned by root • Mount the RAMDisk image in a different way to allow permission editing • Copy the cache file and chown to root
Bash on Launchd And it works!
Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
Interactive UART • UART output only was already possible with previous research • Found where UART input is decided on in the kernel
Interactive UART • Enabling UART input is decided based on bit #1 of a global var • The global var is read from the “serial” kernel boot arg
Interactive UART • Setting the “serial” boot arg to 2
Interactive UART And it works!
DEMO - Ghidra trace
Demo – Research a vulnerability – voucher_swap • Research done by Brandon Azad • iOS 12.1 jailbreak • Trigger the vulnerability while debugging
Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
Next steps and challenges • IP communication • Non RAMDisk disk support • More hardware devices (disk, screen, touch, sound, comms, etc..) • Load all the regular iOS services in the original launchd dir instead of just bash • More than a single CPU and an interrupt controller • More iOS versions and devices including KTRR, PAC and other features • More gdb scripts (allocation zones info, objects info, etc…) • Security research
Black Hat Sound Bytes • Use the the project and contribute! https://github.com/alephsecurity • Check out our blog: https://alephsecurity.com • Follow us on twitter: @alephsecurity @JonathanAfek • Questions?

Recommended

Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)
Gaurav Aggarwal
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
Ramin Farajpour Cami
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
Android bootup process
Android bootup processAndroid bootup process
Android bootup process
Sanjay Kumar
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
Jayanta Ghoshal
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
The Linux Foundation
 
Linux booting process, Dual booting, Components involved
Linux booting process, Dual booting, Components involvedLinux booting process, Dual booting, Components involved
Linux booting process, Dual booting, Components involved
divyammo
 

Recommended

Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)
Gaurav Aggarwal
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
Ramin Farajpour Cami
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
Android bootup process
Android bootup processAndroid bootup process
Android bootup process
Sanjay Kumar
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
Jayanta Ghoshal
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
The Linux Foundation
 
Linux booting process, Dual booting, Components involved
Linux booting process, Dual booting, Components involvedLinux booting process, Dual booting, Components involved
Linux booting process, Dual booting, Components involved
divyammo
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
Sam Bowne
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Building an iOS Build Server
Building an iOS Build ServerBuilding an iOS Build Server
Building an iOS Build Server
Attila Tamás Zimler
 
Os lectures
Os lecturesOs lectures
Os lectures
Adnan Ghafoor
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at Scale
Antony Messerl
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Deep Dive into the AOSP
Deep Dive into the AOSPDeep Dive into the AOSP
Deep Dive into the AOSP
Dr. Ketan Parmar
 
CoreOS introduction - Johann Romefort
CoreOS introduction - Johann RomefortCoreOS introduction - Johann Romefort
CoreOS introduction - Johann RomefortStylight
 
CoreOS introduction - by johann romefort
CoreOS introduction - by johann romefortCoreOS introduction - by johann romefort
CoreOS introduction - by johann romefort
Johann Romefort
 
Docking postgres
Docking postgresDocking postgres
Docking postgres
rycamor
 
Towards Holistic Systems
Towards Holistic SystemsTowards Holistic Systems
Towards Holistic Systems
bcantrill
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...
SaltStack
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
Sysdig
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
kyaw thiha
 
lecture1 details of operating system abraham silberchatz
lecture1 details of operating system abraham silberchatzlecture1 details of operating system abraham silberchatz
lecture1 details of operating system abraham silberchatz
MrsKAVITHASAsstProfC
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for That
Eric Monti
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Process
darshhingu
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 

More Related Content

Similar to eu-19-Afek-Booting-The-iOS-Kernel-To-An-Interactive-Bash-Shell-On-QEMU.pdf

2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
Sam Bowne
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Building an iOS Build Server
Building an iOS Build ServerBuilding an iOS Build Server
Building an iOS Build Server
Attila Tamás Zimler
 
Os lectures
Os lecturesOs lectures
Os lectures
Adnan Ghafoor
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at Scale
Antony Messerl
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Deep Dive into the AOSP
Deep Dive into the AOSPDeep Dive into the AOSP
Deep Dive into the AOSP
Dr. Ketan Parmar
 
CoreOS introduction - Johann Romefort
CoreOS introduction - Johann RomefortCoreOS introduction - Johann Romefort
CoreOS introduction - Johann RomefortStylight
 
CoreOS introduction - by johann romefort
CoreOS introduction - by johann romefortCoreOS introduction - by johann romefort
CoreOS introduction - by johann romefort
Johann Romefort
 
Docking postgres
Docking postgresDocking postgres
Docking postgres
rycamor
 
Towards Holistic Systems
Towards Holistic SystemsTowards Holistic Systems
Towards Holistic Systems
bcantrill
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...
SaltStack
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
Sysdig
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
kyaw thiha
 
lecture1 details of operating system abraham silberchatz
lecture1 details of operating system abraham silberchatzlecture1 details of operating system abraham silberchatz
lecture1 details of operating system abraham silberchatz
MrsKAVITHASAsstProfC
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for That
Eric Monti
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Process
darshhingu
 

