Introduction

iOS Security Basics
iOS Hardware/Device Types
How Apple Protects the App Store
Understanding Security Threats
Understanding iOS Security Architecture
The Reduced Attack Surface
The Stripped-Down iOS
Privilege Separation
Code Signing
Data Execution Prevention
Address Space Layout Randomization
Sandboxing
A Brief History of iOS Attacks
Libtiff
Fun with SMS
The Ikee Worm
Storm8
SpyPhone
Pwn2Own 2010
Jailbreakme.com 2 ("Star")
Jailbreakme.com 3 ("Saffron")
Summary

iOS in the Enterprise
iOS Configuration Management
Mobile Configuration Profiles
iPhone Configuration Utility
Creating a Configuration Profile
Installing the Configuration Profile
Updating Profiles
Removing Profiles
Applications and Provisioning Profiles
Mobile Device Management
MDM Network Communication
Lion Server Profile Manager
Setting Up Profile Manager
Creating Settings
Enrolling Devices
Summary

Encryption
Data Protection
Data Protection API
Attacking Data Protection
Attacking User Passcodes
iPhone Data Protection Tools
Installation Prerequisites
Building the Ramdisk
Booting Ramdisk
Brute-Force Attacking Four-Digit Passcodes
Dumping Keychain
Dumping Data Partition
Decrypting Data Partition
Summary

Code Signing and Memory Protections
Understanding Mandatory Access Control
AMFI Hooks
AMFI and execv
How Provisioning Works
Understanding the Provisioning Profile
How the Provisioning File Is Validated
Understanding Application Signing
Inside Entitlements
How Code Signing Enforcement Works
Collecting and Verifying Signing Information
How Signatures Are Enforced on Processes
How the iOS Ensures No Changes Are Made to Signed Pages
Discovering Dynamic Code Signing
Why MobileSafari Is So Special
How the Kernel Handles JIT
Attacking Inside MobileSafari
Breaking Code Signing
Altering iOS Shellcode
Using Meterpreter on iOS
Gaining App Store Approval
Summary

Sandboxing
Understanding the Sandbox
Sandboxing Your Apps
Understanding the Sandbox Implementation
Understanding User Space Library Implementation
Into the Kernel
Implementing TrustedBSD
Handling Configuration from User Space
Policy Enforcement
How Profile Bytecode Works
How Sandboxing Impacts App Store versus Platform Applications
Summary

Fuzzing iOS Applications
How Fuzzing Works
The Recipe for Fuzzing
Mutation-Based ("Dumb") Fuzzing
Generation-Based ("Smart") Fuzzing
Submitting and Monitoring the Test Cases
Fuzzing Safari
Choosing an Interface
Generating Test Cases
Testing and Monitoring the Application
Adventures in PDF Fuzzing
Quick Look Fuzzing
Fuzzing with the Simulator
Fuzzing MobileSafari
Selecting the Interface to Fuzz
Generating the Test Case
Fuzzing and Monitoring MobileSafari
PPT Fuzzing Fun
SMS Fuzzing
SMS Basics
Focusing on the Protocol Data Unit Mode
Using PDUspy
Using User Data Header Information
Working with Concatenated Messages
Using Other Types of UDH Data
Generation-Based Fuzzing with Sulley
SMS iOS Injection
Monitoring SMS
SMS Bugs
Summary

Exploitation
Exploiting Bug Classes
Object Lifetime Vulnerabilities
Understanding the iOS System Allocator
Regions
Allocation
Deallocation
Taming the iOS Allocator
Tools of the Trade
Learning Alloc/Dealloc Basics
Exploiting Arithmetic Vulnerabilities
Exploiting Object Lifetime Issues
Understanding TCMalloc
Large Object Allocation and Deallocation
Small Object Allocation
Small Object Deallocation
Taming TCMalloc
Obtaining a Predictable Heap Layout
Tools for Debugging Heap Manipulation Code
Exploiting Arithmetic Vulnerabilities with TCMalloc - Heap Feng Shui
Exploiting Object Lifetime Issues with TCMalloc
ASLR Challenges
Case Study: Pwn2Own 2010
Testing Infrastructure
Summary

Return-Oriented Programming
ARM Basics
iOS Calling Convention
System Calls Calling Convention
ROP Introduction
ROP and Heap Bugs
Manually Constructing a ROP Payload
Automating ROP Payload Construction
What Can You Do with ROP on iOS?
Testing ROP Payloads
Examples of ROP Shellcode on iOS
Exfiltrate File Content Payload
Using ROP to Chain Two Exploits (JailBreakMe v3)
Summary

Kernel Debugging and Exploitation
Kernel Structure
Kernel Debugging
Kernel Extensions and IOKit Drivers
Reversing the IOKit Driver Object Tree
Finding Vulnerabilities in Kernel Extensions
Finding Vulnerabilities in IOKit Drivers
Attacking through Device Properties
Attacking through External Traps and Methods
Kernel Exploitation
Arbitrary Memory Overwrite
Patching a Vulnerability into the Kernel
Choosing a Target to Overwrite
Locating the System Call Table
Constructing the Exploit
Uninitialized Kernel Variables
Kernel Stack Buffer Overflows
Kernel Heap Buffer Overflows
Kernel Heap Zone Allocator
Kernel Heap Feng Shui
Detecting the State of the Kernel Heap
Exploiting the Kernel Heap Buffer Overflow
Summary

Jailbreaking
Why Jailbreak?
Jailbreak Types
Jailbreak Persistence
Tethered Jailbreaks
Untethered Jailbreaks
Exploit Type
Bootrom Level
iBoot Level
Userland Level
Understanding the Jailbreaking Process
Exploiting the Bootrom
Booting the Ramdisk
Jailbreaking the Filesystem
Installing the Untethering Exploit
Installing the AFC2 Service
Installing Base Utilities
Application Stashing
Bundle Installation
Post-Installation Process
Executing Kernel Payloads and Patches
Kernel State Reparation
Privilege Escalation
Kernel Patching
security.mac.proc_enforce
cs_enforcement_disable (kernel)
cs_enforcement_disable (AMFI)
PE_i_can_has_debugger
vm_map_enter
vm_map_protect
AMFI Binary Trust Cache
Task_for_pid 0
Sandbox Patches
Clearing the Caches
Clean Return
Summary

Baseband Attacks
GSM Basics
Setting up OpenBTS
Hardware Required
OpenBTS Installation and Configuration
Closed Configuration and Asterisk Dialing Rules
RTOSes Underneath the Stacks
Nucleus PLUS
ThreadX
REX/OKL4/Iguana
Heap Implementations
Dynamic Memory in Nucleus PLUS
Byte Pools in ThreadX
The Qualcomm Modem Heap
Vulnerability Analysis
Obtaining and Extracting Baseband Firmware
Loading Firmware Images into IDA Pro
Application/Baseband Processor Interface
Stack Traces and Baseband Core Dumps
Attack Surface
Static Analysis on Binary Code Like it's 1999
Specification-Guided Fuzz Testing
Exploiting the Baseband
A Local Stack Buffer Overflow: AT+XAPP
The ultrasn0w Unlock
An Overflow Exploitable Over the Air
Summary

Appendix References

Index