<i>35C3 preroll music</i>

Herald-Angel: All right, let's start with
our next talk in the security track of the

chaos communication congress. The talk is
called jailbreaking iOS from past to

present. Done by tihmstar. He spoke at the
32nd C3 already and researched on several

jailbreaks like the Phoenix or the
jelbrekTime for the Apple Watch and he's

gonna talk about the history of
jailbreaks. He's going to familiarize you

with the terminology of jailbreaking and
about exploit mitigations and how you can

circumvent these mitigations. Please
welcome him with a huge round of applause.

<i>Applause</i>

tihmstar: Thank you very much. So hello
room, I'm tihmstar, and as already said I

want to talk about jailbreaking iOS from
past to present and the topics I'm going

to cover "what is jailbreaking?". I will
give an overview in general. I'm going to

introduce you to how jailbreak started,
how they got into the phone at first and

how all of these progressed. I'll
introduce you to the terminology which is

"tethered", "untethered", "semi-tethered",
"semi-untethered" jailbreaks. Stuff you

probably heard but some of you don't know
what that means. I'm gonna talk a bit

about hardware mitigations which were
introduced by Apple which is KPP, KTRR and

a little bit about PAC. I'm going to talk
about the general goals of... About the

technical goals of jailbreaking and the
kernel patches and what you want to do

with those and brief overview how
jailbreaking could look like in the future.

So who am I? I'm tihmstar. I got
my first iPod touch with iOS 5.1 and since

then I pretty much played with jailbreaks
and then I got really interested into that

and started doing my own research. I
eventually started doing my own

jailbreaks. I kinda started with
downgrading – so I've been here two years

ago with my presentation "iOS Downgrading:
From past to present". I kept hacking

since then. So back then I kind of talked
about the projects I made and related to

downgrading which was tsschecker,
futurerestore, img4tool, you probably have

heard of that. And since then I was
working on several jailbreaking tools

ranging from iOS 8.4.1 to 10.3.3, among
those 32bit jailbreaks, untethered

jailbreaks, remote jailbreaks like
jailbreak.me and the jailbreak for the

Apple Watch. So, what is this jailbreaking
I am talking about? Basically, the goal is

to get control over a device you own. You
want to escape the sandbox which the apps

are put in. You want to elevate the
privileges to root and eventually to

kernel, you want to disable code signing
because all applications on iOS are code-

signed and you cannot run unsigned
binaries. You pretty much want to disable

that to run unsigned binaries. And the
most popular about people on jailbreak is

to install tweaks! And also a lot of
people install a jailbreak or jailbreak

their devices for doing security analysis.
For example if you want to pentest your

application and see how an attack goes
foot – you want to debug that stuff and

you want to have a jailbroken phone for
that. So what are these tweaks? Tweaks are

usually modifications of built-in
userspace programs, for example one of the

programs is springboard. Springboard is
what you see if you turn on your phone.

This is where all the icons are at. And
usually you can install tweaks to, I don't

know, modify the look, the behavior or add
functionality, just this customization,

this is how it started with jailbreaking.
What is usually bundled when you install a

jailbreak is Cydia. So you install dpkg
and apt which is the Debian package

manager and you also get Cydia which is a
user-friendly graphical user interface for

the decentralized or centralized package
installer system. I'm saying centralized

because it is pretty much all in one spot,
you just open the app and you can get all

your tweaks and it's also decentralized
because you can just add up your own repo,

you can make your own repo, you can add
other repos and you're not kinda tied to

one spot where you get the tweaks from, 
like from the App Store you can only download

from the App Store. But with Cydia you can
pretty much download from everywhere.

You're probably familiar with Debian and
it's pretty much the same. So this talk is

pretty much structured around this tweet:
the "Ages of jailbreaking". So as you can

see we get the Golden Age, the BootRom,
the Industrial Age and The Post-

Apocalyptic age. And I kind of agree with
that. So this is why I decided to

structure my talk around that and walk you
through the different ages of

jailbreaking. So starting with the first
iPhone OS jailbreak – then it was actually

called iPhone OS not iOS – it was not the
BootROM yet. So the first was a buffer

overflow and the iPhone's libTitt library.
And this is an image parsing library.

