revisiting ios kernel in security attacking the early
play

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG - PowerPoint PPT Presentation

Sep 20, 2022 •472 likes •1.24k views

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

  1. Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool

  2. About Me • Senior Security Researcher at Azimuth Security • Master’s degree in Information Security • Interested in operating system security and mitigation technology • Recent focus on mobile device security ▫ iOS 6 Kernel Security: A Hacker’s Guide • Occasionally blog on security topics ▫ http://blog.azimuthsecurity.com

  3. Introduction • Several new kernel mitigations introduced in iOS 6 and OS X Mountain Lion ▫ Stack and heap cookies ▫ Memory layout randomization ▫ Pointer obfuscation • Require random (non-predictable) data generated at boot time ▫ Introduced the early random PRNG

  4. Early Random PRNG • Boot time pseudorandom number generator ▫ Intended for use before the kernel entropy pool is available • Primarily designed to support kernel level mitigations ▫ Also used to seed the Yarrow PRNG • Platform dependent ▫ Implemented differently in OS X and iOS

  5. Robustness • Strength of deployed mitigations depend on the robustness of the early random PRNG ▫ Must provide sufficient entropy ▫ Must produce non-predictable output • iOS 6 implementation had some notable flaws ▫ E.g. suffered from time correlation issues • iOS 7 attempts to resolve these issues ▫ Leverages an entirely new generator

  6. Talk Outline • Part 1: Early Random PRNG ▫ iOS and OS X differences ▫ Seed generation (iOS) ▫ Improvements made in iOS 7 • Part 2: PRNG Analysis ▫ Weaknesses ▫ Attacks ▫ Remedies

  7. Recommended Reading • Black-Box Assessment of Pseudorandom Algorithms ▫ Derek Soeder et al., BH USA 2013 • PRNG: Pwning Random Number Generators ▫ George Argyros, Aggelos Kiayias, BH USA 2012 • iOS 6 Kernel Security: A Hacker’s Guide ▫ Mark Dowd, Tarjei Mandt, HitB KL 2012

  8. Revisiting iOS Kernel (In)Security

  9. Early Random PRNG • Two platform specific versions ▫ Mac OS X (Intel) ▫ iOS (ARM/ARM64) • Primarily relies on entropy from low-level components ▫ CPU clock information ▫ Hardware embedded RNG

  10. Early Random in OS X • Returns the output from RDRAND if available ▫ Intel Ivy Bridge and later • Otherwise derives a value from the time stamp counter and KASLR entropy ▫ Distributes the lower order bits (more random) ▫ Successive outputs are well-correlated • Provided in the XNU source ▫ osfmk/x86_64/machine_routines_asm.s

  11. Early Random in OS X CPUID ¡(EAX=1) ¡and ¡ early_random( ¡) check ¡processor ¡ feature ¡bit ¡30 ¡in ¡ECX RDRAND ¡ Execute ¡ Yes supported? RDRAND Returns ¡a ¡random ¡64-­‑ bit ¡value ¡in ¡RAX Return No Execute ¡ Distribute ¡low ¡ Incorporate ¡KASLR ¡ Rotate ¡high ¡ RDTSC order ¡bits entropy order ¡bits Returns ¡current ¡ Rotate ¡constant ¡ XORs ¡lower ¡bits ¡with ¡ Leverages ¡lower ¡8 ¡bits ¡ processor ¡tick ¡count ¡ retrieved ¡from ¡lower ¡ higher ¡bits of ¡KASLR ¡entropy in ¡EAX:EDX bits

  12. Early Random in iOS • No hardware embedded RNG ▫ Output derived from CPU clock counter • Two different implementations ▫ iOS 6: initial version ▫ iOS 7: improved version • Leverages a seed generated by iBoot ▫ Provided to the kernel via the I/O device tree ▫ IODeviceTree:/chosen/random-seed

  13. Seed Generation • iBoot implements its own random data generator ▫ Used to generate the early random seed • Also used to support other tasks ▫ Boot nonce generation ▫ KASLR slide offset calculation • Comprises two major components ▫ Entropy accumulator ▫ Output generator

  14. Entropy Accumulator • Gathers source entropy from CPU clock information ▫ Reads clock counter in physical memory ▫ E.g. 0x20E101020 on S5L8960X (Apple A7) • Generates a 32-bit value ▫ Reads lowest bit of clock value ▫ Loops ‘remaining number of bits’ times between each read ▫ Repeats until 32 bits read

  15. Entropy Accumulator Start Yes Read ¡ Left ¡shift ¡ OR ¡lowest ¡bit ¡ Spin ¡cycles CPU ¡clock ¡ More ¡bits? (previous) ¡result into ¡result counter No Requests ¡32 ¡bits ¡ in ¡total Loops ¡‘remaining ¡ Accessed ¡via ¡address ¡ Return number ¡of ¡bits’ ¡times in ¡physical ¡memory

  16. Output Generator • Computes a SHA-1 hash over a stream of gathered entropy ▫ 64-bit (e.g. iPhone 5S): 4000 bytes ▫ 32-bit (e.g. iPhone 4): 9600 bytes • Outputs the requested number of bytes from the hash itself ▫ 20 bytes per hash • Generates additional hashes if needed ▫ Gathers new entropy and repeats the process

  17. iBoot Random Data Generator iBoot_GetRandomBytes( ¡) Has ¡remaining ¡ Accumulate ¡ No hash ¡bytes? entropy Returns ¡a ¡32-­‑bit ¡value ¡ each ¡round Yes Copy ¡out ¡ Compute ¡SHA-­‑1 ¡ Yes hash ¡bytes hash More ¡bytes ¡ No Return needed?

  18. Early Random in iOS 6 • Similar to the OS X implementation • Output derived from the current Mach absolute time ▫ Platform dependent processor tick counter • Attempts to address weak entropy in higher order bits ▫ Mixes lower order (less predictable) with higher order bits • Leverages a 2-byte seed

  19. Early Random in iOS 6 – Overview Get ¡CPU ¡ early_random( ¡) tick ¡count Returns ¡a ¡64-­‑bit ¡ timestamp Seeded? Yes Return No Obtain ¡seed ¡ Distribute ¡low ¡ Incorporate ¡seed ¡ Rotate ¡high ¡ value order ¡bits entropy order ¡bits Rotate ¡constant ¡ Retrieves ¡2-­‑byte ¡value ¡ ¡ XORs ¡lower ¡bits ¡with ¡ Leverages ¡lower ¡8 ¡bits ¡ retrieved ¡from ¡lower ¡ from ¡IODeviceTree higher ¡bits of ¡seed ¡byte bits

  20. Early Random in iOS 6 – Issues • Successive outputs are well-correlated ▫ Poor entropy source ▫ Highly sensitive to time of generation • Poor use of seed data ▫ Only one (lower) byte is used ▫ Seed only affects higher 32 bits of output ▫ E.g. rarely used on 32-bit devices

  21. Early Random in iOS 6 – Issues /* * Initialize backup pointer random cookie for poisoned elements * Try not to call early_random() back to back, it may return * the same value if mach_absolute_time doesn't have sufficient time * to tick over between calls. <rdar://problem/11597395> * (This is only a problem on embedded devices) */ zp_init() [ osfmk/kern/zalloc.c ] #if MACH_ASSERT if (zp_poisoned_cookie == zp_nopoison_cookie) panic("early_random() is broken: %p and %p are not random\n", (void *) zp_poisoned_cookie, (void *) zp_nopoison_cookie); #endif

  22. Early Random in iOS 7 • Attempts to address the inherent weaknesses of early random in iOS 6 ▫ Avoids time-based correlation issues • Output derived from the initial seed ▫ Seed extended to 8 bytes in iOS 7.0.3 and later • Leverages a linear congruential generator ▫ Algorithm for generating a sequence of pseudorandom numbers

  23. Early Random in iOS 7 – Overview early_random( ¡) No Seeded? Return IODeviceTree:/ Collect ¡seed ¡ chosen/random-­‑seed entropy Yes Set ¡initial ¡ Process ¡LCG Construct ¡output LCG ¡state <= ¡iOS ¡7.0.2: ¡2 ¡bytes Records ¡output ¡from ¡ ¡ Concatenates ¡four ¡ >= ¡iOS ¡7.0.3: ¡8 ¡bytes four ¡LCG ¡rounds 16-­‑bit ¡LCG ¡outputs

  24. Linear Congruential Generator • In an LCG, the next pseudorandom number is generated from the current one such that ▫ x n+1 = ( ax n + c ) mod m • Where x is the sequence of pseudorandom values, and ▫ m = modulus and m > 0 ▫ a = the multiplier and 0 < a < m ▫ c = the increment and 0 <= c < m ▫ x 0 = the starting seed value and 0 <= x 0 < m

  25. Period • An LCG’s period is defined as the longest non- repeating sequence of output numbers ▫ Should ideally be as large as possible • When c ≠ 0, the maximum period m is only possible if ▫ 1. c and m are relatively prime ▫ 2. a – 1 is divisible by all prime factors of m ▫ 3. a – 1 is a multiple of 4 if m is a multiple of 4

