Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.
This presentation will cover all you need to know about mobile and application device security.
With an introduction, threats, applications, security, and useful tips for people who need to know
So, let's get started. If you enjoy this and find the information beneficial, please like and share it with your friends.
Multi-factor authentication (or MFA) Learn all you need to know about what multi-factor authentication is, and why you need MFA to protect customer data.
https://bit.ly/3jowx1a
This presentation will cover all you need to know about mobile and application device security.
With an introduction, threats, applications, security, and useful tips for people who need to know
So, let's get started. If you enjoy this and find the information beneficial, please like and share it with your friends.
Multi-factor authentication (or MFA) Learn all you need to know about what multi-factor authentication is, and why you need MFA to protect customer data.
https://bit.ly/3jowx1a
Fidelis Endpoint combines rich endpoint visibility and multiple defenses with incident response workflow automation including deep interrogation and recorded playbacks reducing response time from hours to minutes for security analysts. The Fidelis Endpoint module is a component of the Fidelis Elevate platform that delivers automated detection and response.
Here’s some of what we’ll cover:
-Visibility into all threat activity at the endpoint
-Hunting for threats directly on the endpoint, in both file system and memory
-Key event recording and automatic timeline generation
-Automated endpoint response using scripts and playbooks
-Integration with Fidelis Network to improve your team's effectiveness and efficiency
The F5 DDoS Protection Reference Architecture (Technical White Paper)F5 Networks
F5 Networks offers guidance to security and network architects in designing, deploying, and managing architecture to protect against increasingly sophisticated, application-layer DDoS attacks.
The F5 DDoS Protection Reference Architecture (Technical White Paper)
IoT Security – Executing an Effective Security Testing Process EC-Council
Deral Heiland CISSP, serves as a the Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on a numerous technical subjects, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.
We will discuss the following: CCNAS Overview, Threats Landscape, Hackers Tools, Tools. Kali Linux Parrot Linux Cisco Packet Tracer Wireshark Denial of Service
Distributed DoS
Man In The Middle
Phishing
Vishing
Smishing
Pharming
Sniffer
Password Attack
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
We are writing the year 2017. Cyber security has been a discipline for many years and thousands of security companies are offering solutions to deter and block malicious actors in order to keep our businesses operating and our data confidential. But fundamentally, cyber security has not changed during the last two decades. We are still running Snort and Bro. Firewalls are fundamentally still the same. People get hacked for their poor passwords and we collect logs that we don't know what to do with. In this talk I will paint a slightly provocative and dark picture of security. Fundamentally, nothing has really changed. We'll have a look at machine learning and artificial intelligence and see how those techniques are used today. Do they have the potential to change anything? How will the future look with those technologies? I will show some practical examples of machine learning and motivate that simpler approaches generally win. Maybe we find some hope in visualization? Or maybe Augmented reality? We still have a ways to go.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
Slides from our talk @Devoxx MA 2018.
We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.
Infections cost organizations billions of dollars in lost time and productivity, as well as ransom payments and other indirect costs, like damage to a business’s reputation.
End-users will learn about password management, multi-factor authentication and how to secure their laptops and desktops while working remotely.
This session will teach professionals how to avoid becoming a statistic.
Agenda: Foundations of security awareness | Common threats | Three ways to secure your work environment | Best practices for users | The work from home checklist
If you don't already have a security training program, this presentation is a great tool for a new hire orientation or company-wide meeting. It includes all of our top 10 tips, plus examples of relevant news stories to drive home the point. You can customize it to include your own tips or insert individual slides in other presentations.
Download a customizable PPT here: www.sophos.com/staysafe
Fidelis Endpoint combines rich endpoint visibility and multiple defenses with incident response workflow automation including deep interrogation and recorded playbacks reducing response time from hours to minutes for security analysts. The Fidelis Endpoint module is a component of the Fidelis Elevate platform that delivers automated detection and response.
