SlideShare a Scribd company logo

NYU Hacknight: iOS and OSX ABI

Mikhail Sosonkin
Mikhail Sosonkin

ISIS (Now OSIRIS) Lab at NYU Tandon school hosts weekly sessions for young hackers. They excelled at developing this talent. This week I gave a talk discussing where vulnerabilities occur, how people handle them as well as a deep dive into various technical aspects of the Application Binary Interface (ABI) for the XNU derived kernels. The deep dive also included covering the loading mechanisms for Mach-O though the kernel and DYLD. For the second part, I did a walk through which is recorded on youtube (https://www.youtube.com/watch?v=yg9svg9xE8g). It is about how we can use GCC to help you write assembly for your shellcode. It is especially useful for complex logic and for getting you bootstrapped on architectures you might not be familiar with. We use GCC to build up concise code for executing a system call. Just be aware that using GCC for this purpose will usually be enough to buildup ~90% of the work, you'd be responsible to shape it into something that meets all the requirements of your exploit. At the end, there is a challenge given. It is to build shellcode which downloads and loads a dylib into a process without touch disk. There is a template on github (https://github.com/nologic/shellcc) for downloading and loading from disk.

Software
1 of 50
Download to read offline
iOS and OS X ABI (Hacking in context) Mikhail Sosonkin
Security Researcher at SYNACK Working on low level emulation with QEMU and iPhone automation. Graduate of Polytechnic University a.k.a Polytechnic Institute of New York University a.k.a New York University Polytechnic School of Engineering a.k.a New York University Tandon School of Engineering
СССР 1986 Intel 8080 Clone 1.78MHz CPU 32KB RAM 2KB ROM 450 Rubles Wikipedia-RU
What’s a vulnerability Just crashes Bugs Vulnerabilities What we are used to Logic errors
Amazon Apple “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.” - http://www.wired.com/2012/08/apple-amazon-mat- honan-hacking/all/
It is not enough to just be careful with your interfaces. You must also have have mitigations and continuous analysis that includes “outsiders”. Security considerations and reviews should be part of every step of development lifecycle.
Where are the vulns?! Memory corruption - just won’t go away! That’s what a lot of CTFs seem to be focusing on. History thereof Memory Errors “Special feature” Backdooring yourself. Someone will eventually discover it.
Network man on the side http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/ web where did I leave that session key again? https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
Miscommunications The root of all bugs. Don’t be too paranoid It’s not healthy, but always ask: “what do you do if someone compromises this component?”
Targeting Classic: Browser, Remote, Phishing A little more advanced: Via AWS - managed services (Exploiting external relationships) USB - https://srlabs.de/badusb/ i.e. Stuxnet
Beg, borrow and steal Finding vulnerabilities Fuzzing (AFL, Many frameworks) Code reading (SourceInsight, Understand) Dynamic/Static analysis (Qira, Panda)
Exploit Control EIP Doesn’t have to be 100% Gain execution Binary protections like ASLR and DEP
Infect Run shell code Might have some ROPing to do And, stack pivoting Find the egg Bigger shellcode. Download implant Gain persistence i.e. launch daemon
No Disclosure Private Communities Full disclosure Responsible Disclosure Coordinated Disclosure Private Bug bounties: Google, Microsoft, Facebook Managed Bug Bounties: Bugcrowd, HackerOne, SYNACK
Black Market Bug Bounties: Zerodium, Vupen Cosinc (link) HackingTeam (Probably defunct) MitnickSecurity Lots of secretive companies (link) A few not so secretive (link)
SYNACK Private Targets Think easy targets Fortune 500 Companies Several Categories Host, Web, Mobile Average payout: $690 We provide a cyber platform, Hydra! https://www.synack.com/red-team/
