wen eta jb
play

WEN ETA JB? A 2 million dollars problem Date: 05/06/2019 For: SSTIC - PowerPoint PPT Presentation

Aug 06, 2023 •468 likes •883 views

WEN ETA JB? A 2 million dollars problem Date: 05/06/2019 For: SSTIC Presenters: Eloi Benoist-Vanderbeken, Fabien Perigaud Who are we Eloi Benoist-Vanderbeken Fabien Perigaud @elvanderb @0xf4b Working for Synacktiv: Offensive

  1. WEN ETA JB? A 2 million dollars problem Date: 05/06/2019 For: SSTIC Presenters: Eloi Benoist-Vanderbeken, Fabien Perigaud

  2. Who are we  Eloi Benoist-Vanderbeken  Fabien Perigaud @elvanderb @0xf4b  Working for Synacktiv:  Offensive security company  55 ninjas  3 teams: pentest, reverse engineering, development  4 sites: Paris, Toulouse, Lyon, Rennes  Reverse engineering team coordinator and vice-coordinator  21 reversers  Focus on low level dev, reverse, vulnerability research/exploitation  If there is software in it, we can own it :)  We are hiring! 2 / 40

  3. Introduction

  4. Introduction  More and more interest in iOS security  High demand  High bounties – up to $2 million on Zerodium  More and more security features  Gigacage, S3_4_c15_c2_7, SEP, KTRR, RoRgn, PAC, APRR, PPL, etc.  Often hardware based  Hard to follow for a newcomer  Even if there is more and more public doc on the subject  Typical chain:  Initial code execution zeroclick / one click  LPE  Persistence 4 / 40

  5. Introduction  More and more interest in iOS security  High demand  High bounties – up to $2 million on Zerodium  More and more security features  Gigacage, S3_4_c15_c2_7, SEP, KTRR, RoRgn, PAC, APRR, PPL, etc.  Often hardware based  Hard to follow for a newcomer  Even if there is more and more public doc on the subject  Typical chain:  Initial code execution zeroclick / one click  LPE  Persistence 5 / 40

  6. Browser Exploitation

  7. Browser exploitation 101  Apple Safari  Uses open-source WebKit engine WebCore: rendering engine JavaScriptCore: JavaScript engine  First step: gain arbitrary R/W primitives  Abuse JavaScript objects allowing arbitrary data storage 7 / 40

  8. Browser exploitation 101  Array objects  Pointer to a storage buffer  Length on 32-bits  Arbitrary R/W (should be) easy  Corrupt storage buffer pointer using the vulnerability  Read or Write the content 8 / 40

  9. Gigacage  Enabled for “dangerous” objects  Idea: “encage” the dangerous storage buffers in a 32 GB zone  Size corruption? Still in the gigacage!  Pointer corruption? Still in the gigacage! For all accesses, pointer is masked and added to the gigacage base 9 / 40

  10. Browser exploitation 101 (again)  Second step: execute shellcode  Modern browsers use JIT  JIT page was allocated as RWX  Abuse JIT page!  Execution Howto:  Create function  Make it JIT  Copy shellcode over function code  Profit! (this still works on macOS) 10 / 40

  11. iOS RWX considerations  RWX mapping is forbidden by defaut  In every iOS process  Entitlement dynamic-codesigning  Allows a single RWX mapping mmap(…, MAP_JIT | … , …)  Only granted to Safari 11 / 40

  12. JIT Page protections (< A11)  Separated WX Heaps  JIT Page remapped as RW at a random address  Original JIT Page marked as RX  A jitted function is created in the RX mapping to write to the RW mapping  This function is marked as X-only  A R/W primitive can’t be used alone to write arbitrary code to the JIT Page 12 / 40

  13. JIT Page protections (< A11)  A ROP Chain is required to be able to call jitWriteSeparateHeapsFunction() 13 / 40

  14. JIT Page protections (A11)  New system register S3_4_c15_c2_7  Allows changing permissions on RWX pages atomically  No more separated RX and RW mappings static inline void* performJITMemcpy(void *dst, const void *src, size_t n) { [...] if (useFastPermisionsJITCopy) { os_thread_self_restrict_rwx_to_rw(); memcpy(dst, src, n); os_thread_self_restrict_rwx_to_rx(); return dst; } [...] } 14 / 40

