Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Journey Through Exploit Mitigation Techniques...

A Journey Through Exploit Mitigation Techniques on iOS

DEFCON 24, Las Vegas, USA, 2016

Max Bazaliy

August 07, 2016
Tweet

More Decks by Max Bazaliy

Other Decks in Technology

Transcript

  1. August 4-7, 2016 1 2 3 4 5 6 7

    8 9 10 11 12 Exploit Mitigation Techniques on iOS Max Bazaliy A Journey Through
  2. August 4-7, 2016 About me 1 2 3 4 5

    6 7 8 9 10 11 12 o  From Kiev, Ukraine o  Staff Engineer at Lookout o  Focused on XNU, Linux and LLVM internals o  Interested in jailbreak techniques o  Worked on obfuscation and DRM in a past o  Member of Fried Apple team
  3. August 4-7, 2016 Agenda 1 2 3 4 5 6

    7 8 9 10 11 12 o  iOS security mechanisms o  Function hooking o  iOS 8 & 9 exploit mitigations o  Bypassing code signatures o  Future codesign attacks
  4. August 4-7, 2016 o  Memory protections o  Code signing o 

    Sandbox o  Secure boot process o  Data protection o  Kernel Patch Protection 1 2 3 4 5 6 7 8 9 10 11 12 iOS security mechanisms
  5. August 4-7, 2016 o  No way to change existing page

    permission o  Pages can never be both writable and executable o  No dynamic code generation without JIT o  Non executable stack and heap o  ASLR / KASLR 1 2 3 4 5 6 7 8 9 10 11 12 Memory protections
  6. August 4-7, 2016 1 2 3 4 5 6 7

    8 9 10 11 12 Allocating new regions kern_return_t vm_map_enter(…){! ...! #if CONFIG_EMBEDDED! if (cur_protection & VM_PROT_WRITE){! if ((cur_protection & VM_PROT_EXECUTE) && !entry_for_jit){! printf("EMBEDDED: curprot cannot be write+execute. turning off execute\n”);! cur_protection &= ~VM_PROT_EXECUTE;! }! }! #endif /* CONFIG_EMBEDDED */! ...! } http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c!
  7. August 4-7, 2016 1 2 3 4 5 6 7

    8 9 10 11 12 Changing existing regions kern_return_t vm_map_protect(…){! ...! #if CONFIG_EMBEDDED! if (new_prot & VM_PROT_WRITE) {! if ((new_prot & VM_PROT_EXECUTE) && !(curr->used_for_jit)) {! printf("EMBEDDED: %s can't have both write and exec at the same time\n", __FUNCTION__);! new_prot &= ~VM_PROT_EXECUTE;! }! }! #endif! ...! } http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c!
  8. August 4-7, 2016 o  Mandatory Access Control Framework (MACF) o 

    Code must be signed by trusted party o  Signed page hashes match running code 1 2 3 4 5 6 7 8 9 10 11 12 Code signing
  9. August 4-7, 2016 o  LC_CODE_SIGNATURE command points to a CSBlob

    o  Key component of blob is the Code Directory o  File page hashes are individually stored into slots o  Special slots (_CodeResources, Entitlements etc) o  CDHash: Master hash of code slots hashes 1 2 3 4 5 6 7 8 9 10 11 12 Code signature format
  10. August 4-7, 2016 1 2 3 4 5 6 7

    8 9 10 11 12 CS on load validation in kernel __mac_execve \ posix_spawn exec_activate_image exec_mach_imgact load_machfile parse_machfile load_code_signature ubc_cs_blob_add mac_vnode_check_signature
  11. August 4-7, 2016 1 2 3 4 5 6 7

    8 9 10 11 12 CS page validation in kernel vm_fault_enter vm_page_validate_cs vm_page_validate_cs_mapped cs_validate_page
  12. August 4-7, 2016 CS page validation o  vm_fault called on

    a page fault o  A page fault occurs when a page is loaded o  Validated page means that page have hash in CSDir o  Tainted page calculated page hash != stored page hash o  Process with invalid codesign status will be killed 1 2 3 4 5 6 7 8 9 10 11 12
  13. August 4-7, 2016 When to verify ? /*! * CODE

