Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond The 'Cript: Practical iOS Reverse Engine...

Michael Allen
September 26, 2016

Beyond The 'Cript: Practical iOS Reverse Engineering

Today there is an app for almost everything. But all apps come with security vulnerabilities, many of which have been relatively easy to find with the help of increasingly available frameworks. So developers are now generally better about hardening apps against the most common issues using jailbreak detection and best practices, and many of the known “low hanging” security issues are resident less frequently.

But there are still vulnerabilities not as well known that can only be found with a deeper knowledge of iOS and its underlying assembly code. The aim of this talk is to provide a bridge between the mundane methodologies and vulnerabilities that are easy to find, and a new approach for identifying vulnerabilities that require assembly knowledge to discover.

The talk will include fundamentals of reversing, a primer on iOS architecture, binary patching, reversing MACH-0 binaries, and conclude with real-world examples involving bypassing jailbreak detection routines.

Michael Allen

September 26, 2016
Tweet

More Decks by Michael Allen

Other Decks in Research

Transcript

  1. IOActive, Inc. Copyright ©2016. All Rights Reserved. Beyond The ‘Cript:

    Practical iOS Reverse Engineering Michael Allen (@_dark_knight_) Security Consultant
  2. IOActive, Inc. Copyright ©2016. All Rights Reserved. Why This Talk?

    •  Apps more hardened against common attacks •  Bridge the gap •  Deeper understanding of what happens under the hood •  Foundation for additional research
  3. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 –  Usual results –  “New” approach •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Mach-O Binary Format •  Mach Tasks •  ARM(32/64) •  Objective-C •  Swift •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  4. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  5. IOActive, Inc. Copyright ©2016. All Rights Reserved. Building A General

    Toolkit •  Jailbroken Device •  File System •  Network •  Instrumentation •  Automating Common Tasks •  Essentials
  6. IOActive, Inc. Copyright ©2016. All Rights Reserved. Jailbroken Device • 

    Removing software restrictions imposed by iOS, through the use of software exploits •  Recommend dedicated device for testing •  Latest jailbreak –  Pangu (iOS 9.2 – 9.3.3 64-bit devices only)
  7. IOActive, Inc. Copyright ©2016. All Rights Reserved. Jailbroken Device (contd.)

    •  Tethered •  Does not persist across reboots •  Requires computer to start device •  Untethered •  Persists on device across reboots •  Semi-tethered •  Requires computer to start into jailbroken state •  Rebooting or starting device without assistance possible. But boots into non-jailbroken state
  8. IOActive, Inc. Copyright ©2016. All Rights Reserved. Jailbroken Device (ProTip)

    •  Change default root password from alpine •  Access device over usb using usbmuxd –  sudo python tcprelay.py -t 22:22 •  Generate ssh keys –  ssh-keygen -t rsa -f ~/.ssh/ironman -N "” •  Copy public key to device –  ssh-copy-id -i ~/.ssh/ironman.pub root@localhost •  Create an alias on (~/.ssh/config)
  9. IOActive, Inc. Copyright ©2016. All Rights Reserved. File System: Moving

    Files •  iFunbox •  iExplorer •  Sftp
  10. IOActive, Inc. Copyright ©2016. All Rights Reserved. Network: SSL Kill

    Switch 2 •  “Disables SSL certificate validation - including certificate pinning - within iOS Apps.”
  11. IOActive, Inc. Copyright ©2016. All Rights Reserved. Instrumentation: Cycript • 

    Injects into target process •  Interactive console •  Objective-C and Javascript syntax •  Supported Architectures(iOS, Mac OS X) •  NowSecure fork where runtime powered by Frida* (Cycript on steroids)
  12. IOActive, Inc. Copyright ©2016. All Rights Reserved. Instrumentation: Frida • 

    Injects Google’s V8 engine into target process •  Javascript executed with full access to memory •  Function hooking •  Access to native methods •  Inject into starting process •  Multiple architectures (Windows, Mac, Linux, iOS and Android)
  13. IOActive, Inc. Copyright ©2016. All Rights Reserved. Automating Common Tasks

    •  Idb Tool - http://www.idbtool.com/ •  Snoop-IT - http://repo.nesolabs.de/ •  iRet - https://www.veracode.com/blog/2014/03/introducing-the-ios-reverse-engineering-toolkit •  IntroSpy - https://github.com/iSECPartners/Introspy-iOS •  AppMon - https://dpnishant.github.io/appmon/ •  Needle - https://github.com/mwrlabs/needle •  Varying levels of support
  14. IOActive, Inc. Copyright ©2016. All Rights Reserved. Automating Common Tasks:

