Reading the iOS Hacker's Handbook

I took part in Life is Tech and learned about iOS there, which got me interested in iOS.

So I want to read this book too.
Also, I'm only going to excerpt the parts I thought were important and the sentences I personally found interesting.
Sentences whose meaning I don't quite understand but which seem important get "???" at the front, so I can ask my binary mentor about them later.

【Chapter 1】 iOS Security Basics

“The original iPad had an ARM Cortex-A8 CPU, which, compared to the CPU present on the original iPhone, was roughly twice as fast.”

“Another big step forward was the iPad 2 and the iPhone 4S. They both feature ARM Cortex-A9 dual-core processors, which are 20 percent faster compared to the A8 in terms of CPU operations.”

“astonishing is the fact that the GPU of the A9 is nine times faster compared to the A8.”

“the biggest hardware differences came with the iPhone 3GS and the iPad 2. The iPhone 3GS was the first one to support the Thumb2 instruction set. The new instruction set changed the way ROP payloads needed to be created. Most code sequences present in previous versions of the device were suddenly different on the 3GS.”

???“Another relevant hardware component from a security point of view is the baseband. In fact, in most countries the iDevices are bound to a carrier (locked).”
Another hardware component that is relevant from a security point of view is the baseband.
In fact, in most countries, iDevices are tied to a carrier (locked).


“Only recently with the iPhone 4 CDMA and iPhone 4S has Apple moved to Qualcomm.”

“This malware might be bundled with software the user wants, or it might disguise itself as something the user wants.”

“it performs its malicious actions. These actions might include sending e-mails, allowing remote access to an attacker, installing a keylogger, and so on.”

“The typical way to protect devices from malware is with antivirus (AV) software. It is the AV's job to determine which software is safe to run and which is not safe to run.”

“Such attacks are sometimes called drive-by-downloads because, unlike the malware example, the user is mostly an innocent victim and wasn't trying to install any code, but just trying to use his or her device!”

“Exploitation such as this requires two ingredients. The first is a flaw or vulnerability in the software on the device. The second is a way to leverage this vulnerability to get attacker-controlled code to run on the device. Because of this two-step process, you have two main ways to protect against this kind of attack.”

???“This involves using privilege separation or sandboxing to keep sensitive data from some processes.”

“the discussion has centered on security threats for all devices. Next, you examine how attacking an iOS device might differ from attacking a personal computer.”

“iOS is a stripped-down version of Mac OS X, and so many of the vulnerabilities and attacks are shared between the two or are at least very similar.”

???“The fact that iPhones parse these messages but you don't have corresponding code in Mac OS X demonstrates that in some regards, iOS has a larger attack surface.”

“Another example of the expanded attack surface of iOS includes the code running on the baseband processor of the iPhone.”
“We talk about these two iOS-specific attack vectors later in this book in Chapters 6 and 12, respectively.”

“Just to see some numbers on the subject, Charlie Miller once fuzzed Preview (the native Mac OS X PDF viewer) and found well over a hundred crashes.”

???“When he tried these same files against iOS, only 7 percent of them caused a problem in iOS. This means that just by reducing the PDF features that iOS handled, it reduced the number of potential vulnerabilities by more than 90 percent in this case. Fewer flaws mean fewer opportunities for exploitation.”

“Beyond just reducing the potential code an attacker might exploit, Apple also stripped down the number of useful applications an attacker might want to use during and after exploitation. The most obvious example is that there is no shell (/bin/sh) on an iOS device. In Mac OS X exploits, the main goal is to try to execute a shell in “shellcode.”

???“Therefore, attackers who get code running will have to either perform all of their actions within the context of the exploited process, or bring along all the tools they want to use. Neither or these options are particularly easy to pull off.”

“iOS separates processes using users, groups, and other traditional UNIX file permission mechanisms.”

???“Other system processes run as other users such as _wireless or _mdnsresponder.”

???“an attacker who gets full control of a process such as the web browser will be constrained by the fact the code she is executing will be running as user mobile”

“Likewise, apps from the App Store are limited in what they can do because they will be executed as user mobile as well.”

???“only pages in memory that come from signed sources will be executed. This means apps cannot change their behavior dynamically or upgrade themselves.”

“Once an exploit is executing code in memory, it might want to download, install, and execute additional malicious applications. This will be denied because anything it tries to install will not be signed.”
I guess that means apps that aren't code-signed can't be executed.

???“exploits will be restricted to the process they originally exploit, unless it goes on to attack other features of the device.”

“Once jailbroken, unsigned applications can be executed on the device.”
Oh dear, jailbreaking is not something you should be doing, is it.
(I haven't, since I have no need to.)

“(DEP) is a mechanism whereby a processor can distinguish which portions of memory are executable code and which portions are data; DEP will not allow the execution of data, only code. This is important because when an exploit is trying to run a payload, it would like to inject the payload into the process and execute it. DEP makes this impossible because the payload is recognized as data and not code.”
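DEP only helps while the "writable" and "executable" sets of pages stay disjoint, so the check a defender actually runs is an audit for regions that are both. The following is an added example, not code from the book: it assumes the Linux /proc/<pid>/maps format rather than anything iOS-specific, and the SampleMaps text, the Mapping type and the function names are constructed for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Mapping is one region from a Linux /proc/<pid>/maps listing. Only the
// fields this check needs are kept.
type Mapping struct {
	Start, End uint64
	Perms      string // four characters, e.g. "rw-p": read, write, exec, private/shared
	Path       string // file backing the region, empty for anonymous memory
}

// SampleMaps is constructed input in /proc/<pid>/maps format: a text
// segment, a data segment, an anonymous region that is both writable and
// executable, and a stack. It was not captured from a real process.
const SampleMaps = `
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/app
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/app
7f8a12340000-7f8a12360000 rwxp 00000000 00:00 0
7ffc9e1d0000-7ffc9e1f1000 rw-p 00000000 00:00 0 [stack]
`

// ParseMaps parses maps-format text. A malformed line is an error rather
// than being skipped, so an audit never silently misses a region.
func ParseMaps(r io.Reader) ([]Mapping, error) {
	var out []Mapping
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 5 || len(f[1]) != 4 {
			return nil, fmt.Errorf("malformed maps line: %q", line)
		}
		var m Mapping
		if _, err := fmt.Sscanf(f[0], "%x-%x", &m.Start, &m.End); err != nil {
			return nil, fmt.Errorf("bad address range %q: %w", f[0], err)
		}
		m.Perms = f[1]
		if len(f) >= 6 {
			m.Path = f[5]
		}
		out = append(out, m)
	}
	return out, sc.Err()
}

// WritableExecutable returns the regions that violate W^X: memory that can
// be filled as data and then run as code, which is exactly what DEP exists
// to rule out.
func WritableExecutable(ms []Mapping) []Mapping {
	var bad []Mapping
	for _, m := range ms {
		if m.Perms[1] == 'w' && m.Perms[2] == 'x' {
			bad = append(bad, m)
		}
	}
	return bad
}

func report(name string, r io.Reader) {
	ms, err := ParseMaps(r)
	if err != nil {
		fmt.Printf("%s: %v\n", name, err)
		return
	}
	bad := WritableExecutable(ms)
	fmt.Printf("%s: %d regions, %d writable+executable\n", name, len(ms), len(bad))
	for _, m := range bad {
		fmt.Printf("  %012x-%012x %s %s\n", m.Start, m.End, m.Perms, m.Path)
	}
}

func main() {
	report("sample", strings.NewReader(SampleMaps))
	// On Linux, audit this very process as well; elsewhere the open just fails.
	if f, err := os.Open("/proc/self/maps"); err == nil {
		defer f.Close()
		report("self", f)
	}
}
```

Run as is, it flags the anonymous rwxp region in the constructed sample and, on Linux, audits the running process too. In a hardened process the list should be empty; a JIT that legitimately needs such a region is the one thing you would expect to see, and that is precisely why the book's iOS of this era kept code signing and DEP together rather than allowing apps to generate code.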

???“code signing requires that no page may be executed unless it originates from code signed by a trusted authority.”

“one to obtain code execution and one to leak a memory address in order to perform ROP — or the attacker may be able to get by with having only one very special vulnerability.”
It was also interesting to hear some practical stories from Potechi-sensei.

Notes and Keywords

Allocator

??? use during

So exploits have their limits too, I suppose.

NX bit

ASLR

DEP

Next, I want to read Fuzzing >

Q&A time

Mentor: Explain code signing.

Ashigaru:
Code signing is
something like a permit for execution: when you download an app from the App Store,
if it has a code signature it can run, and if it doesn't, it can't.
Therefore, if you try to run an app you downloaded from some random place on the internet,
it can't run because it has no code signature.
This in itself plays the role of an antivirus.


Mentor:
I think that's good.
In practical terms, I think code signing prevents a number of attacks.
Update-based attacks and malware that bundles a second app are examples of that.
These are attacks where the app has no malicious behaviour at first, but then downloads malicious code from outside
and turns into more malicious malware.
Update
If you try to do this when code signing is required,
the malicious code newly downloaded from outside has no signature,
so it fails.
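The policy quoted in the chapter notes (only signed pages execute, apps cannot rewrite or upgrade themselves, anything an exploit tries to install is unsigned and refused) and the mentor's update example above fit in a small model. The following is an added example, not the book's code and not Apple's actual signing format: it uses Ed25519 over a SHA-256 page digest as a stand-in for the real scheme, and the Page and Loader types, NewAuthority and the sample code bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Page is a unit of code the loader is asked to map executable, together
// with the signature the distributor attached to it (nil if unsigned).
// Hypothetical type for this example; not the iOS loader's own structures.
type Page struct {
	Name string
	Code []byte
	Sig  []byte
}

// Loader models the policy from the text: a page executes only if its
// signature verifies under the single trusted authority key.
type Loader struct {
	Trusted ed25519.PublicKey
}

var (
	ErrUnsigned     = errors.New("page carries no signature")
	ErrBadSignature = errors.New("signature does not verify under the trusted key")
)

// pageDigest hashes the page contents; the signature covers this digest, so
// changing any byte of the code after signing breaks it.
func pageDigest(code []byte) []byte {
	h := sha256.Sum256(code)
	return h[:]
}

// Sign is what the trusted authority does at distribution time. The private
// key stays with the authority; the device only ever holds the public key.
func Sign(priv ed25519.PrivateKey, code []byte) []byte {
	return ed25519.Sign(priv, pageDigest(code))
}

// CanExecute is the check a loader runs before mapping a page executable.
func (l Loader) CanExecute(p Page) error {
	if len(p.Sig) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(l.Trusted, pageDigest(p.Code), p.Sig) {
		return ErrBadSignature
	}
	return nil
}

// NewAuthority generates a fresh signing key pair (constructed for this
// example; a real authority's key is fixed and long-lived).
func NewAuthority() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func main() {
	pub, priv, err := NewAuthority()
	if err != nil {
		panic(err)
	}
	loader := Loader{Trusted: pub}

	// Constructed "code": these bytes stand in for a page of machine code.
	app := Page{Name: "app", Code: []byte("original app behaviour")}
	app.Sig = Sign(priv, app.Code)
	fmt.Println("signed app:", loader.CanExecute(app))

	// Case 1: the app rewrites its own code page at runtime (dynamic
	// behaviour change). The digest no longer matches the signature.
	patched := app
	patched.Code = append([]byte{}, app.Code...)
	patched.Code[0] ^= 0xff
	fmt.Println("self-modified page:", loader.CanExecute(patched))

	// Case 2: an update fetched later from a server that holds no signing key
	// (the mentor's "update-based" example).
	update := Page{Name: "update", Code: []byte("downloaded payload")}
	fmt.Println("unsigned update:", loader.CanExecute(update))

	// Case 3: the update is signed, but by a key the device does not trust.
	_, otherPriv, _ := NewAuthority()
	update.Sig = Sign(otherPriv, update.Code)
	fmt.Println("update signed by untrusted key:", loader.CanExecute(update))
}
```

The three rejected cases map directly onto the notes: the self-modified page is why apps cannot change their behaviour dynamically, the unsigned update is why a benign-looking app cannot later pull down a more malicious version of itself, and the untrusted-key case is why simply attaching some signature is not enough. The loader never needs the private key, which is what lets a device enforce the policy without being able to mint signatures itself.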