Linux has a great tool called strace; on OS X the counterpart is dtruss, which is built on DTrace. Dtruss is functionally very capable and gives you pretty much everything you need, it is just not as nice to use as strace. Linux also has ltrace for library-call tracing, which is arguably more useful because it shows application activity at a much finer granularity. Unfortunately there is no such tool on OS X, so I decided to make one, a simpler version for now. I called it objc_trace.
2. Security Researcher at SYNACK
Working on low level emulation with QEMU and iPhone automation.
Graduate of Polytechnic University
a.k.a. Polytechnic Institute of New York University
a.k.a. New York University Polytechnic School of Engineering
a.k.a. New York University Tandon School of Engineering
3. Getting started with iOS
- Get iPhone 5s
- Swappa
- Apply Jailbreak
- Install OpenSSH via Cydia
- Use tcprelay to SSH over USB
- Start exploring
- Debugserver
- Objective-C: Phrack 0x42 (issue 66, article 4)
- http://phrack.org/issues/66/4.html
- https://github.com/iosre/iOSAppReverseEngineering
- https://nabla-c0d3.github.io/blog/2014/12/30/tcprelay-multiple-devices/
5. Where are the vulns?!
Jailbreaks are basically chains of memory corruptions going all the way down to the kernel.
Memory corruption - just won’t go away!
That’s what a lot of CTFs seem to be focusing on.
History thereof
Memory Errors
6. Beg, borrow and steal
Finding vulnerabilities
Fuzzing (AFL, Many frameworks)
Code reading (SourceInsight, Understand)
Dynamic/Static analysis (Qira, Panda)
Code coverage matters for this type of analysis: you need to know which code your inputs actually reach.
8. ARM64 Registers
31 general-purpose registers
X0 … X30 (64-bit) or W0 … W30 (the low 32 bits of the same registers)
Register number 31 - (zr) the zero register XZR/WZR: reads as 0, writes are discarded; in address operands that encoding means SP instead
X30 - (lr) Procedure Link Register, holds the return address (the x86 analogue is the RIP pushed on the stack by CALL)
X29 - (fp) Frame pointer (RBP)
X18 - Reserved on iOS (platform register, do not use it)
9. ARM64 Instructions
Conditional Branches
B.EQ, B.NE, TBNZ (Test bit and Branch if Nonzero), etc.
Unconditional Branches
B, BL, BR, RET; SVC is not a branch but an exception-generating instruction, listed here because it hands control to the kernel
Conditional Select
CSEL W9, W9, W10, EQ
“W9 = EQ ? W9 : W10”, i.e. keep W9 if the Z flag is set, otherwise take W10, without a branch
10. Calling Convention
On ARM64 (Apple ABI):
X0 … X7 carry the first eight integer/pointer arguments; X8 holds the address for an indirect (struct) return value
X16 holds the system call number:
Positive for POSIX/BSD system calls
Negative for Mach traps
0x80000000 marks the machine-dependent calls, such as thread_set_self
SVC 0x80 traps into the kernel
18. Steps
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
Repository: https://github.com/nologic/objc_trace
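The block below is an added example, not code from the objc_trace repository or the slides. It shows the instruction-level work behind steps 3 to 5 (copy the preamble, check it for branches, build the jump page that ends with a jump back into objc_msgSend), using the branch encodings from the ARM64 Instructions slide. It assumes the hook is installed as a single unconditional B (reach of ±128 MiB from the patch site) and that the displaced preamble contains only plain instructions or B.cond; the preamble bytes and the addresses 0x1000, 0x2000 and 0x3000 are constructed stand-ins, not the real objc_msgSend.

```c
/* Added example (not objc_trace code): step 4's branch check and the jump-page
 * construction of steps 3-5, on constructed bytes and hypothetical addresses. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    INSN_PLAIN,     /* no PC-relative semantics: safe to copy verbatim */
    INSN_B_COND,    /* B.cond: 19-bit word offset, can be re-encoded */
    INSN_B_UNCOND,  /* B / BL: 26-bit word offset */
    INSN_CB,        /* CBZ / CBNZ */
    INSN_TB,        /* TBZ / TBNZ */
    INSN_ADR,       /* ADR / ADRP */
    INSN_LDR_LIT,   /* LDR (literal) / PRFM (literal) */
    INSN_BR_REG     /* BR / BLR / RET: control leaves here, the preamble ends */
} insn_kind;

/* Classify an AArch64 instruction word by its fixed opcode bits (step 4). */
insn_kind classify(uint32_t insn)
{
    if ((insn & 0xFF000010u) == 0x54000000u) return INSN_B_COND;
    if ((insn & 0x7C000000u) == 0x14000000u) return INSN_B_UNCOND;
    if ((insn & 0x7E000000u) == 0x34000000u) return INSN_CB;
    if ((insn & 0x7E000000u) == 0x36000000u) return INSN_TB;
    if ((insn & 0x1F000000u) == 0x10000000u) return INSN_ADR;
    if ((insn & 0x3B000000u) == 0x18000000u) return INSN_LDR_LIT;
    if ((insn & 0xFE000000u) == 0xD6000000u) return INSN_BR_REG;
    return INSN_PLAIN;
}

/* Encode "B to" placed at address from; returns 0 (not a valid B) if out of range. */
uint32_t encode_b(uint64_t from, uint64_t to)
{
    int64_t off = (int64_t)(to - from);
    if ((off & 3) || off < -(1LL << 27) || off > (1LL << 27) - 4) return 0;
    return 0x14000000u | ((uint32_t)((uint64_t)off >> 2) & 0x03FFFFFFu);
}

/* Absolute target of a B.cond word located at pc. */
uint64_t bcond_target(uint32_t insn, uint64_t pc)
{
    int64_t imm19 = (insn >> 5) & 0x7FFFF;
    if (imm19 & 0x40000) imm19 -= 0x80000;   /* sign-extend the 19-bit field */
    return pc + (uint64_t)(imm19 * 4);
}

/* Re-encode a B.cond moved from old_pc to new_pc so it still reaches its
 * original target; returns 0 if the +/-1 MiB reach of B.cond is exceeded. */
uint32_t relocate_bcond(uint32_t insn, uint64_t old_pc, uint64_t new_pc)
{
    int64_t off = (int64_t)(bcond_target(insn, old_pc) - new_pc);
    if ((off & 3) || off < -(1LL << 20) || off > (1LL << 20) - 4) return 0;
    return (insn & ~(0x7FFFFu << 5)) | (((uint32_t)((uint64_t)off >> 2) & 0x7FFFFu) << 5);
}

/* Build the jump page (steps 3-5): the n displaced preamble words, fixed up
 * where needed, then a B back to the first untouched instruction. dst must
 * hold n + 1 words. Returns the number of words written, or -1 on refusal. */
int build_trampoline(const uint32_t *src, int n, uint64_t old_pc,
                     uint32_t *dst, uint64_t new_pc)
{
    for (int i = 0; i < n; i++) {
        uint64_t from = old_pc + 4 * (uint64_t)i, to = new_pc + 4 * (uint64_t)i;
        switch (classify(src[i])) {
        case INSN_PLAIN:
            dst[i] = src[i];
            break;
        case INSN_B_COND: {
            uint64_t tgt = bcond_target(src[i], from);
            /* A branch into the bytes we overwrite would land on the hook itself. */
            if (tgt >= old_pc && tgt < old_pc + 4 * (uint64_t)n) return -1;
            dst[i] = relocate_bcond(src[i], from, to);
            if (dst[i] == 0) return -1;
            break;
        }
        default:
            return -1;   /* refuse rather than copy an instruction whose meaning changed */
        }
    }
    dst[n] = encode_b(new_pc + 4 * (uint64_t)n, old_pc + 4 * (uint64_t)n);
    return dst[n] ? n + 1 : -1;
}

/* Constructed sample input (not objc_msgSend's real bytes), an entry sequence
 * with a conditional branch in the displaced region:
 *   cmp x0, #0 ; b.le +0x40 ; ldr x13, [x0] ; mov x16, x13 */
const uint32_t sample_preamble[4] = { 0xF100001Fu, 0x5400020Du, 0xF940000Du, 0xAA0D03F0u };
const uint64_t SAMPLE_MSGSEND = 0x1000, SAMPLE_PAGE = 0x2000;   /* hypothetical addresses */
uint32_t sample_page[5];

int build_sample(void)
{
    return build_trampoline(sample_preamble, 4, SAMPLE_MSGSEND, sample_page, SAMPLE_PAGE);
}

int main(void)
{
    int n = build_sample();
    if (n < 0) { puts("preamble not relocatable"); return 1; }
    /* 0x3000 stands in for objc_msgSend_trace, the hook destination. */
    printf("hook word at objc_msgSend: %08x\n", (unsigned)encode_b(SAMPLE_MSGSEND, 0x3000));
    for (int i = 0; i < n; i++)
        printf("jump page +%02x: %08x\n", 4 * i, (unsigned)sample_page[i]);
    return 0;
}
```

The point of the step 4 check is that any instruction whose meaning depends on its own address (B.cond, CBZ/TBZ, ADR/ADRP, LDR literal, B/BL) is silently wrong once its bytes are copied to the jump page; the builder either re-encodes it, as it does for B.cond, or refuses to install the hook.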
29. Step 5 - Jump patch destination
__attribute__((naked)) id objc_msgSend_trace(id self, SEL op) {
    __asm__ __volatile__ (
        // Set up a frame and reserve space for the registers the callback may clobber.
        "stp fp, lr, [sp, #-16]!;\n"
        "mov fp, sp;\n"
        "sub sp, sp, #(10*8 + 8*16);\n"
        // Save the floating-point/SIMD and integer argument registers.
        "stp q0, q1, [sp, #(0*16)];\n"
        ...
        "stp x0, x1, [sp, #(8*16+0*8)];\n"
        ...
        // The callback sees self/_cmd and returns the address to continue at.
        "BL _hook_callback64_pre;\n"
        "mov x9, x0;\n"
        // Restore all the parameter registers to the initial state.
        "ldp q0, q1, [sp, #(0*16)];\n"
        ...
        "ldp x0, x1, [sp, #(8*16+0*8)];\n"
        // Restore the stack pointer, frame pointer and link register
        "mov sp, fp;\n"
        "ldp fp, lr, [sp], #16;\n"
        "BR x9;\n"   // tail-jump to the original
    );
}
30. Step 6 - Set jump page to readable and executable
// Drop write access and make the trampoline page executable.
// t_func is the page-aligned jump page allocated in step 1.
if(mprotect((void*)t_func, 4096, PROT_READ | PROT_EXEC) != 0) {
    perror("Unable to change trampoline permissions to exec");
    return NULL;
}
34. Attaching to a process
iPhone:~ root# ./debugserver *:1234 --attach=DamnVulnerableIOSApp
MacBook-Pro-2:~ nl$ lldb
(lldb) process connect connect://127.0.0.1:3234
Process 2826 stopped
* thread #1: tid = 0x463b0, 0x0000000196c9f0c0 libsystem_kernel.dylib`__psynch_mutexwait + 8, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x0000000196c9f0c0 libsystem_kernel.dylib`__psynch_mutexwait + 8
libsystem_kernel.dylib`__psynch_mutexwait:
->  0x196c9f0c0 <+8>: b.lo   0x196c9f0d8
35. The Challenge
1. Make function tracing work for another architecture:
a. ARMv7, x86_64, PPC, etc.
2. Make function tracing work from shell code.
a. ShellCC might be of help
36. Where to learn about security?
- iOS Reverse Engineering Book
- https://seccasts.com/
- http://www.opensecuritytraining.info/
- https://www.corelan.be
- YouTube for conference talks
- Security meetups
- Just practice
- Read/follow walkthroughs
- follow the subreddits:
- netsec
- reverseengineering
- malware
- lowlevel
- blackhat
- securityCTF
- rootkit
- vrd