-
35C3 preroll music
-
Herald-Angel: All right, let's start with
our next talk in the security track of the
-
chaos communication congress. The talk is
called jailbreaking iOS from past to
-
present. Done by tihmstar. He spoke at the
32nd C3 already and researched on several
-
jailbreaks like the Phoenix or the
jelbrekTime for the Apple Watch and he's
-
gonna talk about the history of
jailbreaks. He's going to familiarize you
-
with the terminology of jailbreaking and
about exploit mitigations and how you can
-
circumvent these mitigations. Please
welcome him with a huge round of applause.
-
Applause
-
tihmstar: Thank you very much. So hello
room, I'm tihmstar, and as already said I
-
want to talk about jailbreaking iOS from
past to present and the topics I'm going
-
to cover "what is jailbreaking?". I will
give an overview in general. I'm going to
-
introduce you to how jailbreak started,
how they got into the phone at first and
-
how all of these progressed. I'll
introduce you to the terminology which is
-
"tethered", "untethered", "semi-tethered",
"semi-untethered" jailbreaks. Stuff you
-
probably heard but some of you don't know
what that means. I'm gonna talk a bit
-
about hardware mitigations which were
introduced by Apple which is KPP, KTRR and
-
a little bit about PAC. I'm going to talk
about the general goals of... About the
-
technical goals of jailbreaking and the
kernel patches and what you want to do
-
with those and brief overview how
jailbreaking could look like in the future.
-
So who am I? I'm tihmstar. I got
my first iPod touch with iOS 5.1 and since
-
then I pretty much played with jailbreaks
and then I got really interested into that
-
and started doing my own research. I
eventually started doing my own
-
jailbreaks. I kinda started with
downgrading – so I've been here two years
-
ago with my presentation "iOS Downgrading:
From past to present". I kept hacking
-
since then. So back then I kind of talked
about the projects I made and related to
-
downgrading which was tsschecker,
futurerestore, img4tool, you probably have
-
heard of that. And since then I was
working on several jailbreaking tools
-
ranging from iOS 8.4.1 to 10.3.3, among
those 32bit jailbreaks, untethered
-
jailbreaks, remote jailbreaks like
jailbreak.me and the jailbreak for the
-
Apple Watch. So, what is this jailbreaking
I am talking about? Basically, the goal is
-
to get control over a device you own. You
want to escape the sandbox which the apps
-
are put in. You want to elevate the
privileges to root and eventually to
-
kernel, you want to disable code signing
because all applications on iOS are code-
-
signed and you cannot run unsigned
binaries. You pretty much want to disable
-
that to run unsigned binaries. And the
most popular about people on jailbreak is
-
to install tweaks! And also a lot of
people install a jailbreak or jailbreak
-
their devices for doing security analysis.
For example if you want to pentest your
-
application and see how an attack goes
foot – you want to debug that stuff and
-
you want to have a jailbroken phone for
that. So what are these tweaks? Tweaks are
-
usually modifications of built-in
userspace programs, for example one of the
-
programs is springboard. Springboard is
what you see if you turn on your phone.
-
This is where all the icons are at. And
usually you can install tweaks to, I don't
-
know, modify the look, the behavior or add
functionality, just this customization,
-
this is how it started with jailbreaking.
What is usually bundled when you install a
-
jailbreak is Cydia. So you install dpkg
and apt which is the Debian package
-
manager and you also get Cydia which is a
user-friendly graphical user interface for
-
the decentralized or centralized package
installer system. I'm saying centralized
-
because it is pretty much all in one spot,
you just open the app and you can get all
-
your tweaks and it's also decentralized
because you can just add up your own repo,
-
you can make your own repo, you can add
other repos and you're not kinda tied to
-
one spot where you get the tweaks from,
like from the App Store you can only download
-
from the App Store. But with Cydia you can
pretty much download from everywhere.
-
You're probably familiar with Debian and
it's pretty much the same. So this talk is
-
pretty much structured around this tweet:
the "Ages of jailbreaking". So as you can
-
see we get the Golden Age, the BootRom,
the Industrial Age and The Post-
-
Apocalyptic age. And I kind of agree with
that. So this is why I decided to
-
structure my talk around that and walk you
through the different ages of
-
jailbreaking. So starting with the first
iPhone OS jailbreak – then it was actually
-
called iPhone OS not iOS – it was not the
BootROM yet. So the first was a buffer
-
overflow and the iPhone's libTitt library.
