| |
| |
| Introduction | |
| |
| |
| |
| iOS Security Basics | |
| |
| |
| iOS Hardware/Device Types | |
| |
| |
| How Apple Protects the App Store | |
| |
| |
| Understanding Security Threats | |
| |
| |
| Understanding iOS Security Architecture | |
| |
| |
| The Reduced Attack Surface | |
| |
| |
| The Stripped-Down iOS | |
| |
| |
| Privilege Separation | |
| |
| |
| Code Signing | |
| |
| |
| Data Execution Prevention | |
| |
| |
| Address Space Layout Randomization | |
| |
| |
| Sandboxing | |
| |
| |
| A Brief History of iOS Attacks | |
| |
| |
| Libtiff | |
| |
| |
| Fun with SMS | |
| |
| |
| The Ikee Worm | |
| |
| |
| Storm8 | |
| |
| |
| SpyPhone | |
| |
| |
| Pwn2Own2010 | |
| |
| |
| Jailbreakme.com 2 ("Star") | |
| |
| |
| Jailbreakme.com 3 ("Saffron") | |
| |
| |
| Summary | |
| |
| |
| |
| iOS in the Enterprise | |
| |
| |
| iOS Configuration Management | |
| |
| |
| Mobile Configuration Profiles | |
| |
| |
| iPhone Configuration Utility | |
| |
| |
| Creating a Configuration Profile | |
| |
| |
| Installing the Configuration Profile | |
| |
| |
| Updating Profiles | |
| |
| |
| Removing Profiles | |
| |
| |
| Applications and Provisioning Profiles | |
| |
| |
| Mobile Device Management | |
| |
| |
| MDM Network Communication | |
| |
| |
| Lion Server Profile Manager | |
| |
| |
| Setting Up Profile Manager | |
| |
| |
| Creating Settings | |
| |
| |
| Enrolling Devices | |
| |
| |
| Summary | |
| |
| |
| |
| Encryption | |
| |
| |
| Data Protection | |
| |
| |
| Data Protection API | |
| |
| |
| Attacking Data Protection | |
| |
| |
| Attacking User Passcodes | |
| |
| |
| iPhone Data Protection Tools | |
| |
| |
| Installation Prerequisites | |
| |
| |
| Building the Ramdisk | |
| |
| |
| Booting Ramdisk | |
| |
| |
| Brute-Force Attacking Four-Digit Passcodes | |
| |
| |
| Dumping Keychain | |
| |
| |
| Dumping Data Partition | |
| |
| |
| Decrypting Data Partition | |
| |
| |
| Summary | |
| |
| |
| |
| Code Signing and Memory Protections | |
| |
| |
| Understanding Mandatory Access Control | |
| |
| |
| AMFI Hooks | |
| |
| |
| AMFI and execv | |
| |
| |
| How Provisioning Works | |
| |
| |
| Understanding the Provisioning Profile | |
| |
| |
| How the Provisioning File Is Validated | |
| |
| |
| Understanding Application Signing | |
| |
| |
| Inside Entitlements | |
| |
| |
| How Code Signing Enforcement Works | |
| |
| |
| Collecting and Verifying Signing Information | |
| |
| |
| How Signatures Are Enforced on Processes | |
| |
| |
| How the iOS Ensures No Changes Are Made to Signed Pages | |
| |
| |
| Discovering Dynamic Code Signing | |
| |
| |
| Why MobileSafari Is So Special | |
| |
| |
| How the Kernel Handles JIT | |
| |
| |
| Attacking Inside MobileSafari | |
| |
| |
| Breaking Code Signing | |
| |
| |
| Altering iOS Shellcode | |
| |
| |
| Using Meterpreter on iOS | |
| |
| |
| Gaining App Store Approval | |
| |
| |
| Summary | |
| |
| |
| |
| Sandboxing | |
| |
| |
| Understanding the Sandbox | |
| |
| |
| Sandboxing Your Apps | |
| |
| |
| Understanding the Sandbox Implementation | |
| |
| |
| Understanding User Space Library Implementation | |
| |
| |
| Into the Kernel | |
| |
| |
| Implementing TrustedBSD | |
| |
| |
