Targeting the iOS Kernel - Reverse Engineering Mac OS X
Who am I?
• Stefan Esser
• from Cologne/Germany
• Information Security since 1998
• PHP Core Developer since 2001
• Suhosin / Hardened-PHP 2004
• Month of PHP Bugs 2007 / Month of PHP Security 2010
• ASLR for jailbroken iPhones 2010 / untethered jailbreak for iOS 4.3.1/2
• Head of Research & Development at SektionEins GmbH
Stefan Esser • Targeting the iOS Kernel • April 2011 • 2
Motivation
• iPhone security heavily relies on kernel level protections
• code signing / sandboxing
• NX / ASLR
• public iPhone exploit payloads are very limited in what they can do
• security researchers have relied on the jailbreakers to provide kernel pwnage
• this session is an introduction to finding bugs in the iOS kernel