    SIGNING:! * When soft faulting a page, we have to validate the page if:! * 1. the page is being mapped in user space! * 2. the page hasn't already been found to be "tainted"! * 3. the page belongs to a code-signed object! * 4. the page has not been validated yet or has been mapped for write.! */! ! #define VM_FAULT_NEED_CS_VALIDATION(pmap, page) \! ((pmap) != kernel_pmap /*1*/ && \! !(page)->cs_tainted /*2*/ && \! (page)->object->code_signed /*3*/ && \! (!(page)->cs_validated || (page)->wpmapped /*4*/)) 13 14 15 16 17 18 19 20 21 22 23 24
  14. August 4-7, 2016 Code sign enforcement o  Apple Mobile File

    Integrity (AMFI) o  Registering hooks in MACF o  mpo_proc_check_get_task o  mpo_vnode_check_signature o  mpo_vnode_check_exec o  and many more... 13 14 15 16 17 18 19 20 21 22 23 24
  15. August 4-7, 2016 Code sign enforcement process sysent AMFI amfid

    libmis.dylib trust cache MACF 13 14 15 16 17 18 19 20 21 22 23 24 Kernel land User land
  16. August 4-7, 2016 The story about function hooking o  Add

    new security features o  Debugging 3rd party code o  Logging and tracing API calls o  Reverse engineering and de-obfuscation o  Interposing to the rescue 13 14 15 16 17 18 19 20 21 22 23 24
  17. August 4-7, 2016 Interposing - DYLD_INFO and LINKEDIT o  Rebase

    Info - contains rebasing opcodes o  Bind Info - for required import symbols o  Lazy Bind Info - symbol binding info for lazy imports o  Weak Bind Info – symbol binding info for weak imports o  Export Info - symbol binding info for exported symbols Details - http://newosxbook.com/articles/DYLD.html 13 14 15 16 17 18 19 20 21 22 23 24
  18. August 4-7, 2016 Having fun with bind info case BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:!

    segIndex = immediate;! address = segOffsets[segIndex] + read_uleb128(&p, end);! break;! case BIND_OPCODE_ADD_ADDR_ULEB:! address += read_uleb128(&p, end);! break;! case BIND_OPCODE_DO_BIND:! *((void **)address) = new_impl;! address += sizeof(void *);! break;! case BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB:! *((void **)address) = new_impl;! address += read_uleb128(&p, end) + sizeof(void *);! break;! ! https://opensource.apple.com/source/dyld/dyld-360.18/src/ImageLoaderMachOCompressed.cpp! 13 14 15 16 17 18 19 20 21 22 23 24
  19. August 4-7, 2016 dyld_shared_cache 13 14 15 16 17 18

    19 20 21 22 23 24 o  All frameworks and libraries o  Loaded into each process space o  Used for performance and security reasons o  ASLR slide randomized at boot time
  20. August 4-7, 2016 Fixed offset in a cache 13 14

    15 16 17 18 19 20 21 22 23 24 ssize_t send(int a1, const void *a2, size_t a3, int a4)! {! return MEMORY[0x340480C8](a1, a2, a3, a4, 0, 0);! } ssize_t send(int a1, const void *a2, size_t a3, int a4)! {! return __sendto_shim(a1, (int)a2, a3, a4, 0, 0);! } iOS 8 iOS 9
  21. August 4-7, 2016 Fixed offset in a cache 13 14

    15 16 17 18 19 20 21 22 23 24 ssize_t send(int a1, const void *a2, size_t a3, int a4)! {! return MEMORY[0x340480C8](a1, a2, a3, a4, 0, 0);! } ssize_t send(int a1, const void *a2, size_t a3, int a4)! {! return __sendto_shim(a1, (int)a2, a3, a4, 0, 0);! } iOS 8 iOS 9
  22. August 4-7, 2016 Trampolines ? 13 14 15 16 17