| Handling Configuration from User Space | |
| |
| |
| Policy Enforcement | |
| |
| |
| How Profile Bytecode Works | |
| |
| |
| How Sandboxing Impacts App Store versus Platform Applications | |
| |
| |
| Summary | |
| |
| |
| |
| Fuzzing iOS Applications | |
| |
| |
| How Fuzzing Works | |
| |
| |
| The Recipe for Fuzzing | |
| |
| |
| Mutation-Based ("Dumb") Fuzzing | |
| |
| |
| Generation-Based ("Smart") Fuzzing | |
| |
| |
| Submitting and Monitoring the Test Cases | |
| |
| |
| Fuzzing Safari | |
| |
| |
| Choosing an Interface | |
| |
| |
| Generating Test Cases | |
| |
| |
| Testing and Monitoring the Application | |
| |
| |
| Adventures in PDF Fuzzing | |
| |
| |
| Quick Look Fuzzing | |
| |
| |
| Fuzzing with the Simulator | |
| |
| |
| Fuzzing MobileSafari | |
| |
| |
| Selecting the Interface to Fuzz | |
| |
| |
| Generating the Test Case | |
| |
| |
| Fuzzing and Monitoring MobileSafari | |
| |
| |
| PPT Fuzzing Fun | |
| |
| |
| SMS Fuzzing | |
| |
| |
| SMS Basics | |
| |
| |
| Focusing on the Protocol Data Unit Mode | |
| |
| |
| Using PDUspy | |
| |
| |
| Using User Data Header Information | |
| |
| |
| Working with Concatenated Messages | |
| |
| |
| Using Other Types of UDH Data | |
| |
| |
| Generation-Based Fuzzing with Sulley | |
| |
| |
| SMS iOS Injection | |
| |
| |
| Monitoring SMS | |
| |
| |
| SMS Bugs | |
| |
| |
| Summary | |
| |
| |
| |
| Exploitation | |
| |
| |
| Exploiting Bug Classes | |
| |
| |
| Object Lifetime Vulnerabilities | |
| |
| |
| Understanding the iOS System Allocator | |
| |
| |
| Regions | |
| |
| |
| Allocation | |
| |
| |
| Deallocation | |
| |
| |
| Taming the iOS Allocator | |
| |
| |
| Tools of the Trade | |
| |
| |
| Learning Alloc/Dealloc Basics | |
| |
| |
| Exploiting Arithmetic Vulnerabuities | |
| |
| |
| Exploiting Object Lifetime Issues | |
| |
| |
| Understanding TCMalloc | |
| |
| |
| Large Object Allocation and Deallocation | |
| |
| |
| Small Object Allocation | |
| |
| |
| Small Object Deallocation | |
| |
| |
| Taming TCMalloc | |
| |
| |
| Obtaining a Predictable Heap Layout | |
| |
| |
| Tools for Debugging Heap Manipulation Code | |
| |
| |
| Exploiting Arithmetic Vulnerabilities with TCMalloc - Heap Feng Shui | |
| |
| |
| Exploiting Object Lifetime Issues with TCMalloc | |
| |
| |
| ASLR Challenges | |
| |
| |
| Case Study: Pwn20wn 2010 | |
| |
| |
| Testing Infrastructure | |
| |
| |
| Summary | |
| |
| |
| |
| Return-Oriented Programming | |
| |
| |
| ARM Basics | |
| |
| |
| iOS Calling Convention | |
| |
| |
| System Calls Calling Convention | |
| |
| |
| ROP Introduction | |
| |
| |
| ROP and Heap Bugs | |
| |
| |
| Manually Constructing a ROP Payload | |
| |
| |
| Automating ROP Payload Construction | |
| |
| |
| What Can You Do with ROP on iOS? | |
| |
| |
| Testing ROP Payloads | |
| |
| |
| Examples of ROP Shellcode on iOS | |
| |
| |
| Exfiltrate File Content Payload | |
| |
| |
| Using ROP to Chain Two Exploits (JailBreakMe v3) | |
| |
| |
| Summary | |
| |
| |
| |
| Kernel Debugging and Exploitation | |
| |
| |
| Kernel Structure | |
| |
| |
| Kernel Debugging | |
| |
| |
| Kernel Extensions and IOKit Drivers | |
| |
| |
| Reversing the IOKit Driver Object Tree | |
| |
| |