Here’s some of what we’ll cover:
-Visibility into all threat activity at the endpoint
-Hunting for threats directly on the endpoint, in both file system and memory
-Key event recording and automatic timeline generation
-Automated endpoint response using scripts and playbooks
-Integration with Fidelis Network to improve your team's effectiveness and efficiency
The F5 DDoS Protection Reference Architecture (Technical White Paper)F5 Networks
F5 Networks offers guidance to security and network architects in designing, deploying, and managing architecture to protect against increasingly sophisticated, application-layer DDoS attacks.
The F5 DDoS Protection Reference Architecture (Technical White Paper)
IoT Security – Executing an Effective Security Testing Process EC-Council
Deral Heiland CISSP, serves as a the Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on a numerous technical subjects, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.
We will discuss the following: CCNAS Overview, Threats Landscape, Hackers Tools, Tools. Kali Linux Parrot Linux Cisco Packet Tracer Wireshark Denial of Service
Distributed DoS
Man In The Middle
Phishing
Vishing
Smishing
Pharming
Sniffer
Password Attack
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
We are writing the year 2017. Cyber security has been a discipline for many years and thousands of security companies are offering solutions to deter and block malicious actors in order to keep our businesses operating and our data confidential. But fundamentally, cyber security has not changed during the last two decades. We are still running Snort and Bro. Firewalls are fundamentally still the same. People get hacked for their poor passwords and we collect logs that we don't know what to do with. In this talk I will paint a slightly provocative and dark picture of security. Fundamentally, nothing has really changed. We'll have a look at machine learning and artificial intelligence and see how those techniques are used today. Do they have the potential to change anything? How will the future look with those technologies? I will show some practical examples of machine learning and motivate that simpler approaches generally win. Maybe we find some hope in visualization? Or maybe Augmented reality? We still have a ways to go.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
Slides from our talk @Devoxx MA 2018.
We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.
Infections cost organizations billions of dollars in lost time and productivity, as well as ransom payments and other indirect costs, like damage to a business’s reputation.
End-users will learn about password management, multi-factor authentication and how to secure their laptops and desktops while working remotely.
This session will teach professionals how to avoid becoming a statistic.
Agenda: Foundations of security awareness | Common threats | Three ways to secure your work environment | Best practices for users | The work from home checklist
If you don't already have a security training program, this presentation is a great tool for a new hire orientation or company-wide meeting. It includes all of our top 10 tips, plus examples of relevant news stories to drive home the point. You can customize it to include your own tips or insert individual slides in other presentations.
Download a customizable PPT here: www.sophos.com/staysafe
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes.
This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.
Attacking and Defending Apple iOS DevicesTom Eston
IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
Targeting the iOS Kernel
Although the iPhone user land is locked down very tightly, previous talks about iPhone security have concentrated on user land attacks only. Therefore demonstrated exploit payloads have been very limited in what they can do or cannot do. More complicated work like user land rootkits or the addition of ASLR protection therefore relied entirely on kernel exploitation help from the jailbreaking community.
This presentation will introduce the audience into finding security bugs in iOS kernelspace and how this is different from hunting kernel bugs in Mac OS X. Reverse engineering will be used to extract a lot of information from the kernelcache and then this information is used to enumerate the kernel's attack surface and the corresponding code is located. In addition to that the secrets of activating the iOS internal kernel debugger will be revealed and it will be demonstrated by debugging a previous disclosed iOS kernel exploit.
Pressetation about how to find vulnerabilities and do reversing to the iOS Operating System. The author is Steffan Esser and the talk was delivered in SyScan 2011 in Singapur
In the last years several things have chaned in the world of iOS forensics, both in terms of acquisition and in terms of analysis. The objective of this presentation is to provide an overview of the state of the art in terms of acquisition techniques and overcoming of the device's protection mechanisms, in particular the access code chosen by the user. In addition, the presentation aims to highlight what information we are missing by using the techniques and tools available on the market and what are the alternative paths we can use to overcome this problem
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.
iOS Ecosystem @ Fiera del Radioamatore PordenoneKlaus Lanzarini
An introduction to the iOS ecosystem and iOS apps development.
