Jailbreaking iOS

Video thumbnail (Frame 0) Video thumbnail (Frame 1247) Video thumbnail (Frame 3075) Video thumbnail (Frame 4398) Video thumbnail (Frame 5681) Video thumbnail (Frame 7662) Video thumbnail (Frame 9483) Video thumbnail (Frame 10520) Video thumbnail (Frame 12304) Video thumbnail (Frame 14134) Video thumbnail (Frame 23636) Video thumbnail (Frame 24594) Video thumbnail (Frame 26526) Video thumbnail (Frame 27903) Video thumbnail (Frame 29316) Video thumbnail (Frame 30367) Video thumbnail (Frame 31321) Video thumbnail (Frame 33404) Video thumbnail (Frame 37168) Video thumbnail (Frame 39599) Video thumbnail (Frame 43344) Video thumbnail (Frame 45161) Video thumbnail (Frame 46561) Video thumbnail (Frame 47536) Video thumbnail (Frame 48537) Video thumbnail (Frame 49534) Video thumbnail (Frame 51768) Video thumbnail (Frame 53684) Video thumbnail (Frame 58229) Video thumbnail (Frame 59647) Video thumbnail (Frame 62051) Video thumbnail (Frame 63188) Video thumbnail (Frame 66659) Video thumbnail (Frame 68982) Video thumbnail (Frame 70221) Video thumbnail (Frame 71321)
Video in TIB AV-Portal: Jailbreaking iOS

Formal Metadata

Jailbreaking iOS
From past to present
Title of Series
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
This talk aims to give a general overview of iOS Jailbreaking by starting at what jailbreaking was back in the days and how it evolved up until today, while also taking a quick look at how it might evolve in future. Therefore the following topics are covered: - Jailbreaking goals (technical) - Types of jailbreak and it's origins (tethered, untethered, semi-tethered, semi-untethered) - Exploit mitigations (ASLR, iBoot-level AES, KPP, KTRR, PAC) - Kernel patches (h3lix) - Kppless jailbreaks The goal is to give an insight into the jailbreak terminology, exploit mitigations and how these are dealt with in past and modern jailbreaks.
Keywords Security

Related Material

Video is cited by the following resource
Trail Drill commands Multiplication sign Telecommunication Control flow Musical ensemble Flow separation Information security
Covering space Presentation of a group Roundness (object) Kernel (computing) Patch (Unix) Kernel (computing) Computer hardware Patch (Unix) Computer hardware Bit Arithmetic progression
Presentation of a group Computer-generated imagery Touch typing Projective plane output Hacker (term) RAID Flow separation Firmware
Game controller Mobile app Code Binary code Mathematical analysis Mathematical analysis Control flow Cartesian coordinate system Root Kernel (computing) output Software testing Information security Routing Information security
Installation art Mobile app Functional (mathematics) Installation art Computer program Data storage device Computer programming Computer icon Twitter Graphical user interface Spring (hydrology) Data management Graphical user interface Spring (hydrology) Whiteboard Software repository Function (mathematics) Spacetime Spacetime Asynchronous Transfer Mode Physical system
Point (geometry) Asynchronous Transfer Mode Mobile app Parsing Code Multiplication sign Patch (Unix) Computer-generated imagery Mereology Software bug Medical imaging Software Computer hardware Booting Library (computing) Game theory Installation art Parsing Data storage device Code Cartesian coordinate system Software Computer hardware output Game theory Buffer overflow Library (computing) Asynchronous Transfer Mode Booting Firmware
Ising-Modell Asynchronous Transfer Mode Code Patch (Unix) Structural load Computer Software bug Neuroinformatik Revision control Chain Kernel (computing) Software Kernel (computing) Software Computer hardware File system Booting Physical system Resultant Asynchronous Transfer Mode Computer worm Booting
Asynchronous Transfer Mode Multiplication sign Connectivity (graph theory) Control flow Electronic signature Component-based software engineering Chain Kernel (computing) Kernel (computing) Chain Touch typing File system Normal (geometry) Booting Physical system Asynchronous Transfer Mode Physical system Booting
Demon Randomization Code Multiplication sign Public key certificate Arm Software bug Pointer (computer programming) Sign (mathematics) Kernel (computing) Befehlsprozessor Encryption File system Cuboid Process (computing) Information security Public key certificate Software developer Computer file Binary code Electronic mailing list Electronic signature Arithmetic mean Befehlsprozessor Order (biology) Chain Configuration space output Encryption Freeware Asynchronous Transfer Mode Booting Firmware Point (geometry) Reading (process) Slide rule Asynchronous Transfer Mode Mobile app Freeware Computer file Software developer Codierung <Programmierung> Patch (Unix) Authentication Focus (optics) Code Power (physics) Advanced Encryption Standard Computer hardware Energy level Booting Game theory Address space Form (programming) Authentication Installation art Focus (optics) Key (cryptography) Validity (statistics) Patch (Unix) Projective plane Code Exploit (computer security) Sign (mathematics) Kernel (computing) Personal digital assistant Computer hardware Read-only memory Game theory Library (computing)
Arm Patch (Unix) Code Code Arm Kernel (computing) Event horizon Software Kernel (computing) Operator (mathematics) Energy level Energy level Exception handling Exception handling
Point (geometry) Group action Observational study Multiplication sign Code Cartesian coordinate system Event horizon Arm Expected value Floating-point unit Kernel (computing) Event horizon Kernel (computing) Right angle Energy level Exception handling Spacetime