It was exploited through Safari and used as
an entry point to get code execution.

It was the first time that non-Apple software
was run on an iPhone and people installed

applications like Installer or AppTapp
which were stores similar to Cydia back

then and those were used to install apps
or games because for the first iPhone OS

there was no way to install applications
anyhow, as the App Store got introduced

with iOS 2. So then, going to the Golden
Age, the attention kind of shifted to the

BootROM; people started looking at the
boot process and they found this device

firmware upgrade mode which is a part of
ROM. So the most famous BootROM exploit

was limera1n by geohot. It was a bug in
hardware and it was unpatchable with

software. So this bug was used to
jailbreak devices up to the iPhone 4.

There were also several other jailbreaks –
we didn't rely on that one – but this one,

once discovered, you can use it over and
over again and there's no way to patch

that. So this was later patched in a new
hardware revision which is the iPhone 4s.

So with that BootROM bug –

This is how kind of tethered jailbreaks
became a thing. So limera1n exploits a bug

in DFU mode which allows you to load
unsigned software through USB. However

when you reboot the device a computer was
required to re-exploit and again load your

unsigned code. And then load the
bootloaders, load the patched kernel and

thus the jailbreak was kind of tethered to
the computer because whenever you shut

down you need to be back at a computer to
boot your phone up. So historically a

tethered jailbroken phone does not boot
without a computer at all. And the reason

for that is because the jailbreaks would
modify the kernel and the bootloaders on

the file system for performance reasons,
so when you do the actual tether boot you

would need to upload a very tiny payload
via USB which then in turn would load

everything else from the file system
itself. But this results in a broken chain

of trust. When the normal boot process
runs and the bootloader checks the

signature of the first-stage bootloader
that would be invalid so the bootloader

would refuse to boot that and it would end
up in DFU mode so basically a phone won't

boot. Sometime around then, the idea for
semi-tethered jailbreak came up and the

idea behind that is very simple: just
don't break the chain of trust for

tethered jailbreaks. So, what you would do
differently is you do not modify the

kernel on the file system, don't touch the
bootloaders at all and then when you

would boot tethered, you would need to
upload all the bootloaders like the first

stage bootloader, then the second stage
bootloader which is iBoot and then the

kernel via USB to boot into jailbroken
mode. However when you reboot you could

boot all those components from the file
system so you could actually boot your

phone into non-jailbroken mode. If you
don't install any tweaks or modifications

which modify critical system components
because if you tamper with, for example,

the signature of the mount binary the
system obviously cannot boot

in non-jailbroken mode.

So, this is kind of the Golden age. 
So let's continue with the Industrial age.

So with the release of the
iPhone 4s and iOS 5, Apple fixed the

BootROM bug and essentially killed
limera1n. They also introduced APTickets

and nonces to bootloaders, which I'm just
mentioning because it's kind of a

throwback for downgrading: before that you
can have a phone if you update to the

latest firmware and before you save your
SHSH blobs you could just downgrade and

then jailbreak again which wasn't a big
deal but with that they also added

downgrade protection so jailbreaking
became harder. If you wanted to know more

about how the boot process works, what
SHSH blobs are, what APTickets are, you

should check out my talk from two years
ago, I go in-depth on how all of that

works. So, I'm skipping that for this
talk. So the binaries the phone boots are

encrypted so the bootloaders are encrypted
and until recently the kernel used to be

encrypted as well. And the key encryption
key is fused into the devices and it is

impossible to get through hardware
attacks. At least there's no public case

where somebody actually got that recovered
at keys so it's probably impossible,

nobody has done it yet. So old boot files
are decrypted at boot by the previous

bootloader. And before the iPhone 4s you
could actually just talk to the hardware