From #pragmamark Bootcamp at Fiera di Pordenenone, 26/04/2014.
TL;DR Introduction, environment, hardware specs, requirements, skills and resources to start developing on the Apple mobile platform.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Securing your Kubernetes cluster_ a step-by-step guide to success !
SyScan 2015 - iOS 678 Security - A Study in Fail
1. iOS 678 Security
—== A Study in Fail ==—
Stefan Esser <stefan.esser@sektioneins.de>
http://www.sektioneins.de
2. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Who am I?
Stefan Esser
• from Cologne / Germany
• in information security since 1998
• invested in PHP security from 2001 to 20xx
• since 2010 focused on iPhone security (ASLR/jailbreak)
• founder of SektionEins GmbH
2
3. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Lots of Fail, but this talk is not about …
• Apple releasing an iOS 8.0.1 update that would kill cell service on iPhone 6/6p
• Apple adding unsecured double linked lists as meta-data to the iOS 7 kernel
heap that made kernel heap exploitation easy (safe unlink in iOS 8)
• Apple “improving” their iOS 7 early random number generator so that Tarjei
Mandt would totally rip it apart and calculate all past and future numbers
• Apple having a double “goto fail” in their SSL for iOS 6 - iOS 7.0.5 that broke it
completely
• … so yes I am skipping a lot of fail but what I cover is already too much for 45 minutes
3
4. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
So what is it about?
this talk is about iOS jailbreaks
and Apple fixing the bugs within
4
5. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Fixing Bugs …
5
6. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
BUT APPLE SECURITY
AIN’T NO JEDI
6
BUT APPLE SECURITY
AIN’T NO JEDI
7. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
So actually …
this talk is about iOS jailbreaks
and Apple not fixing the bugs within
7
8. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Before we start …
what are the ingredients
of an iOS jailbreak?
8
9. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Ingredients
Initial Injection Vector
Persistency
9
10. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Not talking about that
Initial Injection Vector
but apparently Apple had
to issue several updates to fix those bugs, too
10
11. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Concentrating on
Jailbreak
Persistency
11
12. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak Persistency (I)
• why concentrate on persistency?
• attack surface for injection is just extremely = huge no chance of win
• injection vectors for iOS can be easily exchanged
• USB, mobile safari, malicious apps
• some injections would require more powerful kernel bugs than public
jailbreaks, but those do exist and are traded in the underground
12
13. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak Persistency (II)
• attack surface for jailbreak persistency is in comparison extremely small
• could be made even smaller and smaller if Apple would do it right
• i just want the public to pressure Apple into changing
• PUBLIC PERSISTENCE EXPLOITS CAN BE EASILY REUSED IN STATE
SPONSORED ATTACKS = LOT CHEAPER + NOT WASTE BUGS
13
14. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
AMFI trickery
14
15. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
AMFI Trickery
• whole story starts with the exploit chain evad3rs “invented” for iOS 6
• for signature verification
• kernel asks AMFI driver
• AMFI driver asks AMFID user space daemon
• AMFID uses libmis.dylib
• Attack:
inject a malicious library into AMFID that makes libmis.dylib return “true”
15
16. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Injecting a malicious dylib AMFI attack
• injecting malicious dylib / replacing libmis.dylib not as easy at it sounds
• need to trick dynamic linker into attempting to do it
• need to trick dynamic linker into accepting a not signed library
• Idea:
use launch daemon config + DYLD_INSERT_LIBRARIES for first part
use incomplete codesigning bypass for second part
16
17. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Putting the full chain together
17
18. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple “trying” to fix evasi0n
• launchd.conf no longer loaded
• __restrict in AMFID stops DYLD_INSERT_LIBRARIES
• apply patch to fix incomplete code signing bypass (patient ALPHA)
• fix kernel info leak and memory corruption