| Finding Vulnerabilities in Kernel Extensions | |
| |
| |
| Finding Vulnerabilities in IOKit Drivers | |
| |
| |
| Attacking through Device Properties | |
| |
| |
| Attacking through External Traps and Methods | |
| |
| |
| Kernel Exploitation | |
| |
| |
| Arbitrary Memory Overwrite | |
| |
| |
| Patching a Vulnerability into the Kernel | |
| |
| |
| Choosing a Target to Overwrite | |
| |
| |
| Locating the System Call Table | |
| |
| |
| Constructing the Exploit | |
| |
| |
| Uninitialized Kernel Variables | |
| |
| |
| Kernel Stack Buffer Overflows | |
| |
| |
| Kernel Heap Buffer Overflows | |
| |
| |
| Kernel Heap Zone Allocator | |
| |
| |
| Kernel Heap Feng Shui | |
| |
| |
| Detecting the State of the Kernel Heap | |
| |
| |
| Exploiting the Kernel Heap Buffer Overflow | |
| |
| |
| Summary | |
| |
| |
| |
| Jailbreaking | |
| |
| |
| Why Jailbreak? | |
| |
| |
| Jailbreak Types | |
| |
| |
| Jailbreak Persistence | |
| |
| |
| Tethered Jailbreaks | |
| |
| |
| Untethered Jailbreaks | |
| |
| |
| Exploit Type | |
| |
| |
| Bootrom Level | |
| |
| |
| iBoot Level | |
| |
| |
| Userland Level | |
| |
| |
| Understanding the Jailbreaking Process | |
| |
| |
| Exploiting the Bootrom | |
| |
| |
| Booting the Ramdisk | |
| |
| |
| Jailbreaking the Filesystem | |
| |
| |
| Installing the Untethering Exploit | |
| |
| |
| Installing the AFC2 Service | |
| |
| |
| mstalling Base Utilities | |
| |
| |
| Application Stashing | |
| |
| |
| Bundle Installation | |
| |
| |
| Post-Installation Process | |
| |
| |
| Executing Kernel Payloads and Patches | |
| |
| |
| Kernel State Reparation | |
| |
| |
| Privilege Escalation | |
| |
| |
| Kernel Patching | |
| |
| |
| security.mac.proc_enforce | |
| |
| |
| cs_enforcement_disable (kernel) | |
| |
| |
| cs_enforcement_disable (AMFI) | |
| |
| |
| PE_i_can_has_debugger | |
| |
| |
| vm_map_enter | |
| |
| |
| vm_map_protect | |
| |
| |
| AMFI Binary Trust Cache | |
| |
| |
| Task_for_pid 0 | |
| |
| |
| Sandbox Patches | |
| |
| |
| Clearing the Caches | |
| |
| |
| Clean Return | |
| |
| |
| Summary | |
| |
| |
| |
| Baseband Attacks | |
| |
| |
| GSM Basics | |
| |
| |
| Setting up OpenBTS | |
| |
| |
| Hardware Required | |
| |
| |
| OpenBTS Installation and Configuration | |
| |
| |
| Closed Configuration and Asterisk Dialing Rules | |
| |
| |
| RTOSes Underneath the Stacks | |
| |
| |
| Nucleus PLUS | |
| |
| |
| ThreadX | |
| |
| |
| REX/OKL4/Iguana | |
| |
| |
| Heap Implementations | |
| |
| |
| Dynamic Memory in Nucleus PLUS | |
| |
| |
| Byte Pools in ThreadX | |
| |
| |
| The Qualcomm Modem Heap | |
| |
| |
| Vulnerability Analysis | |
| |
| |
| Obtaining and Extracting Baseband Firmware | |
| |
| |
| Loading Firmware Images into IDA Pro | |
| |
| |
| Application/Baseband Processor Interface | |
| |
| |
| Stack Traces and Baseband Core Dumps | |
| |
| |
| Attack Surface | |
| |
| |
| Static Analysis on Binary Code Like it's 1999 | |
| |
| |
| Specification-Guided Fuzz Testing | |
| |
| |
| Exploiting the Baseband | |
| |
| |
| A Local Stack Buffer Overflow: AT+XAPP | |
| |
| |
| The ultrasn0w Unlock | |
| |
| |
| An Overflow Exploitable Over the Air | |
| |
| |
| Summary | |
| |
| |
| Appendix References | |
| |
| |
| Index | |