  26. LCG Parameters • Early random in iOS 7 implements a mixed linear congruential generator ▫ Non-zero increment • LCG parameters are similar to ANSI C rand() ▫ Multiplier (a): 1103515245 ▫ Increment (c): 12345 ▫ Modulus (m): 2 64 • Seed used as initial state x 0

  27. Deriving Output • Derives output by leveraging information from four successive states ( x n … x n+3 ) • Each state produces 16 bits of the output ▫ Discards the lower 3 bits of each state ▫ Outputs the remaining lower 16 bits • Full output (64-bit) generated by concatenating the retrieved outputs ▫ ( x n-3 >> 3 ) & 0xffff || ( x n-2 >> 3 ) & 0xffff || ( x n-1 >> 3 ) & 0xffff || ( x n >> 3 ) & 0xffff

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics &amp; MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab louis@pentesterlab.com About me Security Engineer Pentester/Code Reviewer/Security consultant/Security architect/IANAC Run a website to help people learn security

1.28k views • 79 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions

Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions

Presenting a live 90-minute webinar with interactive Q&amp;A Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions TUESDAY, MARCH 29, 2016 1pm Eastern | 12pm Central | 11am Mountain |

532 views • 51 slides
Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own

1.29k views • 54 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK &amp; &amp; ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Importance of checking every step of the process Simple ways to defend against this attack Data from an analysis of

368 views • 19 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone @uffeux Principal Consultant @ NCC Group Focus on hardware and embedded systems security Previously: 10 years product security @

1.41k views • 54 slides
Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF &amp; Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

238 views • 13 slides
PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst, Oracle + NetSuite Agenda Basic intro No assembly required No malware (de)obfuscation magic How does the OS look inside?

847 views • 57 slides
ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit

ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit

ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit Kartik Mohanram Non-Volatile Memories Workshop March 12, 2018 San Diego, CA Electrical and Computer Engineering University of Pittsburgh

971 views • 50 slides
Graph Analytics on Massively Parallel Processing Databases Frank McQuillan Feb 2017 MPP

Graph Analytics on Massively Parallel Processing Databases Frank McQuillan Feb 2017 MPP

Graph Analytics on Massively Parallel Processing Databases Frank McQuillan Feb 2017 MPP databases effective for graph analytics at scale in the enterprise 2 Database Engine Popularity http://db-engines.com/en/ranking 3 Graph Engine Trends

583 views • 46 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
A Sentence is a Sentence is a Sentence? Zarah Weiss Introduction Parallels and Differences

A Sentence is a Sentence is a Sentence? Zarah Weiss Introduction Parallels and Differences

Segmenting Oral and Historical Language Data A Sentence is a Sentence is a Sentence? Zarah Weiss Introduction Parallels and Differences between the Defining Sentences Written Language Bias Segmentation of Oral and Historical Defining

1.44k views • 110 slides
Yongdae Kim KAIST Admin q Student Information Survey https://goo.gl/forms/VnjAyN5N1bmswLNP2 q

Yongdae Kim KAIST Admin q Student Information Survey https://goo.gl/forms/VnjAyN5N1bmswLNP2 q

EE817/IS893 Blockchain and Cryptocurrency Peer-to-Peer Systems Yongdae Kim KAIST Admin q Student Information Survey https://goo.gl/forms/VnjAyN5N1bmswLNP2 q Paper Presentation Survey https://goo.gl/forms/pGhbDPJqBr4MNff92 q Paper

393 views • 24 slides
Attacking a Big Data Developer Dr. Olaf Flebbe of t oflebbe.de ApacheCon Bigdata Europe

Attacking a Big Data Developer Dr. Olaf Flebbe of t oflebbe.de ApacheCon Bigdata Europe

Attacking a Big Data Developer Dr. Olaf Flebbe of t oflebbe.de ApacheCon Bigdata Europe 16.Nov.2016 Seville About me PhD in computational physics Former projects: Minix68k (68k FP Emulation), Linux libm.so.5 (High Precision FP), perl and

1.12k views • 56 slides
IC ICL Evangelism lism and Disc iscip iple lesh ship ip Timothy R. Valentino What is the

IC ICL Evangelism lism and Disc iscip iple lesh ship ip Timothy R. Valentino What is the

IC ICL Evangelism lism and Disc iscip iple lesh ship ip Timothy R. Valentino What is the gospel? We will endeavor to start answering this question over the next two weeks. Resources: Handout: Clarifying the Gospel A

1.02k views • 41 slides

More recommend