18
19. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
evad3rs needed new tricks
• patch of incomplete code signing trick (patient ALPHA) required new
incomplete code signing trick
➡ evad3rs unnecessarily burned a new vulnerability some gave to them
• __restrict in AMFID required new way to replace/inject library
➡ just use dyld feature enable-dylibs-to-override-cache
(makes dyld load a replacement library instead of original one)
19
20. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
evad3rs needed new tricks (II)
• removal of launchd.conf required trick to inject launch daemons beside
launch daemon codesigning
• just use previous two also load a malicious xpcd_cache.dylib
• kernel bugs required to be replaced
• they just used some new bugs (because there are plenty)
20
21. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
New chain for evasi0n 7
21
22. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple fixing evasi0n7 *LESS AGGRESSIVE*
• new incomplete codesigning bypass trick fixed
• kernel bugs are fixed
• rest of chain is left completely untouched
22
23. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Pangu7 Jailbreak
• Pangu realised that original bug Patient ALPHA was fixed incorrectly
• used new kernel bugs
23
DejaVu
24. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple “trying to fix” Pangu7
• they try to fix their broken fix for the codesigning
• kernel bugs are claimed fixed
• rest of chain is still completely untouched
24
DejaVu
25. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Pangu8 Jailbreak
• Pangu realised that fix for fix for Patient ALPHA is still incorrect
• also their kernel bugs were apparently not patched correctly
25
DejaVu
26. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple “trying to fix” Pangu8
• they try to fix their broken fix for the broken fix for the codesigning
• kernel bugs are claimed fixed again
• rest of chain is still completely untouched
26
DejaVu
27. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
TaiG Jailbreak
• Pangu TaiG realised that fix for fix for fix for Patient ALPHA is still incorrect
• used other kernel bugs
27
DejaVu
28. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
enable-dylibs-to-override-cache
28
29. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
enable-dylibs-to-override-cache
• a flag file in /System/Library/Caches/com.apple.dyld
• when present libraries on disk will be loaded instead of a cached copy
• used by jailbreaks to trick dyld into loading
• malicious libmis.dylib into AMFID
• malicious list of launchd daemons xpcd_cache.dylib into launchctl
29
30. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
enable-dylibs-to-override-cache
• see how enable-dylibs-to-override-cache is in center of everything?
• without this element the whole chain would have been destroyed
30
31. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
enable-dylibs-to-override-cache
• first abused in iOS 7.0 jailbreak by evad3rs (December 2013)
• without it the whole exploit chains of all jailbreaks since then would have fallen apart
• after 14 months still unfixed
• from a strategic standpoint it is unbelievable that Apple did not fix this
• by not fixing this for 14 months Apple made persistence on device easier
• fixing this bug would have made iOS far more secure than the
security by obscurity patches that Apple implemented to stop
the root filesystem from being writable or the team identifier hack
31
32. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Patient Alpha
(incomplete codesigning)
32
33. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Incomplete Codesigning
• simplified:
• if a page is not executable a missing code sig is not a problem
• if a page is executable there must be a code sig on first access
• prior to iOS 5 therefore jailbreaks would use ALL DATA dylibs to
exploit dyld via various meta-data structures
• around the end of iOS 4 Apple added checks to dyld to enforce load
commands are in an executable segment
• therefore while header parsing (first access) code sig is required
33
34. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mach-o dynamic library loading
• mach-o dynamic libraries loaded by dyld
• load commands describe i.a. layout of
segments in memory
• virtual address and
virtual size of segments
• file position and
file size of segment
34
35. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Ohhh really?