iOS engine as soon as you got kernel-level
code execution. But with the iPhone 4s

they introduced a feature where before the
kernel would boot they would shut off the

iOS engine by hardware, so there is no way
to decrypt bootloader files anymore so

easily unless you got code execution in
the bootloader itself. So decrypting

bootloaders is a struggle from now on. So
I think kind of because of that the

attention shifted to userland and from now
the jailbreaks kind of had to be

untethered. So untethered here means that
if you jailbreak your device, you turn it

off, you boot it again, then the device is
still jailbroken, and this is usually

achieved through re-exploitation at some
point in the boot process. So you can't

just patch the kernel on file system
because that would invalidate signatures,

so instead you would, I don't know, add
some configuration files to some demons

which would trigger bugs and then exploit.
So jailbreaks then chained many bugs

together, sometimes six or more bugs to 
get initial code execution, kernel code

execution and persistence. This somewhat
changed when Apple introduced free

developer accounts around the time they
released iOS 9. So these developer

accounts allow everybody who has an Apple
ID to get a valid signing certificate for

seven days for free. So you can actually
create an XCode project and run your app

on your physical device. Before that that
was not possible, so the only way to run

your own code on your device was to buy a
paid developer account which is 100$ per

year if you a buy personal developer
account. But now you can just get that for

free. And after seven days the certificate
expires, but you can just, for free,

request another one and keep doing that.
Which is totally enough if you develop

apps. So this kind of led to semi-
untethered jailbreaks because initial code

execution was not an issue anymore.
Anybody could just get that free

certificate, sign apps and run some kind
of code that was sandboxed. So jailbreak

focus shifted to more powerful kernel bugs
which were reachable from sandbox. So we

had jailbreaks using just one single bug
or maybe just two bugs and the jailbreaks

then were distributed as an IPA, which is
an installable app people would download,

sign themselves, put on the phone and just
run the app. So semi-untethered means

you can reboot into non-jailbroken mode,
however you can get to jailbroken mode

easily by just pressing an app. And over
the years Apple stepped up its game

constantly. So with iOS 5 they introduced
ASLR address space layer randomisation,

with iOS 6 they added kernel ASLR, with
the introduction of the iPhone 5, as they

added 64bit CPUs, which isn't really a
security mitigation, it just changed a bit

how you would exploit. So the real deal
started to come with iOS 9, where they

first introduced Kernel Patch Protection,
an attempt to make the kernel immutable

and not patchable. And they stepped up that 
with the iPhone 7 where they introduced

Kernel Text Readonly Region, also known as
KTRR. So with iOS 11 they removed 32bit

libraries, which I think has very little
to no impact on exploitation; it's mainly

in the list because up to that point Cydia
was compiled as a 32bit binary and that

stopped working, that's why that had to be
recompiled for 64bit, which took someone

to do until you could get a working Cydia
on 64bits iOS 11. So with the iPhone Xs

which came out just recently they
introduced Pointer Authentication Codes,

and I'm gonna go more in detail into these
hardware mitigations in the next few

slides. So let's start with Kernel Patch
Protection. So when people say KPP, they

usually refer to what Apple calls
watchtower. So watchtower, as the name

suggests, watches over the kernel and
panics when modifications are detected,

and it prevents the kernel from being
patched. At least that's the idea of it.

It doesn't really prevent it because it's
broken but when they engineered it, it

should prevent you from patching the
kernel. So how does it work? Watchtower is

a piece of software which runs in EL3
which is the ARM exception level 3.