Game controller Seitentabelle Table (information) Proxy server Multiplication sign Patch (Unix) Web page Port scanner Control flow Floating-point unit Kernel (computing) Read-only memory Semiconductor memory Kernel (computing) Password
Kernel (computing) Seitentabelle Event horizon Proxy server Read-only memory Patch (Unix) Semiconductor memory Kernel (computing) Patch (Unix) Multiplication sign Port scanner Event horizon
Game controller Reading (process) Presentation of a group Game controller Greatest element Range (statistics) Range (statistics) Kernel (computing) Befehlsprozessor Read-only memory Semiconductor memory Function (mathematics) Befehlsprozessor Computer hardware Kernel (computing) Read-only memory Blog Computer hardware Right angle Booting Sinc function Booting
Befehlsprozessor Read-only memory Befehlsprozessor Patch (Unix) Code
Mobile Web Patch (Unix) Patch (Unix) Debugger Electronic mailing list Set (mathematics) Substitute good Substitute good Root Kernel (computing) Root Helix Kernel (computing) File system Lipschitz-Stetigkeit Library (computing)
Point (geometry) Functional (mathematics) Run time (program lifecycle phase) Computer file Code INTEGRAL Patch (Unix) Principle of maximum entropy Set (mathematics) Sign (mathematics) Root File system Flag Process (computing) Booting Task (computing) Mobile Web Mapping Patch (Unix) Forcing (mathematics) Volume (thermodynamics) Data management Process (computing) Helix output Reading (process) Arc (geometry)
Demon Injektivität Code Ferry Corsten Multiplication sign Source code Medical imaging Sign (mathematics) Kernel (computing) Oval File system Cuboid Flag Process (computing) Error message Source code Software developer Binary code Electronic mailing list Flow separation Electronic signature Root Process (computing) Hash function Helix MiniDisc Physical system Data structure Spacetime Mobile app Functional (mathematics) Open source Patch (Unix) Equivalence relation Cache (computing) Root Spacetime Data structure Proxy server Task (computing) Patch (Unix) Projective plane Content (media) Code Planning Directory service Cache (computing) Kernel (computing) Personal digital assistant Revision control
Point (geometry) Context awareness Functional (mathematics) Code Codierung <Programmierung> Patch (Unix) Authentication Stack (abstract data type) Code Revision control Pointer (computer programming) Read-only memory Semiconductor memory Kernel (computing) Finitary relation Message passing Authentication Context awareness Theory of relativity Key (cryptography) Patch (Unix) Code Message passing Kernel (computing) Pointer (computer programming) Function (mathematics) Revision control System identification Table (information)
Pointer (computer programming) Functional (mathematics) Context awareness Pointer (computer programming) Function (mathematics) Authentication Computer hardware Data storage device Bit Prolog Electronic signature Address space
Authentication Point (geometry) Key (cryptography) Code Authentication Mathematical singularity MIDI Code Bit Stack (abstract data type) Electronic signature Pointer (computer programming) Virtual memory Pointer (computer programming) Semiconductor memory Chain Address space
Context awareness Algorithm Implementation Context awareness Arm Key (cryptography) Code Codierung <Programmierung> Authentication Primitive (album) Code Bit Primitive (album) Pointer (computer programming) Sign (mathematics) Pointer (computer programming) Strategy game Encryption Implementation Table (information)
Point (geometry) Context awareness Slide rule Implementation Block (periodic table) Function (mathematics) Cryptography Arm Blockchiffre Cryptography Function (mathematics) Encryption output Information security output Information security
Slide rule Cohesion (computer science) Functional (mathematics) Context awareness System call Inheritance (object-oriented programming) Code 1 (number) Design by contract Function (mathematics) Electronic signature Leak Pointer (computer programming) Mathematics Sign (mathematics) Cryptography Collision Context awareness Key (cryptography) Mapping Information Point (geometry) Bit Leak Electronic signature Pointer (computer programming) Function (mathematics) output Collision
Authentication Functional (mathematics) Key (cryptography) Code Length Connectivity (graph theory) Bit Complete metric space Cryptography Electronic signature Component-based software engineering Message passing Mathematics Arithmetic mean Cryptography Right angle Game theory Game theory Form (programming)
Point (geometry) Message passing Sign (mathematics) Pointer (computer programming) Key (cryptography) Cryptography Game theory Oracle Oracle
Implementation Algorithm Proxy server Patch (Unix) Code Patch (Unix) Code Bit Cryptography Exploit (computer security) Sign (mathematics) Cryptography Kernel (computing) Hacker (term) Kernel (computing) Musical ensemble Implementation Information security Booting Row (database)
Patch (Unix) Control flow Line (geometry) Mereology Revision control Kernel (computing) Software Internetworking Statement (computer science) Cuboid Right angle Musical ensemble Information security Firmware Form (programming)
Context awareness Stack (abstract data type) Electronic signature Number Electronic signature Leak Pointer (computer programming) Message passing Cryptography Pointer (computer programming) Hacker (term) Function (mathematics) Game theory Game theory