    Idb Tool •  Idb Tool •  “idb is a tool to simplify some common tasks for iOS app security assessments and research.” •  Provides general app info •  URL Handler •  Keychain dumping •  Pasteboard •  Logging
  15. IOActive, Inc. Copyright ©2016. All Rights Reserved. Essentials: Command Line

    Utilities •  Command Line –  BigBoss Recommended Tools (Cydia) –  Erica Utilities (Cydia) –  Jonathan Levin compiled a number of commonly used binaries for iOS
  16. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  17. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Insecure Storage •  Property list files (.plist) •  SQLite databases •  Keychain •  Snapshots •  Cache
  18. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Property

    Lists (.plist) •  Stores serialized objects •  Key value pairs •  Maybe compacted to bplist (binary plist) –  cat filename.plist | plutil -convert xml1 - -o -
  19. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Client-Side

    Data Stores •  Often see SQLite being used for client-side storage •  Lightweight client-side database •  Query using SQL
  20. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Fun

    Fact About SQLite Data Stores •  Delete doesn’t do what you think •  Deleted data added to free list •  Free records not overwritten until more space required •  End result is data may not be overwritten for a while •  May be recovered with SQLite-parser
  21. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Dumping

    The Keychain •  SQLite database stored in /var/Keychains
  22. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Inspecting

    The Cache •  Caches directory similar function to that of a web browser’s cache •  Aimed at improving performance •  May store web cache content
  23. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Dumping

    Binary Cookies •  Created by URL loading system or webview •  Stored on local file system in binary format.
  24. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Inter-process Communication •  Application registers custom URL scheme •  Invoked when scheme called
  25. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Inter-process Communication •  Suggest using lsdtrip to identify URL’s •  Use publicurls | privateurls option
  26. IOActive, Inc. Copyright ©2016. All Rights Reserved. Inter-process Communication (Side

    Note) •  Malicious app could register your URL scheme •  [[UIApplication sharedApplication] openURL:myURL]; •  Universal Links introduced in iOS 9 •  Kills the openURL problem •  Developer specifies what URL’s will be processed by app (association file) •  Communication over HTTPS •  No more enumerating apps via can canOpenURL method
  27. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Injection Attacks •  UIWebViews •  File-Handling Routine •  XML
  28. IOActive, Inc. Copyright ©2016. All Rights Reserved. Summary: Usual Results

    •  Issues relating to Local Storage –  Keep in mind most of these attacks requires the device to be unlocked •  Unsecured API’s (via Burpsuite Pro) •  Some hard-coded secrets maybe (typically run strings against binary) •  The truth however is that most of these bugs closed –  Binary protections are now standard –  Data Protection API’s (keychain etc) –  Universal links introduced with iOS 9 address IPC loophole –  …...
  29. IOActive, Inc. Copyright ©2016. All Rights Reserved. Additionally What Happens

    When? •  The common tools fail? •  Your Google Fu returns nothing? •  There are custom security protections in place •  You want to extend an existing tool? •  You want start investigating deeply hidden logic bugs –  Crypto functions etc •  Move beyond 3rd party applications
  30. IOActive, Inc. Copyright ©2016. All Rights Reserved. Towards A “New”

    Approach •  At this point we need to take a different approach one that involves Reverse Engineering and leverages knowledge of : •  iOS internals •  ARM(32/64) Assembly •  Deep dive into Objective-C/Swift •  ….... •  Let’s improve our toolkit •  And expand our knowledge base
  31. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  32. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit •  IDA Pro •  Hopper •  LLDB •  Jtool •  Procexp •  GNU Project Debugger (gdb) •  Apple CC Tools
  33. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: lldb •  Debugging an application binary with lldb •  iOS Device 1.  debugserver -x backboard ip:port </path/to/executable> •  MAC Host 1.  lldb 2.  process connect connect://<remote_host>:<port> 3.  image list –o –f (ASLR)
  34. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Breakpoint =

    offset1 + offset2 •  Or just use the symbols J The Reverse Engineer’s Toolkit: lldb ASLR (contd.) 1 2
  35. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: jtool •  otool type functionality with way more options •  MACH-O analysis (atos, dyldinfo, nm, strings etc) •  Multi-platform (OS X, iOS, Linux) •  ARM64 disassembler
  36. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: procexp •  Getting task related info •  Display threads, mach ports, dump core (memory image) etc..
  37. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: gdb •  Use source from http://cydia.radare.org •  No support for arm64 architectures
  38. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: filemon •  Tracing file system activity with FSEvents
  39. IOActive, Inc. Copyright ©2016. All Rights Reserved. Apple’s CC Tools