So exception levels are kind of privilege
separations while 3 is the highest and 0

is the lowest. And you can kind of trigger
an exception to call handler code in

higher levels. So the idea of watchtowers
that recurring events which is FPU usage

trigger Watchtower inspection of the
kernel, and you cannot really turn it off

because you do need the FPU. So if you
picture how it looks like, we have the

Watchtower to the left (which totally
looks like a lighthouse) and the

applications at the right. So in the
middle, in EL1, we have the kernel and

recent studies revealed that this is
exactly how the XNU kernel looks like. So

how can we be worse? An event occurs from
time to time which is from using userland

application, for example JavaScript makes
heavy use of floating points, and the

event would then go to the kernel and the
kernel would then trigger Watchtower as it

tries to enable the FPU. Watchtower would
scan the kernel and then if everything is

fine it would transition execution back
into the kernel which then in turn would

transition back into userspace which can
then use the FPU. However with a modified

kernel, when Watchtower scans the kernel
and detects modification, it would just

panic. So the idea is that the kernel is
forced to call Watchtower because the FPU

is blocked otherwise. But the problem at
the same time is that the kernel is in

control before it calls watchtower. And
this thing was fully defeated by qwerty in

yalu102. So how qwerty's KPP bypass works:
The idea is: you copy the kernel in memory

and you mody the copied kernel. Then you
would modify the page tables to use the

patched kernel. And whenever the FPU
triggers a Watchtower inspection, before

actually calling Watchtower you would
switch back to the unmodified kernel and

then let it run, let it check the
unmodified kernel when that returns you

would go back to the modified kernel. So
this one it looks like: we copy the kernel

in memory, we patch the modified copy, we
switch the page tables to actually use the

modified copy and when we have the FPU
event it would just switch the page tables

back, forward the call to Watchtower, make
then watch tower scan the unmodified

kernel and after the scan we would just
return to the patched kernel. So the

problem here is: Time of check – Time of
Use, the classical TOCTOU. And this works

on the iPhone 5s, the iPhone 6 and the
iPhone 6s and it's not really patchable.

However, with the iPhone 7, Apple
introduced KTRR, which kind of proves that

and they really managed to do an
unpatchable kernel. So how does KTRR work?

So Kernel Text Readonly Region, I'm going
to present as described by Siguza in his

blog, adds an extra memory controller
which is the AMCC which traps all writes to

the read-only region. And there's extra CPU
registers which mark and executable range

which are the KTRR registers and they
obviously mark a subsection of the

read-only region, so you have hardware
enforcement at boot time for read-only

memory region and hardware enforcement at
boot-time for an executable memory region.

So this the CPU. This is the memory at the
bottom. You would set the read-only region

at boot and since that's enforced by the
hardware memory controller everything

inside that region is not writable and
everything outside that region is

writable. And the CPU got KTRR registers
which mark begin and end. So the

executable region is a subsection of the
read-only region. Everything outside there

cannot be executed by the CPU. Everything
inside the read-only region cannot be

modified. And this has not been truly
bypassed yet. There's been a bypass but

that actually targeted how that thing gets
set up. But that's fakes and now it's

probably setting up everything and so far
it hasn't been bypassed. So jailbreaks are

still around. So what are they doing?
Well, they just walk around kernel patches

and this is when KPP jailbreaks evolved. 
Which means, they just don't patch

the kernel. But before we dive into that,
let's take a look what previous jailbreaks

actually did patch in the kernel. So the
general goals are to disable code signing

to disable the sandbox to make the root
file system writable to somehow make

tweaks work which involves making mobile
substrate or libsubstitute work which is

the library for hooking. And I was about
to make a list of kernel patches which you

could simply apply, however, the
techniques and patches vary across

individual jailbreaks so much that I
couldn't even come up with the list of

kernel patches among the different
jailbreaks I worked on. So there's no

general set of patches, some prefer to do
it that way, some prefer to do it that

way. So instead of doing a kind of full
list, I'll just show you what the Helix

jailbreak does patch. So the Helix
jailbreak first patches the

i_can_has_debugger, which is a boot arc.
It's a variable in the kernel and if you

set that to true that would relax the
sandbox. So to relax the sandbox or to

disable code signing usually involves
multiple steps. Also since iOS 7 you need

to patch mount because there's actual
hardcoded that the root filesystem cannot

be mounted as read-write. Since iOS 10.3,
there is also hardcoded that you cannot