Similar to eu-19-Afek-Booting-The-iOS-Kernel-To-An-Interactive-Bash-Shell-On-QEMU.pdf (20)

2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Building an iOS Build Server
Building an iOS Build ServerBuilding an iOS Build Server
Building an iOS Build Server
 
Os lectures
Os lecturesOs lectures
Os lectures
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at Scale
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Deep Dive into the AOSP
Deep Dive into the AOSPDeep Dive into the AOSP
Deep Dive into the AOSP
 
CoreOS introduction - Johann Romefort
CoreOS introduction - Johann RomefortCoreOS introduction - Johann Romefort
CoreOS introduction - Johann Romefort
 
CoreOS introduction - by johann romefort
CoreOS introduction - by johann romefortCoreOS introduction - by johann romefort
CoreOS introduction - by johann romefort
 
Docking postgres
Docking postgresDocking postgres
Docking postgres
 
Towards Holistic Systems
Towards Holistic SystemsTowards Holistic Systems
Towards Holistic Systems
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
 
lecture1 details of operating system abraham silberchatz
lecture1 details of operating system abraham silberchatzlecture1 details of operating system abraham silberchatz
lecture1 details of operating system abraham silberchatz
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for That
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Process
 

Recently uploaded

Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - DeugloEmpowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
Deuglo Infosystem Pvt Ltd
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
abdulrafaychaudhry
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
vrstrong314
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 

Recently uploaded (20)

Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - DeugloEmpowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 