Point (geometry) Message passing Internetworking Forcing (mathematics) Bit Musical ensemble Game theory Electronic signature
Cartesian closed category Coma Berenices Musical ensemble Semiconductor memory Inflection point
[Music] all right let's start with our next talk in the security track of the cranes communications Congress the talk is called is called jailbreaking iOS from past to present done by James Joe he spoke at the 32nd c3 already and researched on several drill breaks like the Phoenix or the angelic time for Apple watch and he's gonna talk about the history of jailbreaks he's gonna familiarize you with the terminology of jailbreaking and about explore
mitigations and how you can circumvent these mitigations please welcome with a huge round of thoughts [Applause] thank you very much so hello everyone I am team sir and as I said I'm going to talk about jailbreaking iOS from past present and the topics I'm gonna cover
is what is Jerry King I'm a given all of hyun-jae knurl I'm introduce you to how jailbreak started how they got into the phone at first and how all of these progressed I'm introducing to you the terminology which is tethered untethered simi tether simi untethered jailbreak s-- like stuff you probably heard but some of you don't know what what that means I'm gonna talk a bit about Hardware mitigations which were introduced by Apple which is kpp ITR and a little bit about pact I'm gonna talk about the general goals of about the technical goals of Jerry King and the kernel patches and what you want to do with those and brief overview how Jerry King could look like in future so Who am
I I'm team sir I got my first ipod touch with iOS 5.1 and since then I pretty much played with jrx and then I got really interested into that and started doing my own research eventually started doing my own jrx kind of started with down raiding so I've been here two years ago with my presentation downgrading iOS down reading from past to present and kept hacking since then so back then I
kind of talked about the projects and made and related to down writing which
was CSS checker Futurist or IMG for tool probably heard have heard of that and since then I was working on several jailbreaking tools ranging from Iowa's eight four one two ten three three among those 32-bit generates untethered Eric's remote generates like Jarek me and the jailbreak for the Apple watch so what is
this Jerry King I'm talking about so basically the goal is to get control
over the device you own you want to escape the sandbox with the apps are put in you want to elevate the privileges to route and eventually to Colonel you want to disable code-signing because all applications on iOS a code signed and you cannot run unsigned binary so you pretty much want to disable that to run unsigned binaries and the most popular while people are jailbreak is to install tweaks and also a lot of people install a jailbreak or directly devices for doing security analysis for example if you want to pan test your application see how an attack goes for the you you want to like debug that stuff and you want to have a jailbroken phone for that so what are
these tweaks tweaks are usually modifications of built-in user space programs for example one of the programs to springboard so spring mode is what you see if you turn on your phone this is where all the icons are at and usually you can install tweaks to add on or modify the look the behavior add functionality just this customization this is what it's how it started with jacking well you also what is usually bundled when you're in so Derek is Cydia so you install dpkg and apt which is the debian package manager and you also get Cydia which is to use a friendly graphical user interface for the decentralized or centralized package installer package system so I'm saying centralized because it's pretty much all in one spot you just open the app and you can get all your tweaks or it's also decentralized because you can just add up your own repo you can make your own repo you can add other repos and so you not kind of tied to one spot where you get the tweaks from like when the app store you can only download it from the App Store but with Cydia you can pretty much download from everywhere you're probably familiar with Debian and it's pretty much the same so this talk is
pretty much structured around this tweet the ages of Jerry King so as the user say do we get like the Golden Age the bootrom the Industrial Age and the post apocalyptic age and I kind of agree with that so this is why I decided to structure my chalk around and walk you through the different ages of gyrating so starting with the first
iPhone OS JRA back then was actually called iPhone OS not iOS was not the boot ROM yet so the first was a buffer overflow and the iPhones lib tip library and this is an image parsing library and was exploited through Safari and used as an entry point to get code execution it was the first time that non apple software was run on an iPhone and people installed applications like installer app tab which were stores similar to Cydia back then and those were used to install apps or games because for the first I phone West there was no way to install applications anyhow so the apps trigger introduced with iOS 2 so then