Requires passing an assessment SYNACK Red Team entry If unable to pass try BugCrowd or HackerOne
Let’s say you gained execution
Goals Build shellcode that Downloads a dylib. Injects the dylib into process. Target OS X and iOS
Get initial info - OSX
Get initial info - iOS
Partial source XNU kernel https://opensource.apple.com/tarballs/xnu/ Dyld source https://opensource.apple.com/tarballs/dyld/ Can be compiled
ARM64 Registers 31 General purpose registers X0 … X30 or W0 … W30 X31 - (zr) The Zero register X30 - (lr) Procedure Link Register (RIP) X29 - (fp) Frame pointer (RBP) X18 - Reserved on iOS
ARM64 Instructions Conditional Branches B.EQ, B.NE, TBNZ (Test bit and Branch if Nonzero), etc. Unconditional Branches B, RET, SVC Conditional Select CSEL W9, W9, W10, EQ “W9 = EQ?W9:W10”
Introducing: IDARef https://github.com/nologic/idaref
Introducing: HopperRef https://github.com/zbuc/hopperref
Making system calls
Calling Convention On ARM64: X0 … X8 Contain function parameters X16 has the system call number Positive for Posix Negative for Mach Ports 0x80000000 for thread_set_self SVC 0x80; jumps to kernel
Let’s make a system call
Syscall numbers OSX: 0x01000000 - mach ports 0x02000000 - Posix 0x03000003 - pthread_set_self IOS 0x00000000 and below - mach ports 0x00000000 and above - Posix 0x80000000 - pthread_set_self
Loading Mach-O’s
Who does what? - Kernel: - Maps the main executable - Maps the loader - Passes control to the loader - DYLD: - “Maps” itself and the main executable - Maps and links dependency libraries.
File Structure: Header /usr/include/mach-o/loader.h
File Structure: Commands - Follow the header - ‘cmdsize’ is a multiple of 8 bytes.
Mach-O commands - LC_SEGMENT and LC_SEGMENT_64 - From file to virtual memory: __DATA, __TEXT, etc. - LC_UNIXTHREAD - Sets up initial registers and stack - Entry point - LC_LOAD_DYLINKER - Specifies the loader i.e. /usr/lib/dyld - LC_MAIN - Sets up the stack - etc
Setting up the stack OSX Arguments Environment variables Apple variable Generated by the kernel (LC_UNIXTHREAD)
Setting up the stack iOS Arguments Environment variables Apple variable Generated by the kernel (LC_UNIXTHREAD)
Segments
Let’s build some shellcode. (live exercise) Recorded session
`xcrun --sdk iphoneos --find gcc` -Os -fno-stack-protector - fomit-frame-pointer -fno-exceptions -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks - F`xcrun --sdk iphoneos --show-sdk- path`/System/Library/PrivateFrameworks -arch arm64 test_syscall.c -o test_syscall otool -t -v test_syscall
Build it using GCC - Easy to represent complex logic - Excellent way to learn assembly skills - Assist with reverse engineering - Port to different architectures - Optimization hints - Does 90% of the work for you
Cons of using GCC - Can get hard to make GCC avoid outputting certain bytes. - Give up a level of control - Can get into dependency hell - All the usual problems with C. - Optimizer could get too aggressive
The Challenge
ShellCC - https://github.com/nologic/shellcc - shellcode - extractshell.py: Gets the bytecodes from the macho as raw shellcode - Makefile has build commands for shellcode ARM/x86_64 - shellharness - reads a file and executes the buffer.
The challenge - Understand injectdyld_file.c - Figure out how to dynamically load a dylib - Can use injectdyld_file.c as a base - Hint: you will need to read the DYLD sourcecode.
Where to learn about security? - https://seccasts.com/ - http://www.opensecuritytraining.info/ - https://www.corelan.be - youtube for conference - Security meetups - Just practice - Read/follow walkthroughs - follow the reddits: - netsec - reverseengineering - malware - lowlevel - blackhat - securityCTF - rootkit - vrd
Getting started with iOS - Get iPhone 5s - Swappa - Apply Jailbreak - Install OpenSSH via Cydia - Use tcprelay to SSH over USB - Start exploring - debugserver - https://github.com/iosre/iOSAppReverseEngineering - https://nabla-c0d3.github.io/blog/2014/12/30/tcprelay-multiple-devices/
Thank you! Mikhail Sosonkin mikhail@synack.com Google+