And this is an image parsing library.
-
It was exploited through Safari and used as
an entry point to get code execution.
-
It was the first time that non-Apple software
was run on an iPhone and people installed
-
applications like Installer or AppTapp
which were stores similar to Cydia back
-
then and those were used to install apps
or games because for the first iPhone OS
-
there was no way to install applications
anyhow, as the App Store got introduced
-
with iOS 2. So then, going to the Golden
Age, the attention kind of shifted to the
-
BootROM; people started looking at the
boot process and they found this device
-
firmware upgrade mode which is a part of
ROM. So the most famous BootROM exploit
-
was limera1n by geohot. It was a bug in
hardware and it was unpatchable with
-
software. So this bug was used to
jailbreak devices up to the iPhone 4.
-
There were also several other jailbreaks –
we didn't rely on that one – but this one,
-
once discovered, you can use it over and
over again and there's no way to patch
-
that. So this was later patched in a new
hardware revision which is the iPhone 4s.
-
So with that BootROM bug –
-
This is how kind of tethered jailbreaks
became a thing. So limera1n exploits a bug
-
in DFU mode which allows you to load
unsigned software through USB. However
-
when you reboot the device a computer was
required to re-exploit and again load your
-
unsigned code. And then load the
bootloaders, load the patched kernel and
-
thus the jailbreak was kind of tethered to
the computer because whenever you shut
-
down you need to be back at a computer to
boot your phone up. So historically a
-
tethered jailbroken phone does not boot
without a computer at all. And the reason
-
for that is because the jailbreaks would
modify the kernel and the bootloaders on
-
the file system for performance reasons,
so when you do the actual tether boot you
-
would need to upload a very tiny payload
via USB which then in turn would load
-
everything else from the file system
itself. But this results in a broken chain
-
of trust. When the normal boot process
runs and the bootloader checks the
-
signature of the first-stage bootloader
that would be invalid so the bootloader
-
would refuse to boot that and it would end
up in DFU mode so basically a phone won't
-
boot. Sometime around then, the idea for
semi-tethered jailbreak came up and the
-
idea behind that is very simple: just
don't break the chain of trust for
-
tethered jailbreaks. So, what you would do
differently is you do not modify the
-
kernel on the file system, don't touch the
bootloaders at all and then when you
-
would boot tethered, you would need to
upload all the bootloaders like the first
-
stage bootloader, then the second stage
bootloader which is iBoot and then the
-
kernel via USB to boot into jailbroken
mode. However when you reboot you could
-
boot all those components from the file
system so you could actually boot your
-
phone into non-jailbroken mode. If you
don't install any tweaks or modifications
-
which modify critical system components
because if you tamper with, for example,
-
the signature of the mount binary the
system obviously cannot boot
-
in non-jailbroken mode.
-
So, this is kind of the Golden age.
So let's continue with the Industrial age.
-
So with the release of the
iPhone 4s and iOS 5, Apple fixed the
-
BootROM bug and essentially killed
limera1n. They also introduced APTickets
-
and nonces to bootloaders, which I'm just
mentioning because it's kind of a
-
throwback for downgrading: before that you
can have a phone if you update to the
-
latest firmware and before you save your
SHSH blobs you could just downgrade and
-
then jailbreak again which wasn't a big
deal but with that they also added
-
downgrade protection so jailbreaking
became harder. If you wanted to know more
-
about how the boot process works, what
SHSH blobs are, what APTickets are, you
-
should check out my talk from two years
ago, I go in-depth on how all of that
-
works. So, I'm skipping that for this
talk. So the binaries the phone boots are
-
encrypted so the bootloaders are encrypted
and until recently the kernel used to be
-
encrypted as well. And the key encryption
key is fused into the devices and it is
-
impossible to get through hardware
attacks. At least there's no public case
-
where somebody actually got that recovered
at keys so it's probably impossible,
-
nobody has done it yet. So old boot files
are decrypted at boot by the previous
-
bootloader. And before the iPhone 4s you
could actually just talk to the hardware
-
iOS engine as soon as you got kernel-level
code execution. But with the iPhone 4s
-
they introduced a feature where before the
kernel would boot they would shut off the
-
iOS engine by hardware, so there is no way
to decrypt bootloader files anymore so
-
easily unless you got code execution in
the bootloader itself. So decrypting
-
bootloaders is a struggle from now on. So
I think kind of because of that the
-
attention shifted to userland and from now
the jailbreaks kind of had to be
-
untethered. So untethered here means that
if you jailbreak your device, you turn it
-
off, you boot it again, then the device is
still jailbroken, and this is usually
-
achieved through re-exploitation at some
point in the boot process. So you can't
-
just patch the kernel on file system
because that would invalidate signatures,
-
so instead you would, I don't know, add
some configuration files to some demons
-
which would trigger bugs and then exploit.
So jailbreaks then chained many bugs
-
together, sometimes six or more bugs to
get initial code execution, kernel code
-
execution and persistence. This somewhat
changed when Apple introduced free
-
developer accounts around the time they
released iOS 9. So these developer
-
accounts allow everybody who has an Apple
ID to get a valid signing certificate for
-
seven days for free. So you can actually
create an XCode project and run your app
-
on your physical device. Before that that
was not possible, so the only way to run
-
your own code on your device was to buy a
paid developer account which is 100$ per
-
year if you a buy personal developer
account. But now you can just get that for
-
free. And after seven days the certificate
expires, but you can just, for free,
-
request another one and keep doing that.
Which is totally enough if you develop
-
apps. So this kind of led to semi-
untethered jailbreaks because initial code
-
execution was not an issue anymore.
Anybody could just get that free
-
certificate, sign apps and run some kind
of code that was sandboxed. So jailbreak
-
focus shifted to more powerful kernel bugs
which were reachable from sandbox. So we
-
had jailbreaks using just one single bug
or maybe just two bugs and the jailbreaks
-
then were distributed as an IPA, which is
an installable app people would download,
-
sign themselves, put on the phone and just
run the app. So semi-untethered means
-
you can reboot into non-jailbroken mode,
however you can get to jailbroken mode
-
easily by just pressing an app. And over
the years Apple stepped up its game
-
constantly. So with iOS 5 they introduced
ASLR address space layer randomisation,
-
with iOS 6 they added kernel ASLR, with
the introduction of the iPhone 5, as they
-
added 64bit CPUs, which isn't really a
security mitigation, it just changed a bit
-
how you would exploit. So the real deal
started to come with iOS 9, where they
-
first introduced Kernel Patch Protection,
an attempt to make the kernel immutable
-
and not patchable. And they stepped up that
with the iPhone 7 where they introduced
-
Kernel Text Readonly Region, also known as
KTRR. So with iOS 11 they removed 32bit
-
libraries, which I think has very little
to no impact on exploitation; it's mainly
-
in the list because up to that point Cydia
was compiled as a 32bit binary and that
-
stopped working, that's why that had to be
recompiled for 64bit, which took someone
-
to do until you could get a working Cydia
on 64bits iOS 11. So with the iPhone Xs
-
which came out just recently they
introduced Pointer Authentication Codes,
-
and I'm gonna go more in detail into these
hardware mitigations in the next few
-
slides. So let's start with Kernel Patch
Protection. So when people say KPP, they
-
usually refer to what Apple calls
watchtower. So watchtower, as the name
-
suggests, watches over the kernel and
panics when modifications are detected,
-
and it prevents the kernel from being
patched. At least that's the idea of it.
-
It doesn't really prevent it because it's
broken but when they engineered it, it
-
should prevent you from patching the
kernel. So how does it work? Watchtower is
-
a piece of software which runs in EL3
which is the ARM exception level 3.
-
So exception levels are kind of privilege
separations while 3 is the highest and 0
-
is the lowest. And you can kind of trigger
an exception to call handler code in
-
higher levels. So the idea of watchtowers
that recurring events which is FPU usage
-
trigger Watchtower inspection of the
kernel, and you cannot really turn it off
-
because you do need the FPU. So if you
picture how it looks like, we have the
-
Watchtower to the left (which totally
looks like a lighthouse) and the
-
applications at the right. So in the
middle, in EL1, we have the kernel and
-
recent studies revealed that this is
exactly how the XNU kernel looks like. So
-
how can we be worse? An event occurs from
time to time which is from using userland
-
application, for example JavaScript makes
heavy use of floating points, and the
-
event would then go to the kernel and the
kernel would then trigger Watchtower as it
-
tries to enable the FPU. Watchtower would
scan the kernel and then if everything is
-
fine it would transition execution back
into the kernel which then in turn would
-
transition back into userspace which can
then use the FPU. However with a modified
-
kernel, when Watchtower scans the kernel
and detects modification, it would just
-
panic. So the idea is that the kernel is
forced to call Watchtower because the FPU
-
is blocked otherwise. But the problem at
the same time is that the kernel is in
-
control before it calls watchtower. And
this thing was fully defeated by qwerty in
-
yalu102. So how qwerty's KPP bypass works:
The idea is: you copy the kernel in memory
-
and you mody the copied kernel. Then you
would modify the page tables to use the
-
patched kernel. And whenever the FPU
triggers a Watchtower inspection, before
-
actually calling Watchtower you would
switch back to the unmodified kernel and
-
then let it run, let it check the
unmodified kernel when that returns you
-
would go back to the modified kernel. So
this one it looks like: we copy the kernel
-
in memory, we patch the modified copy, we
switch the page tables to actually use the
-
modified copy and when we have the FPU
event it would just switch the page tables
-
back, forward the call to Watchtower, make
then watch tower scan the unmodified
-
kernel and after the scan we would just
return to the patched kernel. So the
-
problem here is: Time of check – Time of
Use, the classical TOCTOU. And this works
-
on the iPhone 5s, the iPhone 6 and the
iPhone 6s and it's not really patchable.
-
However, with the iPhone 7, Apple
introduced KTRR, which kind of proves that
-
and they really managed to do an
unpatchable kernel. So how does KTRR work?
-
So Kernel Text Readonly Region, I'm going
to present as described by Siguza in his
-
blog, adds an extra memory controller
which is the AMCC which traps all writes to
-
the read-only region. And there's extra CPU
registers which mark and executable range
-
which are the KTRR registers and they
obviously mark a subsection of the
-
read-only region, so you have hardware
enforcement at boot time for read-only
-
memory region and hardware enforcement at
boot-time for an executable memory region.
-
So this the CPU. This is the memory at the
bottom. You would set the read-only region
-
at boot and since that's enforced by the
hardware memory controller everything
-
inside that region is not writable and
everything outside that region is
-
writable. And the CPU got KTRR registers
which mark begin and end. So the
-
executable region is a subsection of the
read-only region. Everything outside there
-
cannot be executed by the CPU. Everything
inside the read-only region cannot be
-
modified. And this has not been truly
bypassed yet. There's been a bypass but
-
that actually targeted how that thing gets
set up. But that's fakes and now it's
-
probably setting up everything and so far
it hasn't been bypassed. So jailbreaks are
-
still around. So what are they doing?
Well, they just walk around kernel patches
-
and this is when KPP jailbreaks evolved.
Which means, they just don't patch
-
the kernel. But before we dive into that,
let's take a look what previous jailbreaks
-
actually did patch in the kernel. So the
general goals are to disable code signing
-
to disable the sandbox to make the root
file system writable to somehow make
-
tweaks work which involves making mobile
substrate or libsubstitute work which is
-
the library for hooking. And I was about
to make a list of kernel patches which you
-
could simply apply, however, the
techniques and patches vary across
-
individual jailbreaks so much that I
couldn't even come up with the list of
-
kernel patches among the different
jailbreaks I worked on. So there's no
-
general set of patches, some prefer to do
it that way, some prefer to do it that
-
way. So instead of doing a kind of full
list, I'll just show you what the Helix
-
jailbreak does patch. So the Helix
jailbreak first patches the
-
i_can_has_debugger, which is a boot arc.
It's a variable in the kernel and if you
-
set that to true that would relax the
sandbox. So to relax the sandbox or to
-
disable code signing usually involves
multiple steps. Also since iOS 7 you need
-
to patch mount because there's actual
hardcoded that the root filesystem cannot
-
be mounted as read-write. Since iOS 10.3,
there is also hardcoded that you cannot
-
mount the root filesystem without the
nosuid flag, so you probably want to patch
-
that out as well. And then if you patch
both these you can remount the root
-
filesystem as read-and-write, however you
cannot actually write to the files on the
-
root filesystem unless you patch Light-
Weight Volume Manager which you also only
-
need to do in iOS 9 up to iOS 10.3. Later
when they switched to APFS you don't
-
actually need that anymore. Also there's a
variable called proc_enforce. You set that
-
to 0 to disable code signing which is one
of the things you need to do to disable
-
code signing. Another flag is
cs_enforcement_disable, set that to 1 to
-
disable code signing. So amfi, which is
Apple mobile file integrity is a kext which
-
handles the code signing checks. In that
kext it imports the mem-copy function.
-
So there's a stub and one of the patches
is to patch that stub to always return 0
-
by some simple gadget. So what this does
is, whenever it compares something in a
-
code, it would just always compare… say
that the compare succeeds and is equal.
-
I'm not entirely sure what it does,
so this patch dates back to Yalu
-
but like just supplying that patch helps
-
killing code signing, so that's why it's
in there. Another thing h3lix does is, it
-
adds the get-task-allow entitlement to
every process and this is for allowing
-
read/ write/executable mappings and this
is what you want for a mobile substrate
-
tweaks. So initially this entitlement
is used for debugging because
-
there you also need to be able to modify
code at runtime for setting breakpoints
-
while we use it for getting tweaks to
work. Since iOS 10.3 there's... h3lix also
-
patches label_update_execve patch...
label_update_execve function. So the idea
-
of that patch was to fix the "process-exec
denied while updating label" error message
-
in Cydia and several other processes. Well
that seems to completely nuke the sandbox
-
and also break sandbox containers so this
is also the reason why if you're
-
jailbreaking with h3lix apps would save
their data in the global directory instead
-
of their sandbox containers. And you also
kill a bunch of checks in
-
map_ops_policy... mac_policy_ops to relax
the sandbox. So if you want to check out
-
how that works yourself, unfortunately
h3lix itself is not open-source and I've
-
no plans of open-sourcing that. But
there's two very very closely related
-
projects which are open-source which is
doubleH3lix – this is pretty much exactly
-
the same but for 64 bit devices which
does include the KPP bypass, so it also
-
patches the kernel – and jelbrekTime,
which is the watchOS jailbreak. But h3lix
-
is for iOS 10 and the watchOS jailbreak is
kind of the iOS 11 equivalent but it
-
shares like most of the code. So most of
the patch code is the same if you want to
-
check that out. Check these out. So,
KPPless jailbreaks. So the idea is, don't
-
patch the kernel code but instead patch
the data. So for an example we go for
-
remounting root file system. We know we
have hardcoded checks which forbid us to
-
mount the root file system read/write. But
what we can do is in the kernel there's
-
this structure representing the root file
system and we can patch that structure
-
removing the flag saying that this
structure represents the root file system.
-
And we simply remove that and then we can
call remount on the root file system and
-
then we put back in the flag. So we kind
of bypass the hardcoded check. For
-
disabling code signing and disabling
sandbox there are several approaches.
-
In the kernel there's a trust cache so
usually amfi handles the code signing.
-
The demon in userspace handles the code
signing requests. But the demon itself
-
also needs to be code-signed. So you have
the chicken and egg problem. That's why in
-
the kernel there is a list of hashes of
binaries which are allowed to execute. And
-
this thing is actually writable because
when you mount the developer disk image it
-
actually adds some debugging things to it
so you can simply inject your own hash
-
into the trust cache making the binary
trusted. Another approach taken by
-
jailbreakd and the latest electro
jailbreak is to have a process, in this
-
case jailbreakd, which would patch the
processes on creation, so when you spawn a
-
process that thing would immediately stop
the process, go into the kernel, look up
-
the structure and remove the flags
saying "kill this process when the cold
-
signature becomes involved" and it will
invalid. And it would also add the
-
get-task-low entitlements. And then after
it's done that it would resume the process
-
and then the process won't get killed any
more because it's kind of already trusted.
-
And the third approach taken or demoed by
bazad was to take over amfid and userspace
-
completely. So if you can get a Mac port
to launchd or to amfid you can impersonate
-
that and whenever the kernel asks and
feels that it's trusted you would reply
-
"Okay yeah that's trusted that's fine
you can run it" so that way you don't need
-
to go for the kernel at all. So future
jailbreaks. Kernel patches are not really
-
possible anymore and they're not even
required. Because we can still patch the
-
kernel data or not go for the kernel at
all. But we're still not done yet, we
-
still didn't go for Post-Apocalyptic
or short PAC. Well actually
-
PAC stands for pointer authentication
codes but you get the joke.
-
So pointer authentication codes were
introduced with the iPhone Xs and if we
-
quote Qualcomm "This is a stronger version
off stack protection". And pointer
-
authentication codes are similar to
message authentication codes but for
-
pointers, if you are familiar with that.
And the idea of that is to protect data in
-
memory in relation to context with a
secret key. So the data in memory could be
-
the return value and the context could be
the stack pointer or data in memory could
-
be a function pointer and the context
could be a vtable. So if we take a look
-
how PAC is implemented. So at the left you
can see function entry and like function
-
prologue and function epilogue without PAC
and with PAC the only thing that would be
-
changed is when you enter a function
before actually doing anything inside it,
-
you would normally store the return value
on the stack but when doing that you would
-
first authenticate the pointer with the
context and then kinda create the
-
signature and store it inside the pointer
and then put it on the stack. And then
-
when you leave the function you would just
take back the pointer, again calculate the
-
signature and see if these both signatures
matches and if they do then just return
-
and if the signature's invalid you would
just throw a hardware fault. So this is
-
how it looks like for 64-bit pointers. You
don't really use all of the available bits.
-
So usually you use 48 bits for
virtual memory which is more than enough.
-
If you use memory tagging
you have seven bits left for putting in
-
the signature or if you do not use memory
tagging you can use up to 15 bits for the
-
pointer authentication code. So the basic
idea of PAC is to kill ROP like code reuse
-
attacks. You cannot simply smash the stack
and create a ROP chain because every
-
return would have an instruction verifying
the signature of the return value and that
-
means you would need to sign everything,
every single of these pointers and since
-
you don't know the key you can't do that
in advance. So you cannot modify a return
-
value and you cannot swap two signed
values on the stack unless the stack
-
pointer is the same for both. Can we
bypass it? Maybe. I don't know. But we can
-
take a look at how that thing is
implemented. So if we take a look at the
-
ARM slides you can see that PAC is
basically derived from a pointer and a
-
64-bit context value and the key and we
put all of that in the algorithm P. And
-
that gives us the PAC which we store in
the unused bits. So the algorithm P can
-
either be QARMA or it can be something
completely custom. And the instructions,
-
the ARM instructions, kind of hide the
implementation details. So if you would go
-
for attacking PAC, there's two ways of
attack strategies. We can either try and
-
go straight for the cryptographic
primitive like take a look what cipher it
-
is or how that cipher is implemented.
Maybe it's weak or we can go and attack
-
the implementation. So if we go and attack
the implementation we could look for
-
signing primitives, which could be like
small gadgets we could jump to somehow,
-
somehow execute to sign a value which
could be either an arbitrary context
-
signing gadget or maybe a fixed context
signing gadget. We could also look for
-
unauthenticated code, for example I
imagine the code which sets up PAC itself
-
is probably not protected by PAC because
you can't sign the pointer if the key is
-
not set up yet. Maybe that code is still
accessible. We could look for something
-
like that. We could also try to replace
pointers which share the same context.
-
It's probably not feasible for return
values on the stack, but maybe it's
-
feasible for swapping pointers in the
vtable. Or maybe you come up with your own
-
clever idea how to bypass that. These are
just like some ideas. So I want to make a
-
point here, that in my opinion it doesn't
make much sense to try to attack the
-
underlying cryptography on PAC, so I think
that if we go for attacking PAC it makes
-
much more sense to look for implementation
attacks and not attacking the cryptography
-
and the next few slides are just there to
explain why I think that. So if we take a
-
look at QARMA which was proposed by ARM as
being one of the possible ways of
-
implementing PAC. PAC, uhm, QARMA is a
tweakable block cipher, so it takes an
-
input, a tweak and gives you an output.