  15. JIT Page protections (>= A11)  PerformJITMemcpy is not exported  Inlined in functions using it  ROP made harder: have to jump in the middle of a function generating JIT code  Bypass still possible through ROP on A11  … but A12 prevents ROP! 15 / 40

  16. PAC (>= A12)  Pointer Authentication Code  Cryptographically sign “dangerous” pointers  Up to 5 different keys depending on pointer type and operation Instruction pointers → Key A and B Data pointers → Key A and B Signature of raw data → Key C  Specific instructions to sign and authenticate pointers  Signatures are context-dependent! 16 / 40

  17. PAC (>= A12)  In userland:  Pointers use 39-bits + 1-bit (for user/kernel pointer distinction)  24 bits can be used for signature  … but only 16 bits are used for userland pointers 17 / 40

  18. PAC (>= A12)  Examples:  PACIA X8, X9 → Sign X8 using Instruction Pointers Key A, with context X9  AUTIB X8, X9 → Authenticate X8 signature using Instruction Pointers Key B, with context X9  BLRAAZ X8 → Branch and Link on X8 after Authentication with Instruction Key A, and a null context 18 / 40

  19. PAC (>= A12)  Consequences  ROP is dead (unless ability to forge B-signed pointers)  Pointers substitution is dead if pointers are signed with a non-null context  Pointers substitution can still be performed if signed with a null context!  In iOS 12.0, JavaScriptCore objects vtables were signed with a null context 19 / 40

  20. PAC (>= A12) – Public attack  Attack from Brandon Azad (Google Project- Zero)  AUT* instructions only set a specific bit in the signature field if authentication is invalid  PAC* instructions only flips a bit after computing the signature if the given pointer is invalid  What happens if an attacker can call a function performing a signature context change? 20 / 40

  21. PAC (>= A12) – Public attack  LDR X10, [X11,#0x30]!  AUTIA X10, X11  PACIZA X10 21 / 40

  22. PAC (>= A12) – Public attack  LDR X10, [X11,#0x30]!  AUTIA X10, X11  PACIZA X10 Invalid signature (attacker-crafted) X10 0x0023fe71cc038fe8 22 / 40

  23. PAC (>= A12) – Public attack  LDR X10, [X11,#0x30]!  AUTIA X10, X11  PACIZA X10 Error code X10 0x40000001cc038fe8 23 / 40

  24. PAC (>= A12) – Public attack  LDR X10, [X11,#0x30]!  AUTIA X10, X11  PACIZA X10 Valid signature with bit 54 flipped X10 0x00f831a1cc038fe8 24 / 40

  25. PAC (>= A12) – Public attack  LDR X10, [X11,#0x30]!  AUTIA X10, X11  PACIZA X10 Valid signature with bit 54 flipped X10 0x00f831a1cc038fe8 Valid signature is retrieved X10 0x00b831a1cc038fe8 25 / 40

  26. PAC (>= A12) – Current state  No real bypass nowadays  Known weaknesses have been fixed by Apple  Only instruction pointers are signed in WebKit for now  In the future:  Gigacage pointers will be replaced by signed data pointers  We can expect more and more signed pointers 26 / 40

  27. Privilege Escalation

  28. Privilege escalation  Goal  To execute arbitrary code  With arbitrary entitlements  Attack surface  User daemons  Kernel extensions (KEXTs)  Kernel  Considerably reduced by the sandbox  More and more actions are restricted  More and more daemons are sandboxed  More and more restrictions on existing profiles 28 / 40

  29. The Sandbox KEXT  Based on MACF framework  Inherited from TrustedBSD  Hooks in the kernel called before sensitive operations  Can also be called via special syscalls  For example by launchd to verify if a process can interact with a daemon  Decisions are based on rules  Written in SandBox Profile Language (SBPL) Scheme-based language  Decide whether an action/a privilege is authorized/granted  Since iOS 10, there is a system-wide sandbox profile  Always evaluated even if the process is already sandboxed 29 / 40

