Behind the Scenes with iOS Security

Recommendations

Info

void initializeSeparatedWXHeaps(void* stubBase, size_t stubSize, void* jitBase, size_t jitSize) { mach_vm_address_t writableAddr = 0; // 1. Create a second mapping of the JIT region at a random address. vm_prot_t cur, max; kern_return_t ret = mach_vm_remap(mach_task_self(), &writableAddr, jitSize, 0, VM_FLAGS_ANYWHERE | VM_FLAGS_RANDOM_ADDR, mach_task_self(), (mach_vm_address_t)jitBase, FALSE, &cur, &max, VM_INHERIT_DEFAULT); bool remapSucceeded = (ret == KERN_SUCCESS); if (!remapSucceeded) return; // 2. Assemble specialized memcpy function for writing into the JIT region. MacroAssemblerCodeRef writeThunk = jitWriteThunkGenerator(reinterpret_cast(writableAddr), stubBase, stubSize); int result = 0; #if USE(EXECUTE_ONLY_JIT_WRITE_FUNCTION) // 3. Prevent reading the memcpy code we just generated. result = mprotect(stubBase, stubSize, VM_PROT_EXECUTE_ONLY); RELEASE_ASSERT(!result); #endif
4. Prevent writing into the executable JIT mapping. result = mprotect(jitBase, jitSize, VM_PROT_READ | VM_PROT_EXECUTE); RELEASE_ASSERT(!result); // 5. Prevent execution in the writable JIT mapping. result = mprotect((void*)writableAddr, jitSize, VM_PROT_READ | VM_PROT_WRITE); RELEASE_ASSERT(!result); // 6. Zero out writableAddr to avoid leaking the address of the writable mapping. memset_s(&writableAddr, sizeof(writableAddr), 0, sizeof(writableAddr)); jitWriteFunction = reinterpret_cast(writeThunk.code().executableAddress()); }
Page 1 and 2: Behind the Scenes with iOS Security
Page 3 and 4: Component Encryption iOS 10 User da
Page 5 and 6: Hardened WebKit JIT Mapping Backgro
Page 7 and 8: Hardened WebKit JIT Mapping Execute
Page 9: Hardened WebKit JIT Mapping Tying i
Page 13 and 14: iOS 10 - - X R-X RW-
Page 15 and 16: iOS 10 - - X R-X RW- mov x0, #0
Page 17 and 18: iOS 10 - - X R-X RW- mov x0, #0 mov
Page 19 and 20: Data Protection with the Secure En
Page 21 and 22: Data Protection Goals—Sidestep AP
Page 23 and 24: Secure Enclave Processor Overview D
Page 25 and 26: User Keybags Background Sets of key
Page 27 and 28: 00000000 44 41 54 41 00 00 05 ca 56
Page 29 and 30: Filesystem Data Protection Overview
Page 31 and 32: 7) keybagd loads system keybag (cla
Page 33 and 34: Userspace UserEventAgent Darwin loc
Page 35 and 36: Unattended Update—Install Later 1
Page 37 and 38: Data Protection Goals User data pro
Page 39 and 40: Synchronizing Secrets Uses Password
Page 41 and 42: “Humans are incapable of securely
Page 43 and 44: iCloud Keychain Approach Each devic
Page 45 and 46: Synchronizing Secrets Goals—Inspi
Page 47 and 48: Cloud Key Vault Overview HSMs runni
Page 49 and 50: Cloud Key Vault HSM keys Key Descri
Page 51 and 52: Cloud Key Vault Understanding the d
Page 53 and 54: Cloud Key Vault Club Host HSM Host
Page 55 and 56: Cloud Key Vault Quorum commit Each
Page 57 and 58: Cloud Key Vault Escrow Recovery Tra
Page 59 and 60: Cloud Key Vault Escrow Recovery Tra
Page 61 and 62:
Cloud Key Vault Escrow Recovery Tra
Page 63 and 64:
Cloud Key Vault Who watches the wat
Page 65 and 66:
No.
Page 67 and 68:
Physical One-Way Hash Function
Page 69:
Cloud Key Vault Final attestation A
Page 72 and 73:
Apple Security Bounty
Page 74 and 75:
Apple Security Bounty Rewards resea
Page 76 and 77:
Apple Security Bounty Payments We r
Page 78 and 79:
September
Page 80:
TM and © 2016 Apple Inc. All right
show all

Behind the Scenes with iOS Security

Create successful ePaper yourself

Delete template?

Save as template?