eu-19-Afek-Booting-The-iOS-Kernel-To-An-Interactive-Bash-Shell-On-QEMU.pdf

  • 1.
  • 2. How current iOS research is done • Third party iOS emulator on a remote server • Development fused iPhone • Off the shelf iPhone – jailbroken • Off the shelf iPhone – no jailbreak
  • 4. Jonathan Afek • Aleph Research group manager at HCL/AppScan • 15 years of experience in security research and low level development including vulnerability research, Linux kernel, storage systems, WiFi systems and FW, security systems and more.
  • 5. iOS on QEMU work done by @zhuowei (Worth Doing Badly)
  • 6.
  • 7. Past Research – Worth Doing Badly (@zhuowei) • Chosen version is iPhone X iOS 12 beta 4 • Extracted the kernel image and the device tree from the software update package • kernel, device tree and the kernel boot arguments were loaded in memory • iOS RAMDisk was loaded in memory • UART serial output was achieved • Kernel was booted • Launchd was executed
  • 8. Past Research – Worth Doing Badly (@zhuowei)
  • 9. Goals of our project • Booting iOS on QEMU with no kernel patches • Supporting hardware (disk, display, touch, sound, multiple CPUs, Interrupt controllers, etc…) • Supporting different iOS versions • Conducting iOS security research • Learning about iOS and QEMU internals
  • 10. Status of our project • Booting Secure Monitor and the kernel (unpatched) • Executing a user-mode app over launchd • Running an interactive bash shell on an iOS kernel on QEMU • Supporting only on iOS 12.1 for iPhone 6s plus
  • 12. Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
  • 13. iOS kernel boot process • Start booting the kernelcache code in EL1 as done by @zhuowei • Crash on SMC instruction (Secure Monitor Call) e an
  • 14. iOS kernel boot process from https://developer.arm.com/docs/den0024/a/fundamentals-of-armv8
  • 15. iOS kernel boot process • Secure Monitor Loads at boot in EL3 • It resides in a secure memory location inaccessible from EL1 (kernel code) • It services SMC calls from the kernel (similar to how system calls from user apps to the kernel are serviced) • It is responsible for KPP (Kernel Patch Protection) in our system
  • 16. iOS kernel boot process • The kernel needs a secure monitor to service its SMCs
  • 17. iOS kernel boot process Any ideas?
  • 18. iOS kernel boot process • iPhone X uses KTRR (hardware mechanism to prevent patches) and no longer uses a Secure Monitor for KPP (Kernel Patch Protection) • Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and start executing • Loading the image at its preferred address (secure memory) with the image’s boot args at the next page and start execution at the entry point in EL3
  • 19. iOS kernel boot process • Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and start executing • Data abort for trying to parse the kernelcache Mach-O header to decide which areas need which protections
  • 20. iOS kernel boot process
  • 21. iOS kernel boot process Lowest address kernel part Kernel Mach-O header Rest of kernel Kernel address space grows this way -> Base address boot arg
  • 22. iOS kernel boot process • The kernel needs a secure monitor to service its SMCs • The secure monitor requires the base address boot arg to point to the kernel Macho-O header
  • 23. iOS kernel boot process Any ideas?
  • 24. iOS kernel boot process Lowest address kernel part Kernel Mach-O header Rest of kernel Kernel address space grows this way -> Base address boot arg
  • 25. iOS kernel boot process • Loading the Secure Monitor image for iOS 12.1 for iPhone 6s plus in EL3 and start executing • Tried many different solutions such as changing the base address to the loaded Mach- O header address (above the lowest loaded section/driver)
  • 26. iOS kernel boot process • The kernel needs a secure monitor to service its SMCs • The secure monitor requires the base address boot arg to point to the kernel Macho-O header • The base address boot arg needs to point to the lowest kernel address in order for the kernel to operate properly
  • 27. iOS kernel boot process Any ideas?
  • 28. iOS kernel boot process Lowest address kernel part Kernel Mach-O header Rest of kernel Kernel address space grows this way -> Base address boot arg Another copy of raw kernel file beginning with the Mach-O header
  • 29. iOS kernel boot process And it works!
  • 30. Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
  • 31. Trust Cache Trust Cache Executables Hash List Executable 1 34CB ? Execution denied! 52F8 1EC4 A971
  • 32. Trust Cache Trust Cache Executables Hash List Executable 2 1EC4 ? Execution allowed! 52F8 1EC4 A971
  • 33. Trust Cache • iOS has 3 different types of trust caches • A list of hardcoded hashes approved in the kernelcache • A dynamic trust cache that can be loaded at runtime from a file • A static trust cache in memory pointed from the device tree
  • 34. Trust Cache • Top level CoreTrust validation where execution is decided
  • 35. Trust Cache • From there dive deeper into the static trust cache lookup
  • 36. Trust Cache • Using XREFs we can see that the static trust cache is set from here
  • 37. Trust Cache • RE on the previous function reveals this trust cache structure
  • 38. Trust Cache • Using XREFs we can see that this structure is read from the device tree
  • 39. • Which Apple released the source code for Trust Cache
  • 40. Trust Cache • Always works when only 1 hash in the list • Only some items work when more than 1 item is in the list
  • 42. Trust Cache • Reversing this code revealed a binary search code which means the hashes are expected to be sorted in this list
  • 44. Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
  • 45. Bash on Launchd • Mount the RAMDisk image on OSX • Remove all files in /System/Library/LaunchDaemons/ • Add a single file there for running bash (com.apple.bash.plist) • Add the bash executable to the RAMDisk • Add the bash executable to the Trust Cache • Unmount the RAMDisk and run QEMU
  • 47. Bash on Launchd • System tries to execute bash • Logs show missing libraries required for bash
  • 49. Bash on Launchd • The RAMDisk image comes without the dynamic loader cache on it, which is a file that holds most of the common runtime libs for iOS • Copy this file into the RAMDisk at the correct path from the full disk images
  • 51. Bash on Launchd • Debug /usr/lib/dyld (the dynamic loader) which is responsible for loading the dynamic loader cache
  • 53. Bash on Launchd • Stepping through the execution path with gdb showed the error was in here
  • 54. Bash on Launchd • Since we have a kernel debugger in gdb we can step into the system call in the kernel
  • 55. Bash on Launchd • Stepping through this function we see that the call to _shared_region_map_and_slide() is the part that fails
  • 56. Bash on Launchd • Stepping in that function reveals the error here
  • 57. Bash on Launchd • The code validates that the cache file is owned by root • Mount the RAMDisk image in a different way to allow permission editing • Copy the cache file and chown to root
  • 58. Bash on Launchd And it works!
  • 59. Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
  • 60. Interactive UART • UART output only was already possible with previous research • Found where UART input is decided on in the kernel
  • 61. Interactive UART • Enabling UART input is decided based on bit #1 of a global var • The global var is read from the “serial” kernel boot arg
  • 62. Interactive UART • Setting the “serial” boot arg to 2
  • 64. DEMO - Ghidra trace
  • 65. Demo – Research a vulnerability – voucher_swap • Research done by Brandon Azad • iOS 12.1 jailbreak • Trigger the vulnerability while debugging
  • 66.
  • 67. Agenda • Past public research on iOS on QEMU • iOS kernel boot process • Execution of non-apple executables with Trust Cache • Bash execution with launchd • UART interactive I/O • Next steps
  • 68. Next steps and challenges • IP communication • Non RAMDisk disk support • More hardware devices (disk, screen, touch, sound, comms, etc..) • Load all the regular iOS services in the original launchd dir instead of just bash • More than a single CPU and an interrupt controller • More iOS versions and devices including KTRR, PAC and other features • More gdb scripts (allocation zones info, objects info, etc…) • Security research
  • 69. Black Hat Sound Bytes • Use the the project and contribute! https://github.com/alephsecurity • Check out our blog: https://alephsecurity.com • Follow us on twitter: @alephsecurity @JonathanAfek • Questions?