  30. Code signature  Enforced on iOS  Is used to grant entitlements  Root of lots of security mechanisms  Checked by the AppleMobileFileIntegrity (AMFI) KEXT  Two possibilities  Hash of the binary is stored in the kernel (Trust Cache) → platform binaries  Hash is signed by a trusted certificate → 3 rd party apps  Certificate checks are complicated  Delegated to a userland daemon, amfid  Target of choice for years  Apple considerably reduced amfid power over the years  Impossible to fake a platform-binary from amfid  Since iOS12, certificate chain is validated by CoreTrust, a KEXT 30 / 40

  31. Userland daemons  “Easy” target  A “lot” of code is reachable ~120 services from WebKit ~280 from a normal application  Versatile code base  Can be used to reach a less sandboxed context  To later attack an other, more privileged daemon or a KEXT for example  Or to directly get access to sensitive data 31 / 40

  32. Userland daemons – mitigations  Platform binaries (PB)  Have their hashes directly embedded in the kernel Not checked by amfid  Gives special rights and restrictions  All daemons are platform binaries  Mach API hardening  Task ports give complete control over the corresponding task A little bit like process handles on Windows Simplifies a lot the post-exploit steps  Since iOS 10, a non-PB binary cannot use PB task ports 32 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ticagrelor vs Aspirin in Patients undergoing Coronary- Artery Bypass Grafting Herib eribert

Ticagrelor vs Aspirin in Patients undergoing Coronary- Artery Bypass Grafting Herib eribert

The TiCAB Trial Ticagrelor vs Aspirin in Patients undergoing Coronary- Artery Bypass Grafting Herib eribert Schun unker ert, M , MD on behalf of the e TiCAB Investigators TiCAB an investigator initiated trial Sponsor Deutsches

822 views • 26 slides
universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 . Example: Set intersection A B ( function evaluation ) Generate a fair coin toss ( randomized ) Online poker without a dealer ( reactive ) secure

882 views • 48 slides
for General Purpose Processors Zhengrong Wang Prof. Tony Nowatzki 1 Computation &amp; Memory

for General Purpose Processors Zhengrong Wang Prof. Tony Nowatzki 1 Computation &amp; Memory

Stream-based Memory Specialization for General Purpose Processors Zhengrong Wang Prof. Tony Nowatzki 1 Computation &amp; Memory Specialization SIMD Dataflow + + + + + + New ISA abstraction for / certain computation pattern. Core

774 views • 32 slides
Buffer Pools Lecture # 05 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645

Buffer Pools Lecture # 05 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645

Buffer Pools Lecture # 05 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645 Carnegie Mellon Univ. Fall 2018 2 UPCO M IN G DATABASE EVEN TS Relational AI Talk Wednesday Sep 12 th @ 4:00pm GHC 8102 MapD Talk

770 views • 76 slides
BIOS in 2015 Oleksandr Bazhaniuk, Yuriy Bulygin (presenting) , Andrew Furtak , Mikhail Gorobets,

BIOS in 2015 Oleksandr Bazhaniuk, Yuriy Bulygin (presenting) , Andrew Furtak , Mikhail Gorobets,

Attacking and Defending BIOS in 2015 Oleksandr Bazhaniuk, Yuriy Bulygin (presenting) , Andrew Furtak , Mikhail Gorobets, John Loucaides , Alex Matrosov, Mickey Shkatov Advanced Threat Research Agenda State of BIOS/EFI Firmware Security Recent

1.21k views • 98 slides
:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2 Nick Sullivan 3 George Tankersley 4 Filippo Valsorda 4 1 Royal Holloway, University of London 2 University of Waterloo 3 Cloudflare 4 Independent PETS

591 views • 55 slides
Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Spring 2015 :: CSE 502 Computer Architecture Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture Big Picture I-cache Instruction Branch FETCH Flow Predictor

381 views • 19 slides
Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter,

Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter,

Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter, Emmett Witchel, Thomas Anderson 1 Lets build a fast server NoSQL store, Database, File server, Mail server Requirements Small updates (1