• actually it is not that simple
• mach-o header is first loaded into stack
• initial LC parse is performed to collect info
• this info is used to map the file into memory
• segments are touched to enforce code sig
• another LC parse is performed to make dyld
use the mach-o header from paged memory
• more and more parsing
35
36. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
evad3rs come along
• and then the evad3rs came along
• for evasi0n (iOS 6) they used a
TOCTOU trick to bypass the checks
• attack logic between
sniffLoadCommands and
crashIfInvalidCodesignature
• just trick mapSegments
36
37. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mapSegments
• mapSegments uses mmap()
• mmap allows to override previous mappings
• just have two mappings at same virtual address
• 1st contains LC and is R+X
• 2nd contains fake LC and is R / RW
• therefore at time of later access to page it will not
require a code signature
37
38. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple’s first fix
• Apple added a detection for
overlapping segments
• code tests LC segment against all others so
that it does not get overlapped by other
segment
• test uses virtual address and virtual size
38
39. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Problem with Apple’s first fix
• the security check by Apple did not account for
integer wraps
• a segment with vmaddr at end of address space
and wrapping around is not detected as
overlapping
• in reality the mapping is not wrapping around the
address space due to being slid for ASLR
39
40. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple’s second fix
• Apple added a detection for LC segment
wrapping around
• such a setup will be detected and disallowed
40
41. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Problem with Apple’s second fix
• the integer wrap check was only done on the
LC segment
• just doing the same trick again but letting the other
segment wrap around would still do the trick
• what was Apple thinking?
41
42. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple’s third fix
• Apple added a detection for other segments
wrapping around
• such a setup will now also be detected and
disallowed
42
43. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Problem with Apple’s third fix
• all these battles by Apple security with Chinese
jailbreakers were for nothing
• the security checks by Apple all did detect
overlaps by checking vmaddr + vmsize
• however mapSegments never used vmsize
• mapping into memory uses filesize
• filesize could be a lot larger than vmsize
• overlapping would never be detected
43
44. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple’s fourth fix
• Apple now detects when filesize is bigger
than vmsize
• such segments are now forbidden
• they now added a number of other checks
that also killed another bypass by accident
(will be disclosed in my blog)
• it took Apple only 2 years to realise this ;-)
44
• DISCLAIMER: I am absolutely NOT claiming that this is the end
45. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mach_port_kobject
45
46. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mach_port_kobject
• debugging Mach API call
• returns kobject associated with a mach port
• kobject filled with different values depending on type of port
• IOKit object ports: a kernel heap address containing a function table
• Host ports: address of realhost variable in kernel
• other ports: something else
• SECURITY PROBLEM: leaked addresses very useful for exploitation
46
*typep = (unsigned int) ip_kotype(port);
kaddr = (mach_vm_address_t)port->ip_kobject;
ip_unlock(port);
if (0 != kaddr && is_ipc_kobject(*typep))
*addrp = kaddr;
else
*addrp = 0;
47. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Fix 1
47
48. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mach_port_kobject in iOS 6.0
• Apple added kernel address obfuscation
• random 32 / 64 bit secret vm_kernel_addrperm
• added to all returned addresses
• should stop leakage of valid kernel pointers
48
*typep = (unsigned int) ip_kotype(port);
kaddr = (mach_vm_address_t)port->ip_kobject;
ip_unlock(port);
if (0 != kaddr && is_ipc_kobject(*typep))
*addrp = VM_KERNEL_ADDRPERM(VM_KERNEL_UNSLIDE(kaddr));
else
*addrp = 0;
49. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Weakness of ADD Obfuscation
• all returned addresses are obfuscated with the same secret summand
• ADDR + SECRET = OBFUSCATED_ADDR
• a single pair of ADDR and its OBFUSCATED_ADDR break the security
• if SECRET is known all obfuscated addresses can be easily decrypted
49
50. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Houston we have a problem …
• Remember this?