Recommended

From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
virtualabs
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
Cysinfo Cyber Security Community
 
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Codemotion
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
Ricardo L0gan
 
Terminal share of FlashAir W-04
Terminal share of FlashAir W-04Terminal share of FlashAir W-04
Terminal share of FlashAir W-04
FlashAirデベロッパーズ
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
Tarea 4 – uso de cinahl
Tarea 4 – uso de cinahlTarea 4 – uso de cinahl
Tarea 4 – uso de cinahl
Bea Panini
 
Distribucion binomial
Distribucion binomialDistribucion binomial
Distribucion binomial
daenma23
 

Recommended

From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
virtualabs
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
Cysinfo Cyber Security Community
 
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Codemotion
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
Ricardo L0gan
 
Terminal share of FlashAir W-04
Terminal share of FlashAir W-04Terminal share of FlashAir W-04
Terminal share of FlashAir W-04
FlashAirデベロッパーズ
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
Tarea 4 – uso de cinahl
Tarea 4 – uso de cinahlTarea 4 – uso de cinahl
Tarea 4 – uso de cinahl
Bea Panini
 
Distribucion binomial
Distribucion binomialDistribucion binomial
Distribucion binomial
daenma23
 
ECE 505 Final project
ECE 505 Final project ECE 505 Final project
ECE 505 Final project ?? ?
 
We in the European union
We in the European unionWe in the European union
We in the European union
read in europe
 
ciclo del azufre
ciclo del azufre ciclo del azufre
ciclo del azufre
ernestoperezgonzalez
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016
Mikhail Sosonkin
 
CV-022516-Linkedin
CV-022516-LinkedinCV-022516-Linkedin
CV-022516-LinkedinAmin Khatib
 
Strategic Planning Class
Strategic Planning ClassStrategic Planning Class
Strategic Planning Class
Carol Gray, MHA
 
Photography planning
Photography planningPhotography planning
Photography planning
Denton Snowden
 
Question 7
Question 7Question 7
Question 7
christycy
 
work life balance
work life balancework life balance
work life balance
KUN CAPITAL, ASHOK LEYLAND AS A INTERN
 
Database management system
Database management systemDatabase management system
Database management system
Midhun Abraham
 
Portfolio 2017
Portfolio 2017Portfolio 2017
Portfolio 2017Kevin Hustings
 
Catalogo crv
Catalogo crvCatalogo crv
Catalogo crv
Eduardo Abbas
 
Media institutions powerpoint 1
Media institutions powerpoint 1Media institutions powerpoint 1
Media institutions powerpoint 1
Denton Snowden
 
Proyecto de-informatica grupo 4
Proyecto de-informatica grupo 4Proyecto de-informatica grupo 4
Proyecto de-informatica grupo 4
Eripam26
 
CV_Vitor_Silva
CV_Vitor_SilvaCV_Vitor_Silva
CV_Vitor_SilvaVitor Silva
 
Spartireklama Prezentacija
Spartireklama PrezentacijaSpartireklama Prezentacija
Spartireklama PrezentacijaRytis Fedaravicius
 
TIVRA TARUN -Commercial & Contract
TIVRA TARUN -Commercial & Contract TIVRA TARUN -Commercial & Contract
TIVRA TARUN -Commercial & Contract Tivra Tarun
 
Bonfim studio-7-dicas-imbativeis-logo
Bonfim studio-7-dicas-imbativeis-logoBonfim studio-7-dicas-imbativeis-logo
Bonfim studio-7-dicas-imbativeis-logo
Bonfim Studio
 
Cvv222222
Cvv222222Cvv222222
Cvv222222
mikscott
 
OWASP: iOS Spelunking
OWASP: iOS SpelunkingOWASP: iOS Spelunking
OWASP: iOS Spelunking
Mikhail Sosonkin
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
Vlatko Kosturjak
 

More Related Content

Viewers also liked

ECE 505 Final project
ECE 505 Final project ECE 505 Final project
ECE 505 Final project ?? ?
 