Which kind of fits perfectly for what we
-
want. And then I started looking at QARMA
and came up with ideas on how are you
-
could maybe attack that cipher. At some
point I realized that practical crypto
-
attacks on QARMA if there will be any in
the future will probably that's what I
-
think completely irrelevant to the PAC
security. So why's that? If we define –
-
So just so you know, the next few slides
I'm going to bore you with some math but
-
it's not too complex. So if we define PAC
as a function which takes a 128 bit input
-
and a 120-bit key and maps it to 15 bits
output. Or we can more realistically
-
define it as a function which takes 96
bits input with a 128-bit key because we
-
have a 48-bit pointer because the other
ones we can't use because that's where we
-
store the signature and we're most likely
using the stack pointer as a context so
-
that one will also only use 48-bit
pointers, 48 bits. Then we have PAC as a
-
construct so then we define the attacker
with following capabilities. The attacker
-
is allowed to observe some pointer and
signature pairs and I assume that you can
-
get that through some info leaks, for
example you have some bug in the code
-
which lets you dump a portion of the stack
with a bunch of signed pointers.
-
This is why you can observe some, not all,
but you can see some and I would also
-
allow to have the attacker be able to
slightly modify the context and what I
-
mean by that is I imagine a scenario where
the attacker could maybe shift the stack,
-
maybe through more nested function calls
before executing the leak which will give
-
you actually two signatures for the same
pointer but with a different context.
-
Maybe that's somewhat helpful. But still
we realize that the attacker, the
-
cryptographic attacker, is super weak so
the only other cryptographic problem there
-
could be is collisions. And for those of
you who seen my last talk they probably
-
know I love collisions. So we have 48-bit
pointer, 48-bit context and 128-bit key.
-
We sum that up and we divide that by the
15-bit of output we get from PAC which
-
gives us 2 to the power of 209 possible
collisions because we map so many bits to
-
so little bits. But even if we reduce the
pointers because practically probably less
-
than 34 bit of a pointer are really used,
we still get 2 to the power 181
-
collisions, which is a lot of collisions
but the bad thing here is random
-
collisions are not very useful to us
unless we can predict them somehow. So
-
let's take a look how a cryptographically
secure MAC is defined. So a MAC is defined
-
as following: Let p be a MAC with the
following components and those are
-
basically Gen(), Mac() and Vrfy(). So
Gen() just somehow generates a key, it's
-
only here for the sake of mathematical
completeness. Just assume we generate the
-
key by randomly choosing n bits or however
how much bits the key needs. And Mac() is
-
just a function where you put in an n-bit
message called m and it gives us a
-
signature t. And I'm going to say
signature but in reality I mean a message
-
authentication code. And the third
function is Vrfy() and you give it a
-
message and a signature and that just
returns true if that signature is valid
-
for the message or false if it's not. And
when cryptographers prove that something
-
is secure they like to play games. So I'm
gonna to show you my favorite game, which
-
is Mac-forge game. So the game is pretty
simple you have to the left the game
-
master which is playing Mac-forge and
to the right the attacker. So the game
-
starts when the Mac-forge game master
informs the attacker how much bits are we
-
playing. So this is the first 1 to the
power of n, basically means hey we're
-
having MAC-forge with, I don't know,
64-bit messages so the attacker knows the
-
size. Then the game master just generates
the key and then the attacker can choose to
-
q messages of n-bit length and send them
over to the game master and the game
-
master will generate signatures and send
them back. So then the attacker can
-
observe all the messages he generated and
all the matching signatures. So what the
-
attacker needs to do then is to choose
another message which he did not send over
-
yet and somehow come up with a valid
signature and if he can manage to do that
-
he sends it over and if that's actually a
valid signature for the message then he
-
wins the game, otherwise he looses the
game. So we say a Mac is secure if the
-
probability that an attacker can somehow
win this is negligible. So I'm gonna spare
-
you the mathematical definition of what
negligible means but like just guessing or
-
trying means that it's still secure if
that's the best tech. So as you can see is