• kobject filled with different values depending on type of port
• IOKit object ports: a kernel heap address containing a function table
• Host ports: address of realhost variable in kernel
• other ports: something else
• SECURITY PROBLEM:
we know realhost’s address and can break obfuscation
50
we know
plain address of
this variable
therefore we can break obfuscation
51. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Fix 2
51
52. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mach_port_kobject in iOS 8.0
• Apple now detects pointers inside kernel and does not obfuscate
• stops attack via e.g. host ports
52
*typep = (unsigned int) ip_kotype(port);
kaddr = (mach_vm_address_t)port->ip_kobject;
ip_unlock(port);
if (0 != kaddr && is_ipc_kobject(*typep))
*addrp = VM_KERNEL_UNSLIDE_OR_PERM(kaddr);
else
*addrp = 0;
53. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Houston we have a problem …
• Remember this?
• kobject filled with different values depending on type of port
• IOKit object ports: a kernel heap address containing a function table
• Host ports: address of realhost variable in kernel
• other ports: something else
• master ports: the value of kobject is 1
• SECURITY PROBLEM:
Obfuscation secret is mach_port_kobject(master)-1
53
54. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Fun Fact
• master port attack was taught to Pangu in SektionEins’ iOS training
• Pangu used it in their jailbreak in June 2014
• This means this attack was used in public 3 MONTHS before iOS 8.0 release*
• TaiG reused this trick in November 2014 for their jailbreak
54
* this means when fix 2 was released to public this was already known to be insufficient
55. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Fix 3
55
56. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
mach_port_kobject in iOS 8.1.3
• Apple released iOS 8.1.3 at end of January
• they fixed the problem the Apple’s wayTM
• they just removed the function altogether
• removing the function took them ONLY 7 MONTHS
• This bug was assigned CVE-2014-4496 and Apple wrongly credits TaiG for it
56
57. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
kext_request
57
58. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
kext_request()
• Mach API call
• allows applications to request information about kernel modules
• active operations are locked down (load, unload, start, stop, …)
• passive operations partially working from even within the sandbox
• Apple fixed it to unslide load addresses to protect against KASLR leaks
58
59. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
kext_request() - Get Loaded Kext Info
• of special interest is a sub request called
• Get Loaded Kext Info
• returns a serialised dictionary with information about all loaded Kext
• information contained includes the mach-o headers
• Apple even modifies those headers to protect KASLR
59
60. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
kext_request() - Get Loaded Kext Info
60
mach_msg_type_number_t reqlen, resplen = 0, loglen = 0;
char *request, *response = NULL, *log = NULL;
kern_return_t kr;
request =
"<dict><key>Kext Request Predicate</key><string>Get Loaded Kext Info</string></dict>";
reqlen = strlen(request) + 1;
kext_request(mach_host_self(), 0, request, reqlen, &response,
&resplen, &log, &loglen, &kr);
62. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
kext_request() vs. Mark Dowd
• so in October 2012 Mark Dowd disclosed that Apple forgot to unslide
addresses in mach-o section defintion
• Apple released a fix in iOS 6.0.1
• so KASLR was easy to defeat in iOS 6.0
• at this point everyone was auditing this function
62
I was informed by Mark Dowd
that disclosure of bug
was actually done by Tarjei Mandt.
So I am sorry for crediting it to the wrong person :)
63. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
However …
• however there were ADDITIONAL bugs
• macro Apple used did only unslide main kernel and
pre-loaded kernel extensions
• but there are parts in the kernelcache that were in
between and therefore not unslid
• leaks KASLR slide once again => KASLR broken
63
#define VM_KERNEL_UNSLIDE(_v)
((VM_KERNEL_IS_SLID(_v) ||
VM_KERNEL_IS_KEXT(_v)) ?
