Behind the Scenes with iOS Security

Recommendations

Info

Cloud Key Vault Escrow record generated on iOS device SRP verifier for iCSC User’s escrow key Maximum failure count
Cloud Key Vault Understanding the design A kind of SEP Data Protection approach for escrow records Vault service private key material not available to mutable software, just like SEP UID key User attempting escrow recovery sends previous escrow record, establishes SRP session Vault unwraps escrow record, SRP with user device against iCSC verifier in the record, return escrow key if successful If SRP fails due to incorrect iCSC, vault unit bumps a secure counter • If maximum failure count (10) is exceeded for the record, record is marked terminal
Page 1 and 2: Behind the Scenes with iOS Security
Page 3 and 4: Component Encryption iOS 10 User da
Page 5 and 6: Hardened WebKit JIT Mapping Backgro
Page 7 and 8: Hardened WebKit JIT Mapping Execute
Page 9 and 10: Hardened WebKit JIT Mapping Tying i
Page 11 and 12: 4. Prevent writing into the executa
Page 13 and 14: iOS 10 - - X R-X RW-
Page 15 and 16: iOS 10 - - X R-X RW- mov x0, #0
Page 17 and 18: iOS 10 - - X R-X RW- mov x0, #0 mov
Page 19 and 20: Data Protection with the Secure En
Page 21 and 22: Data Protection Goals—Sidestep AP
Page 23 and 24: Secure Enclave Processor Overview D
Page 25 and 26: User Keybags Background Sets of key
Page 27 and 28: 00000000 44 41 54 41 00 00 05 ca 56
Page 29 and 30: Filesystem Data Protection Overview
Page 31 and 32: 7) keybagd loads system keybag (cla
Page 33 and 34: Userspace UserEventAgent Darwin loc
Page 35 and 36: Unattended Update—Install Later 1
Page 37 and 38: Data Protection Goals User data pro
Page 39 and 40: Synchronizing Secrets Uses Password
Page 41 and 42: “Humans are incapable of securely
Page 43 and 44: iCloud Keychain Approach Each devic
Page 45 and 46: Synchronizing Secrets Goals—Inspi
Page 47 and 48: Cloud Key Vault Overview HSMs runni
Page 49: Cloud Key Vault HSM keys Key Descri
Page 53 and 54: Cloud Key Vault Club Host HSM Host
Page 55 and 56: Cloud Key Vault Quorum commit Each
Page 57 and 58: Cloud Key Vault Escrow Recovery Tra
Page 63 and 64: Cloud Key Vault Who watches the wat
Page 65 and 66: No.
Page 67 and 68: Physical One-Way Hash Function
Page 69: Cloud Key Vault Final attestation A
Page 72 and 73: Apple Security Bounty
Page 74 and 75: Apple Security Bounty Rewards resea
Page 76 and 77: Apple Security Bounty Payments We r
Page 78 and 79: September
Page 80: TM and © 2016 Apple Inc. All right

Behind the Scenes with iOS Security

Create successful ePaper yourself

Delete template?

Save as template?