mount the root filesystem without the
nosuid flag, so you probably want to patch

that out as well. And then if you patch
both these you can remount the root

filesystem as read-and-write, however you
cannot actually write to the files on the

root filesystem unless you patch Light-
Weight Volume Manager which you also only

need to do in iOS 9 up to iOS 10.3. Later
when they switched to APFS you don't

actually need that anymore. Also there's a
variable called proc_enforce. You set that

to 0 to disable code signing which is one
of the things you need to do to disable

code signing. Another flag is
cs_enforcement_disable, set that to 1 to

disable code signing. So amfi, which is
Apple mobile file integrity is a kext which

handles the code signing checks. In that 
kext it imports the mem-copy function.

So there's a stub and one of the patches
is to patch that stub to always return 0

by some simple gadget. So what this does
is, whenever it compares something in a

code, it would just always compare… say
that the compare succeeds and is equal.

I'm not entirely sure what it does,
so this patch dates back to Yalu

but like just supplying that patch helps

killing code signing, so that's why it's
in there. Another thing h3lix does is, it

adds the get-task-allow entitlement to
every process and this is for allowing

read/ write/executable mappings and this
is what you want for a mobile substrate

tweaks. So initially this entitlement 
is used for debugging because

there you also need to be able to modify
code at runtime for setting breakpoints

while we use it for getting tweaks to
work. Since iOS 10.3 there's... h3lix also

patches label_update_execve patch...
label_update_execve function. So the idea

of that patch was to fix the "process-exec
denied while updating label" error message

in Cydia and several other processes. Well
that seems to completely nuke the sandbox

and also break sandbox containers so this
is also the reason why if you're

jailbreaking with h3lix apps would save
their data in the global directory instead

of their sandbox containers. And you also
kill a bunch of checks in

map_ops_policy... mac_policy_ops to relax
the sandbox. So if you want to check out

how that works yourself, unfortunately
h3lix itself is not open-source and I've

no plans of open-sourcing that. But
there's two very very closely related

projects which are open-source which is
doubleH3lix – this is pretty much exactly

the same but for 64 bit devices which
does include the KPP bypass, so it also

patches the kernel – and jelbrekTime,
which is the watchOS jailbreak. But h3lix

is for iOS 10 and the watchOS jailbreak is
kind of the iOS 11 equivalent but it

shares like most of the code. So most of
the patch code is the same if you want to

check that out. Check these out. So,
KPPless jailbreaks. So the idea is, don't

patch the kernel code but instead patch
the data. So for an example we go for

remounting root file system. We know we
have hardcoded checks which forbid us to

mount the root file system read/write. But
what we can do is in the kernel there's

this structure representing the root file
system and we can patch that structure

removing the flag saying that this
structure represents the root file system.

And we simply remove that and then we can
call remount on the root file system and

then we put back in the flag. So we kind
of bypass the hardcoded check. For

disabling code signing and disabling
sandbox there are several approaches.

In the kernel there's a trust cache so
usually amfi handles the code signing.

The demon in userspace handles the code
signing requests. But the demon itself

also needs to be code-signed. So you have
the chicken and egg problem. That's why in

the kernel there is a list of hashes of
binaries which are allowed to execute. And

this thing is actually writable because
when you mount the developer disk image it

actually adds some debugging things to it
so you can simply inject your own hash

into the trust cache making the binary
trusted. Another approach taken by

jailbreakd and the latest electro
jailbreak is to have a process, in this

case jailbreakd, which would patch the
processes on creation, so when you spawn a

process that thing would immediately stop
the process, go into the kernel, look up

the structure and remove the flags
saying "kill this process when the cold

signature becomes involved" and it will
invalid. And it would also add the

get-task-low entitlements. And then after 
it's done that it would resume the process

and then the process won't get killed any 
more because it's kind of already trusted.