(vm_offset_t)(_v) - vm_kernel_slide :
(vm_offset_t)(_v))
#define VM_KERNEL_IS_SLID(_o)
(((vm_offset_t)(_o) >= vm_kernel_base) &&
((vm_offset_t)(_o) < vm_kernel_top))
#define VM_KERNEL_IS_KEXT(_o)
(((vm_offset_t)(_o) >= vm_kext_base) &&
((vm_offset_t)(_o) < vm_kext_top))
64. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Apple Releases a Fix
• end of January 2015 Apple releases iOS 8.1.3 to fix this
• fixed it the Apple way: they remove the OSBundleMachOHeaders altogether
• but they lie about it in the release announcement (claim it was fixed/not removed)
• took them only more than 2 years to realize this 2nd vulnerability
• and only 7 months from it being publicly used in a jailbreak
• people in training saw this within 10 min when checking out fix for Dowd’s 2012 bug
64
Tarjei Mandt's
65. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
one more thing
65
66. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
one more thing
• Of course all of these bugs also apply to OS X
• so no surprise that Apple fixed kext_request() in OS X 10.10.2
• but for 10.10.2 they keep the OSBundleMachOHeaders and try to do it correctly
66
67. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
one more thing
• at this point it might not surprise the audience anymore
• kext_request KASLR info leak is still not fully fixed in Mac OS X 10.10.2
• the slide still leaks through the contained OSBundleMachOHeaders
• reason is that they use < instead of <= in the code
• therefore __LAST::__last (the last kernel symbol) is not unslid
67
#define VM_KERNEL_UNSLIDE(_v)
((VM_KERNEL_IS_SLID(_v) ||
VM_KERNEL_IS_KEXT(_v)) ?
(vm_offset_t)(_v) - vm_kernel_slide :
(vm_offset_t)(_v))
#define VM_KERNEL_IS_SLID(_o)
(((vm_offset_t)(_o) >= vm_kernel_base) &&
((vm_offset_t)(_o) < vm_kernel_top))
#define VM_KERNEL_IS_KEXT(_o)
(((vm_offset_t)(_o) >= vm_kext_base) &&
((vm_offset_t)(_o) < vm_kext_top))
68. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak made in China
68
69. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak made in China
• there has been a change in guard
• recent Jailbreaks are no longer developed by “Westeners”
• now Chinese teams seem to rule the scene
• but why?
69
70. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak made in China - Why?
• “Western” Jailbreak developers
• shared a lot of tools and techniques
• now have to deal with exploit export control regulations
• worked hard for nearly nothing (few donations)
• while information security companies made millions of their work
• on top of that had to deal with greedy JB community
70
71. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak made in China - Why?
• “Chinese” Jailbreak developers
• are paid by Chinese companies with app
stores ( e.g. 1 Mio USD )
• use money to buy vulnerabilities /
exploits ( from the west )
• use questionable methods like stolen
enterprise certificates
• use public & non public code ignoring
software licenses / copyright
71
at the moment I have no permission to disclose identity of jailbreaker who wrote this
if you can offer 100.000 USD for buying a vulnerability / exploit this means you must get a lot for the end product
72. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak made in China - and Apple
• so far “Chinese” Jailbreakers
• had a lucky time because of Apple security’s total lack of QA
• have mostly relied on techniques invented by westerners
• could reuse the same vulnerabilities over and over
72
73. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Jailbreak made in China - Community
• so far “Chinese” Jailbreakers have
• not released any code to advance the iOS research community
• instead have heavily obfuscated their jailbreaks
• intentionally removed patches to hinder work of other researchers
• have destructive kernel patches that overwrite part of kernel binary
• they are in it for the money and don’t want competition
73
74. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Conclusion
74
75. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Conclusion
• looking at how Apple security fails over and over again shows they are
not taking it seriously and have no QA on their security fixes AT ALL.
• Basically Apple Security’s failed patches made the Chinese jb possible
• IMHO the fact that media is celebrating Jailbreaks instead of taking
them as what they are: exploits for vulnerabilities is partly the reason
why Apple does not take fixing them seriously
• media should stress the fact that every unfixed jailbreak makes it CHEAP
for state sponsored attackers to spy on people
• actually it has been shown that several iOS surveillance tools fully rely
on release of public jailbreaks
75
76. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •
Questions
?
76