going to the Golden Age the attention kind of shifted to the boot rom people started looking at the boot process and I found this device from where upgrade mode which is a part of ROM which yeah so the most famous boot rom exploit was lime rain by jihad it was a bug in hardware and was unpayable with software so this book was used to jailbreak devices up to the iPhone 4 there were also several other jerax we didn't rely on that one but this one like once you discovered you can use it over and over again and you there's no way to patch that so this was later patch in a new
hardware revision which is the iPhone 4s so with that boot ROM bug this is how
kind of tattered jailbreaks became a thing so lime rain exploits a buck in the DFU mode which allows you to load unsigned software through use beef however when you reboot the device a computer is required to re-explore and again load your unsigned code and then load the boot loaders load the patch kernel and thus the jailbreak was kind of tethered to the computer because whenever you shut down need to be back at a computer to boot your phone up so hysterically a tethered jailbreak phone does not boot without a computer at all and the reason for that is because the jarek's would modify the kernel and the boot loaders on the file system for performance reasons so when you do the actual tethered boot you would need to upload a very tiny payload via USB which then in turn would load everything else from the file system itself but this results in a broken
chain of trust when the normal boot process runs and the bootloader checks the signature of the first-stage bootloader that would be invalid so the bootloader would refuse to boot that and it would end up at the fu mode so basically a phone won't boot some time around then the idea of a semi tethered
jailbreak came up and the idea behind that is very simple just don't break the chain of trust for tethered jailbreaks so what you would do differently is you do not modify the kernel on the filesystem don't touch the Bullers at all and then you when you would do tethered you would need to upload all the boot loaders like the first stage boot ordered and a second stage boot loader which is I boot and then the kernel via USB to boot into general mode however when you reboot you could boot all those components in from the file system so you could actually boot your phone into non-jailbroken mode if you don't install any tweaks or modifications which modify critical system components because if you tamper with for example the signature of the mount binary the system obviously cannot boot in non-jailbroken mode so this is
kind of the golden age so let's continue with the industrial age so with the
release of the iPhone 4s and the and iOS 5 Apple fixed the boot ROM back and essentially killed lime rain they also introduced ap tickets and nonsense to boot loaders which just I mentioned because it's kind of throwback for down rating before that you can have a phone if you update to the latest firmware and before you saved your sh sh blobs you could just downgrade and then jailbreak again which wasn't a big deal but with that they also add a downgrade protection so Jerry King became harder if you want to know more about how the boot process works what sh sh blobs are what ap tickets are you should check out my talk form two years ago I go in-depth on how all of that works so I'm skipping that for this talk so the binary is the phone booths are encrypted so the bootloader is are encrypted and until recently the kernel used to be encrypted as well and the key encryption key is fused into the devices and it is impossible to get through hardware attacks at least there's no public case where somebody actually got that recovered their keys so but probably impossible nobody has done it yet so all boot files are decrypted at boot by the previous bootloader and before the iPhone 4s you could actually just talk to the hardware is engine as soon as you got kernel level code execution but with the iPhone 4s they introduced the feature where before the kernel would boot they would like shut off the is engine by Hardware so there's no way to decrypt bootloader files anymore so easily unless you get code execution in the boot order and self so yeah decrypting boot loaders is a struggle from now on so I think kind of because of that the attention shifted to user land and from now the jerax kinda had to be untethered so untethered he means that if you jailbreak your device you turn it off you boot it again then the device is still general and this is usually achieved through re exploitation at some point in the boot process so you can't just like patch the kernel on filesystem because that would invalidate the signatures so instead you would I don't know at some configuration file to some demons which would trigger box and then exploit so jailbreaks then chain many bugs together sometimes six or more bucks to get initial code execution kernel code execution and persistence this somewhat changed when Apple introduced free developer accounts around the time they released iOS 9 so these developer accounts allow everybody who has Apple ID to get a valid signing certificates for seven days for free so you can actually create an Xcode project and run your app on your physical device before that that was not possible so the only way to run your own code on your device was to buy a paid developer account which is like 100 per year if you buy personal developer account but now you can just get that for free and after seven days they certificate expires but you can just for free you request another one and keep doing that