We in the European union
We in the European unionWe in the European union
We in the European union
read in europe
 
ciclo del azufre
ciclo del azufre ciclo del azufre
ciclo del azufre
ernestoperezgonzalez
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016
Mikhail Sosonkin
 
CV-022516-Linkedin
CV-022516-LinkedinCV-022516-Linkedin
CV-022516-LinkedinAmin Khatib
 
Strategic Planning Class
Strategic Planning ClassStrategic Planning Class
Strategic Planning Class
Carol Gray, MHA
 
Photography planning
Photography planningPhotography planning
Photography planning
Denton Snowden
 
Question 7
Question 7Question 7
Question 7
christycy
 
Database management system
Database management systemDatabase management system
Database management system
Midhun Abraham
 
Catalogo crv
Catalogo crvCatalogo crv
Catalogo crv
Eduardo Abbas
 
Media institutions powerpoint 1
Media institutions powerpoint 1Media institutions powerpoint 1
Media institutions powerpoint 1
Denton Snowden
 
Proyecto de-informatica grupo 4
Proyecto de-informatica grupo 4Proyecto de-informatica grupo 4
Proyecto de-informatica grupo 4
Eripam26
 
TIVRA TARUN -Commercial & Contract
TIVRA TARUN -Commercial & Contract TIVRA TARUN -Commercial & Contract
TIVRA TARUN -Commercial & Contract Tivra Tarun
 
Bonfim studio-7-dicas-imbativeis-logo
Bonfim studio-7-dicas-imbativeis-logoBonfim studio-7-dicas-imbativeis-logo
Bonfim studio-7-dicas-imbativeis-logo
Bonfim Studio
 
Cvv222222
Cvv222222Cvv222222
Cvv222222
mikscott
 

Viewers also liked (19)

ECE 505 Final project
ECE 505 Final project ECE 505 Final project
ECE 505 Final project
 
We in the European union
We in the European unionWe in the European union
We in the European union
 
ciclo del azufre
ciclo del azufre ciclo del azufre
ciclo del azufre
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016
 
CV-022516-Linkedin
CV-022516-LinkedinCV-022516-Linkedin
CV-022516-Linkedin
 
Strategic Planning Class
Strategic Planning ClassStrategic Planning Class
Strategic Planning Class
 
Photography planning
Photography planningPhotography planning
Photography planning
 
Question 7
Question 7Question 7
Question 7
 
work life balance
work life balancework life balance
work life balance
 
Database management system
Database management systemDatabase management system
Database management system
 
Portfolio 2017
Portfolio 2017Portfolio 2017
Portfolio 2017
 
Catalogo crv
Catalogo crvCatalogo crv
Catalogo crv
 
Media institutions powerpoint 1
Media institutions powerpoint 1Media institutions powerpoint 1
Media institutions powerpoint 1
 
Proyecto de-informatica grupo 4
Proyecto de-informatica grupo 4Proyecto de-informatica grupo 4
Proyecto de-informatica grupo 4
 
CV_Vitor_Silva
CV_Vitor_SilvaCV_Vitor_Silva
CV_Vitor_Silva
 
Spartireklama Prezentacija
Spartireklama PrezentacijaSpartireklama Prezentacija
Spartireklama Prezentacija
 
TIVRA TARUN -Commercial & Contract
TIVRA TARUN -Commercial & Contract TIVRA TARUN -Commercial & Contract
TIVRA TARUN -Commercial & Contract
 
Bonfim studio-7-dicas-imbativeis-logo
Bonfim studio-7-dicas-imbativeis-logoBonfim studio-7-dicas-imbativeis-logo
Bonfim studio-7-dicas-imbativeis-logo
 
Cvv222222
Cvv222222Cvv222222
Cvv222222
 

Similar to NYU Hacknight: iOS and OSX ABI

OWASP: iOS Spelunking
OWASP: iOS SpelunkingOWASP: iOS Spelunking
OWASP: iOS Spelunking
Mikhail Sosonkin
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
Vlatko Kosturjak
 
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bugWang Hao Lee
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!
Codemotion
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Synack
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.
Eric Monti
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: Introduction
Jollen Chen
 
Understand study
Understand studyUnderstand study
Understand study
Antonio Costa aka Cooler_
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
PROIDEA
 