And the third approach taken or demoed by
bazad was to take over amfid and userspace

completely. So if you can get a Mac port
to launchd or to amfid you can impersonate

that and whenever the kernel asks and
feels that it's trusted you would reply

"Okay yeah that's trusted that's fine
you can run it" so that way you don't need

to go for the kernel at all. So future
jailbreaks. Kernel patches are not really

possible anymore and they're not even
required. Because we can still patch the

kernel data or not go for the kernel at
all. But we're still not done yet, we

still didn't go for Post-Apocalyptic
or short PAC. Well actually

PAC stands for pointer authentication
codes but you get the joke.

So pointer authentication codes were
introduced with the iPhone Xs and if we

quote Qualcomm "This is a stronger version
off stack protection". And pointer

authentication codes are similar to
message authentication codes but for

pointers, if you are familiar with that.
And the idea of that is to protect data in

memory in relation to context with a
secret key. So the data in memory could be

the return value and the context could be
the stack pointer or data in memory could

be a function pointer and the context
could be a vtable. So if we take a look

how PAC is implemented. So at the left you
can see function entry and like function

prologue and function epilogue without PAC
and with PAC the only thing that would be

changed is when you enter a function
before actually doing anything inside it,

you would normally store the return value
on the stack but when doing that you would

first authenticate the pointer with the
context and then kinda create the

signature and store it inside the pointer
and then put it on the stack. And then

when you leave the function you would just
take back the pointer, again calculate the

signature and see if these both signatures
matches and if they do then just return

and if the signature's invalid you would
just throw a hardware fault. So this is

how it looks like for 64-bit pointers. You
don't really use all of the available bits.

So usually you use 48 bits for
virtual memory which is more than enough.

If you use memory tagging
you have seven bits left for putting in

the signature or if you do not use memory
tagging you can use up to 15 bits for the

pointer authentication code. So the basic
idea of PAC is to kill ROP like code reuse

attacks. You cannot simply smash the stack
and create a ROP chain because every

return would have an instruction verifying
the signature of the return value and that

means you would need to sign everything,
every single of these pointers and since

you don't know the key you can't do that
in advance. So you cannot modify a return

value and you cannot swap two signed
values on the stack unless the stack

pointer is the same for both. Can we
bypass it? Maybe. I don't know. But we can

take a look at how that thing is
implemented. So if we take a look at the

ARM slides you can see that PAC is
basically derived from a pointer and a

64-bit context value and the key and we
put all of that in the algorithm P. And

that gives us the PAC which we store in
the unused bits. So the algorithm P can

either be QARMA or it can be something
completely custom. And the instructions,

the ARM instructions, kind of hide the
implementation details. So if you would go

for attacking PAC, there's two ways of
attack strategies. We can either try and

go straight for the cryptographic
primitive like take a look what cipher it

is or how that cipher is implemented.
Maybe it's weak or we can go and attack

the implementation. So if we go and attack
the implementation we could look for

signing primitives, which could be like
small gadgets we could jump to somehow,

somehow execute to sign a value which
could be either an arbitrary context

signing gadget or maybe a fixed context
signing gadget. We could also look for

unauthenticated code, for example I
imagine the code which sets up PAC itself

is probably not protected by PAC because
you can't sign the pointer if the key is

not set up yet. Maybe that code is still
accessible. We could look for something

like that. We could also try to replace
pointers which share the same context.