which is totally enough if you develop apps so this kind of led to see me untethered jailbreak because initial code execution was not an issue anymore anybody could just get that free certificate sign apps and run some kind of code that which was sent most so Jarek focus shifted to more powerful kernel bugs which were reachable from sandbox so you had jerax using just one single buck or maybe just two bucks and the jerax then were distributed as an IPA which is an installable app people would download sign there's sign themselves put on a phone and just run the app so Seanie untethered means you can reboot into non-jailbroken mode however you can get two jailbroken mode easily by just pressing an app and over the years apple stepped up its game constantly so what i OS v the introduced a slower address space layout randomization with our six headed kernel a SLR with the introduction of the iPhone 5s they added 64-bit CPUs which isn't really security mitigation it's just chained but how would exploit so the real deal came with started to come with iOS 9 where they're first introduced kernel patch protection an attempt to make the kernel immutable and not patchable and they stepped up that with the iPhone 7 where they introduce Colonel text read-only region also known as KT RR so with I was 11 they remove 32-bit libraries which I think has very little to no impact on exploitation as mainly in the list speakers up to that point Cydia was compiled as a 32-bit binary and that stopped working that's why that had to be recompiled for 64-bit which took someone to do until you could get a working cydia on 64-bit iOS 11 so with the iPhone access which came out is recently they introduced point their authentication codes and I'm gonna go more in detail into these Hardware mitigations in the next few slides so let's start with kernel patch protection so when people say kpp they usually refer to what Apple calls Watchtower so Watchtower as the name suggests
watches over the kernel and panics when modifications are detected and it prevents the kernel from being patched at least that's the idea of it doesn't really prevent it because it's broken but when they engineer it it should prevent you from patching the kernel so
how does it work Watchtower is a piece of software which runs the neo 3 which is the arm exception level 3 so exception levels are kind of privileged operations well 3 is the highest and 0 is lowest and you can kind trigger an exception to call handler code in high levels so the idea
of watchtowers that recurring events which is FPU usage trigger Watchtower expection of the kernel you cannot really turn it off because you do need the fu so if you picture how
it looks like we have the watch charged to the left which totally looks like a lighthouse and the applications at the right so in the middle and L one we have the kernel and recent studies revealed that this is exactly how the X a new
kernel looks like so how kbp works an event occurs from time to time which is from using an application for example javascript makes heavy use of floating points and the event would then go to the kernel and the kernel will then trigger Watchtower as a try so narrowly a few Watchtower would scan the kernel and then if everything is fine it would transition execution back into the kernel which then in turn would transition back into user space which can then use the fu however with a modified kernel when Watchtower scans the kernel in the text modification it would just panic so
the idea is that the kernel is forced to call Watchtower because the fu is
blocked otherwise but the problem at the same time is that the kernel is in control before it calls Watchtower and this thing was fully defeated by QWERTY in yellow 10 - so how Curry's kpv
passwords the idea is you copy the kernel in memory and you modify the copied kernel then you would modify the page tables to use the patch kernel and whenever the FPU triggers and watched our inspection before actually calling Watchtower you would switch back to the unmodified kernel and then let it run let it check the unmodified kernel when that returns you would go back to the modified kernel so this what it looks like we copy the
kernel and memory we patch the modified copy we switch the page tables to
actually use the modified copy and when we have the FPU event we would
just switch to page tables back make a forward to call to watchtower make then Watchtower scan the unmodified kernel and after the scan we would just
return to the patched kernel so the
problem here is time of check time of use a classical talk - and this works on the iPhone 5s the iPhone 6 and the iPhone 6s and it's not really patchable however with the iPhone 7 Apple introduced KTR which kind of proves that and they really managed to do an unmatchable kernel so how does Katie our
work so kernel text read-only region I'm gonna present as described by Z goose' in his blog adds an extra memory controller which is the MCC which traps all rights to read-only region and there's extra CPU registers which mark an executable range which are the KTR registers and they obviously mark is subsection of the read-only region so you have hardware at forcement at boot time for a read-only memory region and hardware forcement at boot time for an executable memory region so this is the
CPU you this is the memory at the bottom you would set the read-only region at boot and since that's the first but a hardware memory controller everything inside that region is not writable and everything outside that region is not is writable and the CPU got KTR registers which marked begin and end so the executable region is a subsection of the read-only region everything
outside there cannot be executed by CPU everything inside the read-only region
cannot be modified and this has not been
truly bypassed yet there's been a bypass but that actually targeted how that thing gets set up but that's fixed and now it's probably setting up everything and so far it hasn't been bypassed so genrich's are still around so what they are doing well they just walk around Colonel patches and this is when KP PGR brakes evolved which means yeah well they just don't patch the kernel but before we dive into that let's take a look what
previous Gerak's actually did patch in the kernel so the general goals are to disable code-signing to disable the sandbox to make the root filesystem writable and to somehow make tweaks work which involves making mobile substrate or lip substitute work which is the library for hooking and I was about to make a list of kernel patches which you could simply apply however the techniques and patches vary across individual jerrick so much that I couldn't even come up with the list of kernel patches among the different Derrick's I worked on so there's no general set of patches some prefer to do it that way some prefer to that way so instead of doing a kind of fullest and
just show you what the helix jailbreak does patch so the helix jailbreak first patches the I Can Has debugger which is
a boot arc it's a variable in the kernel and if you set that to true that would relax the sandbox so to relax the sandbox or to disable code signing usually involves multiple steps also since iOS 7 you need to patch mount because there's actual hard-coded that the root file system cannot be mounted as readwrite since I was ten point three there's also hard-coded that you cannot mount the root file system without the know suet flag so you probably want to patch that out as well and then if you patch both these you can remount the root filesystem as read and write however you cannot actually write to the files on a root filesystem unless you patch like that volume manager which you also only need to do in nine up to iOS ten point three later when they're switched to a PFS you don't actually need that anymore also there's a variable called proc and force you said that to zero to do disable code-signing which is one of the things you need to do to disable code signing another flag is CS enforcement disable set that to one two to disable code signing so amfi which is Apple mobile file integrity you seek ax which handles the code signing checks so in that tax there its imports the mem copy function so there's a stub and one of the patches is to patch that stop to always return zero by some simple gadget so what this does is whenever it compares something in the code it would just always compare say that this the compare succeeds and is equal I'm not entirely sure what it does so this patch dates back to Yahoo but like just applying the patch helps killing code signing so that's why it's in there another thing he makes this is it adds the get task low entitlement to every process and this is for allowing retrial executable mappings and this is what you want for mobile substrate weeks so initially these this entitlement is used for debugging because there you
also need to be able to modify code at runtime for setting breakpoints what we use it for getting tweaks to work since I was ten point three there's helix also
patches label update exact ve patch label apps update exit via function so the idea of that patch was to fix the process X like the night while I updating label error message in cydia and several other process well that seems to completely new to sandbox and also break sandbox containers so this is also the reason while why if you jur broke with helix apps would save their data in the global directory instead of their sandbox content and you also kill a bunch of checks in Mack or policy make policy ops to relax the sandbox so if you want to check out how that works yourself unfortunately Hilux itself is not on source and I have no plans of outsourcing that but there's two very very closely related projects which are open source which is double helix this is pretty much exactly the same but 460 64-bit devices which does include the kpp bypass so it also patches the kernel and job rack time which is the watcher was jailbreak but he'll helix is for iowa's 10 and the watch OS jailbreak is kind of the I 11 equivalent but it shares like most of the code so most of the patch code is the same if you want to check that out check these out so
kbps Gerak's so the idea is don't patch the kernel code but instead patch the data so for an example we go for remounting the root filesystem we know we have hard-coded checks which forbid us to mount the root filesystem readwrite but what we can do is in the kernel there's a structure representing a root filesystem and we can patch that structure moving the flag saying that this structure represents the root filesystem and we simply remove that and then we can call remount on the root filesystem and then we put back in the flag so we kind of bypassed the hard-coded check for disabling code signing and savings and box there's several approaches so when the kernel there's a trust cache so usually MV handles the code signing the daemon user space handles the code signing requests but the demon itself also needs to be called saying so you have the chicken and egg problem that's why in the kernel there is a list of hashes of binaries which are allowed to execute and this thing is actually writable because when you mount the developer disk image it actually adds some debugging things to it so you can simply inject your own hash into the trust cache making by an we trusted another approach taken by Jarek D in the latest electric is to have a process in this case Jarek D which would patch the processes on creation so when you spawn a process that thing would immediately stop the process go into the kernel look up the structure and say and remove the flags saying kill this process when the code signature becomes involved and it will invalid and it would also add the get task low entitlement and then after it's done that it would resume the process and then the process won't get killed anymore because it's kind of already trusted and the third approach taken or demoed by Bizet was to take over MPD in userspace completely so if you can get a Mac port to launch D or to AM VD you can impersonate that and whenever the kernel asks and fee is that is that trusted you would reply okay yeah that's trusted it's fine you can run it so that way you don't need to go for the kernel at all so future Gerak's kernel patches are not
really possible anymore and they're not even required because we can still patch the kernel data or not go for the kernel at all while we're still not done yet we
still didn't go for post apocalyptic and post apocalyptic or short pack
well actually pack stands for point out education code but you get a joke so point authentication codes were introduced with the iPhone XS and we called Qualcomm this is a stronger version of stack protection and pointer identification codes are similar to message authentication codes but for pointers if you're familiar with that and the idea of that is to protect data in memory in relation to a context with a secret key so the data and memory could be the return value the context could be the stack pointer or data memory could be a function pointer and the context could be a V table so if we take a look how PAC is
implemented so at the left you can see function entry and like function Prolog and function epilogue without PAC and would pack the only thing that really changes is when you enter a function before actually doing anything inside it you would normally store the return value on the stack but when doing that you would first authenticate the pointer with the context and then kind of create a signature and store it inside the pointer and then put it on the stack and then when you leave the function you would just take back the pointer again calculate the signature and see if these both thing that the signatures matches and if they do then just return and if the signature is invalid you would just throw a hardware fault so this is how it
looks like for 64-bit pointers you don't really use all of the available bits so
I usually use 48 bits for virtual memory which is more than enough so you have if you use memory tagging you have seven bits left for putting in the signature or if you do not use memory tagging you can use up to 15 bits for the point authentication code so the basic idea of
PAC is to kill wrap like code reuse attacks you cannot simply smash the
stack and create a wrap chain because every return would have an instruction verifying the signature of the return value and that nee means you would need to sign everything every single of these pointers and since you don't know the key you can't do that in advance so you cannot modify a return value and you cannot swap two signed values and unless the stake pointer is the same for both can we bypass it maybe I don't know but we can take a look at how that thing
is implemented so if we take a look at the arm slides you can see that pack is basically derived from a pointer and a 64-bit context value and the key and we put all of that in the algorithm P and that gives us the pack which we store in the unused bits so the algorithm P can either be karma or it can be something completely custom and the instructions the arm instruction kind of hide the implementation details so if we would go for attacking pack
there's two ways of attack strategies we can either try and go straight for the cryptographic primitive like take a look what cipher that is or how that cipher is implement or maybe it's weak or we can go and attack the implementation so if we go and attack the implementation we could look for signing primitives which could be like small gadgets we could jump to somehow somehow execute to sign it to sign a value which could be either an arbitrary contact signing gadgets or maybe a fixed context signing gadget we could also look for an authenticated code for example I imagine the code which sets up pack itself is probably not protected by pact because you can't sign the pointer if the key is not set up yet maybe that code is still accessible we could look for something like that we could also try to replace pointers which share the same context it's probably not feasible for return values on the stack but maybe that's fees before swapping pointers in the B table or maybe you come up with your own clever idea or how to you bypass that
this is just like some ideas so I want to make a point here that in my opinion it doesn't make much sense to try to