    18 19 20 21 22 23 24 jmp function_B nop Orig instruction 3 Orig instruction 4 Orig instruction 5 Orig instruction 6 Function A Hook instruction 1 Hook instruction 2 Hook instruction 3 Hook instruction 4 Hook instruction 5 jmp orig_code Function B Orig instruction 1 Orig instruction 2 jmp func_A + n Original A code
  23. August 4-7, 2016 Trampolines ! o  How to change memory

    to RW ? o  How to switch back to RX ? o  How to bypass a codesign check ? 13 14 15 16 17 18 19 20 21 22 23 24
  24. August 4-7, 2016 Change a memory to RW o  What

    if mmap new page on a same address ? void *data =! mmap(addr & (~PAGE_MASK),! PAGE_SIZE, ! PROT_READ|PROT_WRITE,! MAP_ANON|MAP_PRIVATE|MAP_FIXED,! 0, 0); 13 14 15 16 17 18 19 20 21 22 23 24
  25. August 4-7, 2016 Change a memory to RX o  What

    if mprotect ? ! mprotect(addr & (~PAGE_MASK),! PAGE_SIZE,! PROT_READ|PROT_EXEC);! 25 26 27 28 29 30 31 32 33 34 35 36
  26. August 4-7, 2016 ü  Copy original page content ü  mmap

    new RW page over ü  Copy original content back ü  Write trampoline ü  mprotect to RX o  Do something with codesign(?) Sounds like a plan 25 26 27 28 29 30 31 32 33 34 35 36
  27. August 4-7, 2016 Codesign bypass o  Page is checked on

    page fault o  How we can prevent page fault ? o  What if we mlock page ... mlock(data & (~PAGE_MASK)), PAGE_SIZE);! ! o  … and it works! 25 26 27 28 29 30 31 32 33 34 35 36
  28. August 4-7, 2016 Full attack ü  Get function pointer, get

    page base ü  memcpy page contents to temporary buffer ü  mmap new RW page over ü  memcpy original content back ü  mlock page ü  memcpy trampoline code ü  mprotect page to RX 25 26 27 28 29 30 31 32 33 34 35 36
  29. August 4-7, 2016 We need to go deeper o  Hook

    fcntl in dyld to skip codesign validation fsignatures_t siginfo;! siginfo.fs_file_start=offsetInFatFile; siginfo.fs_blob_start=(void*)(long)(codeSigCmd->dataoff);! siginfo.fs_blob_size=codeSigCmd->datasize;! int result = fcntl(fd, F_ADDFILESIGS_RETURN, &siginfo); https://opensource.apple.com/source/dyld/dyld-360.18/src/ImageLoaderMachO.cpp! 25 26 27 28 29 30 31 32 33 34 35 36
  30. August 4-7, 2016 Loading unsigned code o  mlock all pages

    with executable permission during mapping if ( size > 0 ) {! if ( (fileOffset+size) > fileLen ) {! ...! }! void* loadAddress = xmmap((void*)requestedLoadAddress, size, protection, MAP_FIXED | MAP_PRIVATE, fd, fileOffset);! ...! }! } https://opensource.apple.com/source/dyld/dyld-360.18/src/ImageLoaderMachO.cpp! 25 26 27 28 29 30 31 32 33 34 35 36
  31. August 4-7, 2016 cs_bypass ü  Hook fcntl and return -1

    ü  Hook xmmap and mlock all regions that have exec permission ü  dlopen unsigned code J https://github.com/kpwn/921csbypass 25 26 27 28 29 30 31 32 33 34 35 36
  32. August 4-7, 2016 Future codesign attacks 25 26 27 28

    29 30 31 32 33 34 35 36 o  Hide executable segment o  Hook dyld functions o  Hook libmis functions