    •  otool •  MACH-O Binary Swiss army knife •  nm •  Displays symbol table •  lipo •  Architectures embedded in binary •  Codesign •  Binary signing
  40. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  41. IOActive, Inc. Copyright ©2016. All Rights Reserved. Reverse Engineering iOS

    Applications (Under The Hood) •  Mach-O Binary Format •  Mach Tasks •  ARM(32/64) •  Objective-C •  Swift
  42. IOActive, Inc. Copyright ©2016. All Rights Reserved. Application Binary Version

    Location < iOS 8 /var/mobile/Application/<app bundle id> iOS 8 + §  /var/mobile/Containers/Bundle/Application/<app bundle id> §  App binary, nibs, Code Signature §  /var/mobile/Containers/Data/Application/<app bundle id> §  Documents, Library, tmp folder iOS 9.3.x §  /var/containers/Bundle/Application/<app bundle id> §  App binary
  43. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O Binary • 

    Header – Identifies file type, architecture etc •  Load Commands – Details layout and linkage specifications •  Data – Code
  44. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Flags • 

    PIE: Commonly checked flag during an assessment. •  ASLR for executable types
  45. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Load Commands

    (Kernel) •  LC_SEGMENT[_64] main load command –  Memory regions with same r/w/x protection <mach-o/loader.h>
  46. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: SEGMENTS • 

    __PAGEZERO(NULL pointer trap, all access permissions revoked ) •  _TEXT(program code) •  _DATA (readable/writeable program data) •  _LINKEDIT (symbol and other tables used by linker) •  _RESTRICT (see dyld.cpp, will not load DYLD_INSERT_LIBRARIES) •  Optional sections
  47. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Load Commands

    (dyld) •  Kernel hands off to DYLD(dynamic linker) •  Uses dynamic linker specified in LC_LOAD_DYLINKER •  Loads each LC_LOAD_DYLIB •  Resolves symbols •  Interposing (method switching) •  add __interpose section to __DATA SEGMENT •  Force library loading with DYLD_INSERT_LIBRARIES •  code with __attribute(constructor) auto runs
  48. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks • 

    At this point binary mapped into memory •  Process on other systems •  Port (IPC Endpoint) •  Own the port, own the task •  Mach Trap task_for_pid() •  Requires jailbreak tfp0 patch for kernel(PID0) •  processor_set_tasks() •  Any task port in system
  49. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Interacting with the task •  Get the task port •  Read/write memory with mach_vm* api’s •  Inject your own shellcode •  Left to your imagination
  50. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Owning The Port * mach_vm_region returns information about a memory region in a given address space.
  51. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Dumping Memory •  Write your own code and call appropriate mach_vm* api’s •  Use procexp <pid> regions
  52. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Dumping Memory •  Read using lldb (memory read –outfile <outfile> –count <size> <address>)
  53. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM32 - Registers

    Register Purpose R0 – R12 General purpose registers R13 Stack pointer R14 Link register. Holds return address during a function call. R15 Program counter (PC) CPSR Information on current execution state (Endianness bit, Thumb bit, Mode bit)
  54. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM32 – Function

    Calling Convention •  Functions are invoked via a B, BX, BL, BLX Register Purpose r0-r3 §  First four function parameters. §  Other arguments passed on stack r0 Stores return value
  55. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM32 – Basic

    Loading Instructions Register Purpose LDR Loads a word. Ex. LDR R3, [R0] Loads the word value at R0 into R3 STR Stores a word. Ex. STR R3, [R4] Takes the value in R3 and stores at memory address R4 •  Arm is a load/store architecture •  Data must be loaded into registers before they can be used
  56. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM64 - Registers

    Register Purpose x0-x28 General purpose registers (64 bit) w0-w30 General purpose registers (32 bit) x29 Frame pointer x30 Link register (return address) SP Stack pointer PC Program counter
  57. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM64 – Function

    Calling Convention Register Purpose x0-x7 Arguments/return values x9-x15 Local variables x19-x29 Callee-saved registers
  58. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C •  objc_msgSend