It's probably not feasible for return
values on the stack, but maybe it's

feasible for swapping pointers in the
vtable. Or maybe you come up with your own

clever idea how to bypass that. These are
just like some ideas. So I want to make a

point here, that in my opinion it doesn't
make much sense to try to attack the

underlying cryptography on PAC, so I think
that if we go for attacking PAC it makes

much more sense to look for implementation
attacks and not attacking the cryptography

and the next few slides are just there to
explain why I think that. So if we take a

look at QARMA which was proposed by ARM as
being one of the possible ways of

implementing PAC. PAC, uhm, QARMA is a
tweakable block cipher, so it takes an

input, a tweak and gives you an output.
Which kind of fits perfectly for what we

want. And then I started looking at QARMA
and came up with ideas on how are you

could maybe attack that cipher. At some
point I realized that practical crypto

attacks on QARMA if there will be any in
the future will probably that's what I

think completely irrelevant to the PAC
security. So why's that? If we define –

So just so you know, the next few slides
I'm going to bore you with some math but

it's not too complex. So if we define PAC
as a function which takes a 128 bit input

and a 120-bit key and maps it to 15 bits
output. Or we can more realistically

define it as a function which takes 96
bits input with a 128-bit key because we

have a 48-bit pointer because the other
ones we can't use because that's where we

store the signature and we're most likely
using the stack pointer as a context so

that one will also only use 48-bit 
pointers, 48 bits. Then we have PAC as a

construct so then we define the attacker
with following capabilities. The attacker

is allowed to observe some pointer and
signature pairs and I assume that you can

get that through some info leaks, for
example you have some bug in the code

which lets you dump a portion of the stack
with a bunch of signed pointers.

This is why you can observe some, not all,
but you can see some and I would also

allow to have the attacker be able to
slightly modify the context and what I

mean by that is I imagine a scenario where
the attacker could maybe shift the stack,

maybe through more nested function calls
before executing the leak which will give

you actually two signatures for the same
pointer but with a different context.

Maybe that's somewhat helpful. But still
we realize that the attacker, the

cryptographic attacker, is super weak so
the only other cryptographic problem there

could be is collisions. And for those of
you who seen my last talk they probably

know I love collisions. So we have 48-bit
pointer, 48-bit context and 128-bit key.

We sum that up and we divide that by the
15-bit of output we get from PAC which

gives us 2 to the power of 209 possible
collisions because we map so many bits to

so little bits. But even if we reduce the
pointers because practically probably less

than 34 bit of a pointer are really used,
we still get 2 to the power 181

collisions, which is a lot of collisions
but the bad thing here is random

collisions are not very useful to us
unless we can predict them somehow. So

let's take a look how a cryptographically
secure MAC is defined. So a MAC is defined

as following: Let p be a MAC with the
following components and those are

basically Gen(), Mac() and Vrfy(). So
Gen() just somehow generates a key, it's

only here for the sake of mathematical
completeness. Just assume we generate the

key by randomly choosing n bits or however
how much bits the key needs. And Mac() is

just a function where you put in an n-bit
message called m and it gives us a

signature t. And I'm going to say
signature but in reality I mean a message

authentication code. And the third
function is Vrfy() and you give it a

message and a signature and that just
returns true if that signature is valid

for the message or false if it's not. And
when cryptographers prove that something

is secure they like to play games. So I'm
gonna to show you my favorite game, which

is Mac-forge game. So the game is pretty
simple you have to the left the game

master which is playing Mac-forge and
to the right the attacker. So the game

starts when the Mac-forge game master
informs the attacker how much bits are we

playing. So this is the first 1 to the
power of n, basically means hey we're

having MAC-forge with, I don't know,
64-bit messages so the attacker knows the

size. Then the game master just generates
the key and then the attacker can choose to

q messages of n-bit length and send them
over to the game master and the game

master will generate signatures and send
them back. So then the attacker can

observe all the messages he generated and
all the matching signatures. So what the

attacker needs to do then is to choose
another message which he did not send over

yet and somehow come up with a valid
signature and if he can manage to do that

he sends it over and if that's actually a
valid signature for the message then he

wins the game, otherwise he looses the
game. So we say a Mac is secure if the

probability that an attacker can somehow
win this is negligible. So I'm gonna spare

you the mathematical definition of what
negligible means but like just guessing or

trying means that it's still secure if
that's the best tech. So as you can see is

a MAC which is secure needs to withstand
this. But for our PAC attacker we do not

even have this oracle. So our attacker for
PAC is even weaker than that. So why do we

not have this oracle? Well simple if we
allow the attacker to sign arbitrary

messages the attacker wouldn't even need
to try to somehow get the key or forged

message because then he could just send
over all the messages. All the pointers he

wants to sign get back signed pointers and
you wouldn't need to bother about breaking

the crypto at all. So basically the point
I'm trying to make here is that the PAC

attacker is weaker than a MAC attacker. So
every secure MAC we know is also a secure

PAC, but even then an insecure MAC might
still be sufficiently secure for PAC so

secure MACs have been around for a while
and thus in my opinion, I think if

somebody, who knows what he's doing,
designs a PAC algorithm today it will

likely be secure. So instead of going for
the crypto I think we should rather go for

implementation attacks instead because
those will be around forever. And by that

I mean well you can either see how the
crypto itself is implemented, what I mean

especially by that is you could see how
the PAC is used in the actual code. Maybe

you can find signing oracles, maybe you
can find unauthenticated code. I think

this is where we need to go if wanna
bypass PAC somehow. So just to recap where

we're coming from. Future iPhone hacks
probably gonna not try to bypass KTRR. I

think they will not try to patch Kernel
code because we can achieve pretty much

all the things we want to achieve for end
user jailbreak without having to patch the

kernel so far. And I think people are
going to struggle a bit. At least a bit

when exploiting with PAC because that kind
will either make some bugs unexploitable

or really really hard to exploit. Also
maybe we're gonna avoid the Kernel at all

as it has demoed that userland-only
jailbreaks are possible. Maybe we're going

to recalculate what the low hanging fruits
are. Maybe just go back to iBoot or look

for what other thing is interesting. So,
that was about it, thank you very much for

your attention.
<i>Applause</i>

Herald-Engel: Thank you, sir. If you would
like to ask a question please line up

on the microphones in the room. We do not
have a question from the Internet.

One question over there, yes please.
Question: Hi. I would like to be

interested what your comment is on the
statement from Zarek that basically

jailbreaking is not a thing anymore
because you're breaking so much security

features that makes the phone basically
more insecure than the former reasons of

doing a jailbreaking allow for.
tihmstar: Well, jailbreaking -- I don't

think jailbreaking itself nowadays makes a
phone really insecure. So of course if you

patched a kernel and disable all of the
security features that will be less

secure. But if you take a look what we
have here with the unpatchable kernel I

think the main downside of being
jailbroken is the fact that you cannot go

to the latest software version because you
want the box to be in there to have the

jailbreak. So I don't really think if you
have like a KTRR device the jailbreak

itself makes it less secure. Just the fact
that you are not on the latest firmware is

the insecure part of it.
Herald: Alright, thank you.

Microphone number two, your question.
Mic #2: Hi good talk. Could you go back to

the capabilities of the adversary please?
Yeah. So you said you can do basically two

things right. This one, yes. Yeah you can
observe some pointers and some signature

pairs. But why is this not an oracle?
tihmstar: Because you cannot choose...

Mic #2: Your message yourself.
tihmstar: ...your message yourself.

Mic #2: And you have also an oracle that
says if the signature is valid. For a

chosen message.
tihmstar: Well yeah but this is if you

take a look at the game and this game for
a secure MAC the attacker can choose up to

q messages sending over... like he can do
whatever he wants with that messages and

get a signature while the package hacker
can see a few very limited amount of

messages and their matching signature and
he has little to no influence on these

messages.
Mic #2: Okay. So it's a bit weaker.

tihmstar: So yeah that's the point. Just
that it's weaker.

Mic #2: Thanks.
Herald-Engel: Do we have a question from

the internet? No. OK. Yes please. All
right then I don't see anyone else being

lined up and... please give a lot of
applause for tihmstar for his awesome

talk!
<i>Applause</i>

<i>postroll music</i>

subtitles created by c3subtitles.de
in the year 2020. Join, and help us!