1.07k views • 79 slides
4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip

4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip

4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip Fracture Results Onset Refer to Attached Ofirmev Brochure

84 views • 5 slides
Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython

Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython

Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython 2019, Basel, Switzerland Auditing Hooks and Security Transparency for Python Why is SkelSec so sad? @zooba @christianheimes EuroPython 2019, Basel -

845 views • 55 slides
IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay

IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay

IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay ,$George$Prekas,$$ Samuel$Grossman,$Ana$Klimovic,$$ Christos$Kozyrakis,$Edouard$Bugnion$ HW$is$fast,$but$SW$is$a$BoLleneck$ $ $ 64Obyte$TCP$Echo:$

490 views • 24 slides
CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo

CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo

CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo Martin &amp; Amir Roth at the University of Pennsylvania with sources that included University of Wisconsin slides by Mark Hill, Guri Sohi, Jim

818 views • 26 slides
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer rosettaflash.com bitiodine.net Recap what happened last year Summary CSP is mostly used to

591 views • 47 slides
Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer

Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer

Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer Red Hat inc. LinuxCon North America, Aug 2015 1/39 Challenge: 100Gbit/s around the corner Overview Understand 100Gbit/s challenge and time

784 views • 45 slides
Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher at DEVCORE Speaker at Black Hat US/ASIA , DEFCON , HITB , CODEBLUE CTF player (Captain of HITCON CTF team and member of 217 ) Bounty

1.32k views • 103 slides
ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch

ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch

ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch Duke University Slides are derived from work by Andrew Hilton (Duke) and Amir Roth (Penn) Clock Period and CPI Single-cycle datapath Low CPI:

965 views • 60 slides
Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Computer Science 161 Fall 2016 Nicholas Weaver Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver You really really really

944 views • 50 slides
How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University Online Tracking 2 Online Tracking Surge in online

1.11k views • 80 slides
Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang,

Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang,

Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang, Haixin Duan, Nicholas Weaver, Tao Wan, Vern Paxson 1 Multiparty interactions in current Internet Website Transparent Firewall Forward Browser

731 views • 33 slides
NetGAN without GAN: From Random Walks to Low-Rank Approximations Luca Rendsburg, Holger Heidrich,

NetGAN without GAN: From Random Walks to Low-Rank Approximations Luca Rendsburg, Holger Heidrich,

NetGAN without GAN: From Random Walks to Low-Rank Approximations Luca Rendsburg, Holger Heidrich, Ulrike von Luxburg ICML 2020 1 3 Input 1 8 1 4 1 1 5 6 9 1 2 1 7 1 9 } 3 1 } NetGAN: Generating Graphs via Random Walks 1 8

2.88k views • 67 slides
Better Buildings Webinar Series Well be starting in just a few minutes. Tell us What

Better Buildings Webinar Series Well be starting in just a few minutes. Tell us What

Better Buildings Webinar Series Well be starting in just a few minutes. Tell us What topics are you interested in for future webinars? Please send your response to the webinar organizers via the question box. 1 Solutions for Small-

914 views • 47 slides
Computer Systems Research Daniel A. Jimnez Department of Computer Science &amp; Engineering

Computer Systems Research Daniel A. Jimnez Department of Computer Science &amp; Engineering

Machine Learning in Computer Systems Research Daniel A. Jimnez Department of Computer Science &amp; Engineering Texas A&amp;M University What Is This? Improving computer systems with machine learning Computer systems: Architecture /

594 views • 26 slides
rmalloc() and rpipe() a uGNI-based Distributed Remote Memory Allocator and Access Library for

rmalloc() and rpipe() a uGNI-based Distributed Remote Memory Allocator and Access Library for

rmalloc() and rpipe() a uGNI-based Distributed Remote Memory Allocator and Access Library for One-sided Messaging Udayanga Wickramasinghe Andrew Lumsdaine Indiana University Pacific Northwest Na&lt;onal Laboratory Overview

892 views • 46 slides
CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and optimizations] Day7: January 25, 2000 Precise Exceptions ILP intro Caltech CS184b Winter2001 -- DeHon 1 Today Handling Exceptions ILP

392 views • 25 slides

More recommend