    •  Equivalent of calling functions in C •  id objc_msgSend(id self, SEL op,…) •  receiver(id self) •  selector(SEL op) •  Receiver is a pointer to class message is intended for •  Selector is the method to handle message
  59. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C (contd.) x0

    – receiver x1 – selector x2 – argument objc_msgSend – func call -v –d objc retrieves info on classes, methods etc *ARM64
  60. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C: Method Swizzling

    Under The Hood •  objc_method struct holds information about method of a class [/usr/include/objc/ runtime.h] •  Hooking Frameworks [/Library/Frameworks/CydiaSubstrate.framework] Member Description method_name Method name method_types Accepted parameters method_imp Pointer to implementation Swizzling just changes implementation using underlying C functions: •  class_replaceMethod •  method_exchangeImplementations •  method_setImplementation CydiaSubstrate: •  MSHookMessageEx •  MSHookFunction
  61. IOActive, Inc. Copyright ©2016. All Rights Reserved. Swift •  Introduced

    with iOS 8 •  Still uses traditional message passing for Swift classes that inherit from Objective-C classes •  Swift classes may use •  Direct function calls •  Vtables •  C++ like mangled function names •  Method Swizzling if subclass of NSObject
  62. IOActive, Inc. Copyright ©2016. All Rights Reserved. Swift: Mangled Function

    Names •  __TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_ –  __T Swift Symbol –  F indicates function –  C indicates it is a function belonging to a class –  9jailbreak module name prefixed with length –  14ViewController class name prefixed with length –  12btnFileCheck function name prefixed with length –  S0_FPSs no clue ?? J –  f function attribute –  9AnyObject function parameter –  T_ return type
  63. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  64. IOActive, Inc. Copyright ©2016. All Rights Reserved. Disclaimer •  We

    will discuss binary patching next •  Yeah but I could do this with ? •  Yes there are several other options: •  xCon •  tsProtector •  Officer •  Tools discussed earlier(remember CydiaSubstrate hooking with MSHookFunction) •  What happens when you can’t? •  Get comfortable reading/modifying ARM assembly •  Start with simple examples
  65. IOActive, Inc. Copyright ©2016. All Rights Reserved. But First A

    Note On Patching 101 •  Replace instruction with NOP •  No Operation •  Change conditional instructions to unconditional ones •  BNE, BEQ, BLT….changes to just B etc •  Update the register that determines branch taken •  reg write <register> •  p $<reg> = <value> •  Remove SEGMENT •  __RESETRICT
  66. IOActive, Inc. Copyright ©2016. All Rights Reserved. Identifying and bypassing

    Simple Jailbreak Detection Routines •  Known file paths •  Inline functions •  Sandbox integrity •  Anti-debugging •  P_TRACED •  PT_DENY_ATTACH
  67. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Inline Functions (contd.) Note no more bl _isJailbroken
  68. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Setting w10

    to 0 is enough to bypass the check Anti-Debugging: PTRACED (contd.) Just change the register value
  69. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Defined in

    /bsd/sys/ptrace.h Anti-Debugging: PT_DENY_ATTACH (contd.)
  70. IOActive, Inc. Copyright ©2016. All Rights Reserved. Simple Jailbreak Detection

    Routine Bypass: Swift (contd.) jailbreak function call return value in w0 patch cmp w0, #1
  71. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion
  72. IOActive, Inc. Copyright ©2016. All Rights Reserved. Conclusion •  Common

    bugs being closed •  A “new” approach and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protections, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!
  73. IOActive, Inc. Copyright ©2016. All Rights Reserved. References •  Books:

    •  Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin) •  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. ) •  Hacking and Securing iOS Applications (Jonathan Zdziarski) •  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel) •  Blogs and Tools: •  processor_set_tasks() - http://newosxbook.com/articles/PST2.html •  procexp – http://newosxbook.com/tools/procexp.html •  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html •  jtool - http://newosxbook.com/tools/jtool.html •  filemon - http://newosxbook.com/tools/filemon.html •  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html •  Frida - http://www.frida.re/ •  Cycript - http://www.cycript.org/ •  iFunBox - http://www.i-funbox.com/ •  SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch •  BurpSuite - https://portswigger.net/burp/ •  IDA - https://www.hex-rays.com/products/ida/ •  Hopper - https://www.hopperapp.com/ •  Idb - http://www.idbtool.com/ •  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers •  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html •  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser •  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143 •  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL