Behind the Scenes with iOS Security

Recommendations

Info

Filesystem Data Protection User Kernel SEP open(“foo.txt”, …) 1. Fetch wrapped file_key from metadata HFS Key Store 2. Unwrap file_key using keybag key 4. Send IO command with ephemerally wrapped file_key NVME Driver Clear Text AES Engine 3. Wrap file_key using ephemeral_key, return ephemerally wrapped file_key to kernel Hardware NAND Cipher Text Storage Controller Ephemeral Key established on boot
7) keybagd loads system keybag (class D key available) Userspace 5) launchd mounts user partition 6) launchd starts keybagd keybagd gets prot key from effaceable loads device keybag into SEP 8) decrypts keybag with prot key from effaceable systembag.kb /var/keybags/systembag.kb encrypted with the keybag prot key contains the device keybag 4) decrypt HFS metadata with media key XNU (Kernel) HFS AppleKeyStore SEP endpoint to SKS Effaceable media key keybag prot key Class D 1) kernel boots (system partition) 3) decrypt class D key, load into keyring 2) AppleKeyStore loads D key (before user partition is mounted) 9) keybag loaded into sks memory, class B public loaded into keyring class D SEP UID SKS SEP class D SKS memory master key + SEP UID class A class B (priv) class C SKS keyring class B (public) class D 10) class keys cannot be decrypted until we get the passcode 11) launchd permits userspace to start loading boot
Page 1 and 2: Behind the Scenes with iOS Security
Page 3 and 4: Component Encryption iOS 10 User da
Page 5 and 6: Hardened WebKit JIT Mapping Backgro
Page 7 and 8: Hardened WebKit JIT Mapping Execute
Page 9 and 10: Hardened WebKit JIT Mapping Tying i
Page 11 and 12: 4. Prevent writing into the executa
Page 13 and 14: iOS 10 - - X R-X RW-
Page 15 and 16: iOS 10 - - X R-X RW- mov x0, #0
Page 17 and 18: iOS 10 - - X R-X RW- mov x0, #0 mov
Page 19 and 20: Data Protection with the Secure En
Page 21 and 22: Data Protection Goals—Sidestep AP
Page 23 and 24: Secure Enclave Processor Overview D
Page 25 and 26: User Keybags Background Sets of key
Page 27 and 28: 00000000 44 41 54 41 00 00 05 ca 56
Page 29: Filesystem Data Protection Overview
Page 33 and 34: Userspace UserEventAgent Darwin loc
Page 35 and 36: Unattended Update—Install Later 1
Page 37 and 38: Data Protection Goals User data pro
Page 39 and 40: Synchronizing Secrets Uses Password
Page 41 and 42: “Humans are incapable of securely
Page 43 and 44: iCloud Keychain Approach Each devic
Page 45 and 46: Synchronizing Secrets Goals—Inspi
Page 47 and 48: Cloud Key Vault Overview HSMs runni
Page 49 and 50: Cloud Key Vault HSM keys Key Descri
Page 51 and 52: Cloud Key Vault Understanding the d
Page 53 and 54: Cloud Key Vault Club Host HSM Host
Page 55 and 56: Cloud Key Vault Quorum commit Each
Page 57 and 58: Cloud Key Vault Escrow Recovery Tra
Page 63 and 64: Cloud Key Vault Who watches the wat
Page 65 and 66: No.
Page 67 and 68: Physical One-Way Hash Function
Page 69: Cloud Key Vault Final attestation A
Page 72 and 73: Apple Security Bounty
Page 74 and 75: Apple Security Bounty Rewards resea
Page 76 and 77: Apple Security Bounty Payments We r
Page 78 and 79: September
Page 80:
TM and © 2016 Apple Inc. All right
show all

Behind the Scenes with iOS Security

Create successful ePaper yourself

Delete template?

Save as template?