Falco meetup OpenShift
Falco meetup OpenShiftFalco meetup OpenShift
Falco meetup OpenShift
Stephane Woillez
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
Samsung Open Source Group
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Raising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityRaising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code Quality
Thomas Moulard
 

Similar to NYU Hacknight: iOS and OSX ABI (20)

OWASP: iOS Spelunking
OWASP: iOS SpelunkingOWASP: iOS Spelunking
OWASP: iOS Spelunking
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug
英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: Introduction
 
Os Selbak
Os SelbakOs Selbak
Os Selbak
 
Understand study
Understand studyUnderstand study
Understand study
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
 
Falco meetup OpenShift
Falco meetup OpenShiftFalco meetup OpenShift
Falco meetup OpenShift
 
Debuging tech
Debuging techDebuging tech
Debuging tech
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Raising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityRaising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code Quality
 

Recently uploaded

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
KrzysztofKkol1
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
Peter Caitens
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024
Sharepoint Designs
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Hivelance Technology
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 

Recently uploaded (20)

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 

NYU Hacknight: iOS and OSX ABI

  • 1. iOS and OS X ABI (Hacking in context) Mikhail Sosonkin
  • 2. Security Researcher at SYNACK Working on low level emulation with QEMU and iPhone automation. Graduate of Polytechnic University a.k.a Polytechnic Institute of New York University a.k.a New York University Polytechnic School of Engineering a.k.a New York University Tandon School of Engineering
  • 3. СССР 1986 Intel 8080 Clone 1.78MHz CPU 32KB RAM 2KB ROM 450 Rubles Wikipedia-RU
  • 4. What’s a vulnerability Just crashes Bugs Vulnerabilities What we are used to Logic errors
  • 5. Amazon Apple “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.” - http://www.wired.com/2012/08/apple-amazon-mat- honan-hacking/all/
  • 6. It is not enough to just be careful with your interfaces. You must also have have mitigations and continuous analysis that includes “outsiders”. Security considerations and reviews should be part of every step of development lifecycle.
  • 7. Where are the vulns?! Memory corruption - just won’t go away! That’s what a lot of CTFs seem to be focusing on. History thereof Memory Errors “Special feature” Backdooring yourself. Someone will eventually discover it.
  • 8. Network man on the side http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/ web where did I leave that session key again? https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
  • 9. Miscommunications The root of all bugs. Don’t be too paranoid It’s not healthy, but always ask: “what do you do if someone compromises this component?”
  • 10. Targeting Classic: Browser, Remote, Phishing A little more advanced: Via AWS - managed services (Exploiting external relationships) USB - https://srlabs.de/badusb/ i.e. Stuxnet
  • 11. Beg, borrow and steal Finding vulnerabilities Fuzzing (AFL, Many frameworks) Code reading (SourceInsight, Understand) Dynamic/Static analysis (Qira, Panda)
  • 12. Exploit Control EIP Doesn’t have to be 100% Gain execution Binary protections like ASLR and DEP
  • 13. Infect Run shell code Might have some ROPing to do And, stack pivoting Find the egg Bigger shellcode. Download implant Gain persistence i.e. launch daemon
  • 14. No Disclosure Private Communities Full disclosure Responsible Disclosure Coordinated Disclosure Private Bug bounties: Google, Microsoft, Facebook Managed Bug Bounties: Bugcrowd, HackerOne, SYNACK
  • 15. Black Market Bug Bounties: Zerodium, Vupen Cosinc (link) HackingTeam (Probably defunct) MitnickSecurity Lots of secretive companies (link) A few not so secretive (link)