-
a MAC which is secure needs to withstand
this. But for our PAC attacker we do not
-
even have this oracle. So our attacker for
PAC is even weaker than that. So why do we
-
not have this oracle? Well simple if we
allow the attacker to sign arbitrary
-
messages the attacker wouldn't even need
to try to somehow get the key or forged
-
message because then he could just send
over all the messages. All the pointers he
-
wants to sign get back signed pointers and
you wouldn't need to bother about breaking
-
the crypto at all. So basically the point
I'm trying to make here is that the PAC
-
attacker is weaker than a MAC attacker. So
every secure MAC we know is also a secure
-
PAC, but even then an insecure MAC might
still be sufficiently secure for PAC so
-
secure MACs have been around for a while
and thus in my opinion, I think if
-
somebody, who knows what he's doing,
designs a PAC algorithm today it will
-
likely be secure. So instead of going for
the crypto I think we should rather go for
-
implementation attacks instead because
those will be around forever. And by that
-
I mean well you can either see how the
crypto itself is implemented, what I mean
-
especially by that is you could see how
the PAC is used in the actual code. Maybe
-
you can find signing oracles, maybe you
can find unauthenticated code. I think
-
this is where we need to go if wanna
bypass PAC somehow. So just to recap where
-
we're coming from. Future iPhone hacks
probably gonna not try to bypass KTRR. I
-
think they will not try to patch Kernel
code because we can achieve pretty much
-
all the things we want to achieve for end
user jailbreak without having to patch the
-
kernel so far. And I think people are
going to struggle a bit. At least a bit
-
when exploiting with PAC because that kind
will either make some bugs unexploitable
-
or really really hard to exploit. Also
maybe we're gonna avoid the Kernel at all
-
as it has demoed that userland-only
jailbreaks are possible. Maybe we're going
-
to recalculate what the low hanging fruits
are. Maybe just go back to iBoot or look
-
for what other thing is interesting. So,
that was about it, thank you very much for
-
your attention.
Applause
-
Herald-Engel: Thank you, sir. If you would
like to ask a question please line up
-
on the microphones in the room. We do not
have a question from the Internet.
-
One question over there, yes please.
Question: Hi. I would like to be
-
interested what your comment is on the
statement from Zarek that basically
-
jailbreaking is not a thing anymore
because you're breaking so much security
-
features that makes the phone basically
more insecure than the former reasons of
-
doing a jailbreaking allow for.
tihmstar: Well, jailbreaking -- I don't
-
think jailbreaking itself nowadays makes a
phone really insecure. So of course if you
-
patched a kernel and disable all of the
security features that will be less
-
secure. But if you take a look what we
have here with the unpatchable kernel I
-
think the main downside of being
jailbroken is the fact that you cannot go
-
to the latest software version because you
want the box to be in there to have the
-
jailbreak. So I don't really think if you
have like a KTRR device the jailbreak
-
itself makes it less secure. Just the fact
that you are not on the latest firmware is
-
the insecure part of it.
Herald: Alright, thank you.
-
Microphone number two, your question.
Mic #2: Hi good talk. Could you go back to
-
the capabilities of the adversary please?
Yeah. So you said you can do basically two
-
things right. This one, yes. Yeah you can
observe some pointers and some signature
-
pairs. But why is this not an oracle?
tihmstar: Because you cannot choose...
-
Mic #2: Your message yourself.
tihmstar: ...your message yourself.
-
Mic #2: And you have also an oracle that
says if the signature is valid. For a
-
chosen message.
tihmstar: Well yeah but this is if you
-
take a look at the game and this game for
a secure MAC the attacker can choose up to
-
q messages sending over... like he can do
whatever he wants with that messages and
-
get a signature while the package hacker
can see a few very limited amount of
-
messages and their matching signature and
he has little to no influence on these
-
messages.
Mic #2: Okay. So it's a bit weaker.
-
tihmstar: So yeah that's the point. Just
that it's weaker.
-
Mic #2: Thanks.
Herald-Engel: Do we have a question from
-
the internet? No. OK. Yes please. All
right then I don't see anyone else being
-
lined up and... please give a lot of
applause for tihmstar for his awesome
-
talk!
Applause
-
postroll music
-
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!