  • 16. SYNACK Private Targets Think easy targets Fortune 500 Companies Several Categories Host, Web, Mobile Average payout: $690 We provide a cyber platform, Hydra! https://www.synack.com/red-team/
  • 17. Requires passing an assessment SYNACK Red Team entry If unable to pass try BugCrowd or HackerOne
  • 18. Let’s say you gained execution
  • 19. Goals Build shellcode that Downloads a dylib. Injects the dylib into process. Target OS X and iOS
  • 22. Partial source XNU kernel https://opensource.apple.com/tarballs/xnu/ Dyld source https://opensource.apple.com/tarballs/dyld/ Can be compiled
  • 23. ARM64 Registers 31 General purpose registers X0 … X30 or W0 … W30 X31 - (zr) The Zero register X30 - (lr) Procedure Link Register (RIP) X29 - (fp) Frame pointer (RBP) X18 - Reserved on iOS
  • 24. ARM64 Instructions Conditional Branches B.EQ, B.NE, TBNZ (Test bit and Branch if Nonzero), etc. Unconditional Branches B, RET, SVC Conditional Select CSEL W9, W9, W10, EQ “W9 = EQ?W9:W10”
  • 28. Calling Convention On ARM64: X0 … X8 Contain function parameters X16 has the system call number Positive for Posix Negative for Mach Ports 0x80000000 for thread_set_self SVC 0x80; jumps to kernel
  • 29. Let’s make a system call
  • 30.
  • 31. Syscall numbers OSX: 0x01000000 - mach ports 0x02000000 - Posix 0x03000003 - pthread_set_self IOS 0x00000000 and below - mach ports 0x00000000 and above - Posix 0x80000000 - pthread_set_self
  • 33. Who does what? - Kernel: - Maps the main executable - Maps the loader - Passes control to the loader - DYLD: - “Maps” itself and the main executable - Maps and links dependency libraries.
  • 35. File Structure: Commands - Follow the header - ‘cmdsize’ is a multiple of 8 bytes.
  • 36. Mach-O commands - LC_SEGMENT and LC_SEGMENT_64 - From file to virtual memory: __DATA, __TEXT, etc. - LC_UNIXTHREAD - Sets up initial registers and stack - Entry point - LC_LOAD_DYLINKER - Specifies the loader i.e. /usr/lib/dyld - LC_MAIN - Sets up the stack - etc
  • 37.
  • 38. Setting up the stack OSX Arguments Environment variables Apple variable Generated by the kernel (LC_UNIXTHREAD)
  • 39. Setting up the stack iOS Arguments Environment variables Apple variable Generated by the kernel (LC_UNIXTHREAD)
  • 41. Let’s build some shellcode. (live exercise) Recorded session
  • 42. `xcrun --sdk iphoneos --find gcc` -Os -fno-stack-protector - fomit-frame-pointer -fno-exceptions -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks - F`xcrun --sdk iphoneos --show-sdk- path`/System/Library/PrivateFrameworks -arch arm64 test_syscall.c -o test_syscall otool -t -v test_syscall
  • 43. Build it using GCC - Easy to represent complex logic - Excellent way to learn assembly skills - Assist with reverse engineering - Port to different architectures - Optimization hints - Does 90% of the work for you
  • 44. Cons of using GCC - Can get hard to make GCC avoid outputting certain bytes. - Give up a level of control - Can get into dependency hell - All the usual problems with C. - Optimizer could get too aggressive
  • 46. ShellCC - https://github.com/nologic/shellcc - shellcode - extractshell.py: Gets the bytecodes from the macho as raw shellcode - Makefile has build commands for shellcode ARM/x86_64 - shellharness - reads a file and executes the buffer.
  • 47. The challenge - Understand injectdyld_file.c - Figure out how to dynamically load a dylib - Can use injectdyld_file.c as a base - Hint: you will need to read the DYLD sourcecode.
  • 48. Where to learn about security? - https://seccasts.com/ - http://www.opensecuritytraining.info/ - https://www.corelan.be - youtube for conference - Security meetups - Just practice - Read/follow walkthroughs - follow the reddits: - netsec - reverseengineering - malware - lowlevel - blackhat - securityCTF - rootkit - vrd
  • 49. Getting started with iOS - Get iPhone 5s - Swappa - Apply Jailbreak - Install OpenSSH via Cydia - Use tcprelay to SSH over USB - Start exploring - debugserver - https://github.com/iosre/iOSAppReverseEngineering - https://nabla-c0d3.github.io/blog/2014/12/30/tcprelay-multiple-devices/