attack the underlying cryptography unpack so I think that if we go for attacking peg it makes much more sense to look for implementation attacks and not attacking to cryptography in next few slides are just there to explain why I think that so if we take a look at
karma which was proposed by armed as being one of the possible ways of implementing pak pak karma is a tweakable block cipher so it takes an input a tweak and gives you an output which kind of fits perfectly for what we want and then I started looking at pak at Karma and came up come up with ideas how you could maybe attack that cipher and at some point I realized that practical crypto attacks on karma if there will be any in the future will probably that's what I think completely irrelevant to the pack security so why
is that if we define so just so you know the next few slides gonna bore you with some math but it's not too complex so if we define pack as a function which takes a 120 bits input and a 120 bit key and maps it to 15 bits outputs or we can more realistically define it as a function which takes 96 bits input with the 128-bit key because we have 48 bits
pointer because the other ones we can't use because that's where we store the signature and we most likely using the stack pointer as a context so that one will also only use 48 bit pointers 48 bits so then we have a pact as a contract so then we define the attacker with following capabilities the attacker is allowed to observe some pointer and signature pairs and I assume that you can get there through some info lease for example you have some buck in the code which lets you dump a portion of the stack which with a bunch of sign pointers this is why I can observe some not all but he can see some and I would also love to have the attacker be able to slightly modify the context and what I mean by that is I imagine a scenario where you the attacker could maybe shift the stack maybe through more nested function calls before executing the leak which will give you actually two signatures for the same pointer but with a different context maybe that's somehow helpful but so we realize that the attacker is the cryptographic attacker is super weak so the only other cryptographic problem there could be is collisions and for those of you who've seen my last talk they probably know I love collisions so we have 48 bit pointer 48 bit context and 198 bit key we sum that up and we divide that by the 15 bit of output we get from PAC which gives us to you ^ 209 possible collisions because we map so many bits to so little bits but even if we reduce the pointers because practically probably less than 34 bit of a pointer are really used we still get to you ^ 181 collisions which is a lot of collisions but the bad thing here is random collisions are not very useful to us unless we can predict them somehow so let's take a look how a cryptographically secure Mac is defined so a Mac is defined as fall
let P be a Mac with following components and those are basically gen Mac and verify so Jan just somehow generates the key it's only here for the sake of mathematical completeness just assume we generate the key by randomly choosing n bits or however how much bits the key needs and Mac is just a function where we put in an N bit message column and it gives us a signature T and I'm gonna say signature but already I mean a message authentication code and the third function is verify you give it a message and a signature and it just returns true if that signature is valid for the message or false if it's not and when cryptographers prove that something is secure there like to play games so I'm gonna show you my favorite game which is Mac forge game so the game
is pretty simple you have to the left the game master which is playing with forge and to the right the attacker so the game starts when the Mac forge game uh certain forms the the attacker how much bits are we playing so this is the first one to the power of n basically means hey we're having Mac forge with I don't know 64-bit messages so the attacker knows the size then the game master generates the key and then the attacker can choose up to Q messages of n bit length and send them over to the game master the game has come will generate signatures and send them back so then the attacker can absorb all the messages he generated and all the matching signatures so what the attacker needs to do then is to choose another message which he did not send over yet and somehow come up with the ballot with a valid signature and if he can manage to do that he sends it over and if that's actually valid signature for the message then he wins the game otherwise he loses the so we say a Mac is secure if the probability that an attacker can somehow win this is negligible Sargon is very the mathematical definition of what negligible means but like just guessing or trying means that it's still secure if that's the best
attack so as you can see as a Mac which is secure needs to withstand this but for our PAC attacker we do not even have
this Oracle so our attacker for PAC is even weaker than that so why do we not have this Oracle well simple if we allow the attacker to sign arbitrary messages the attacker wouldn't even need to try to somehow get the key of forged message because then we could just send over all the messages all the pointers he wants to sign get back sign pointers and you wouldn't need to bother about breaking the crypto at all so basically the point
I'm trying to make here is that the PAC attacker is weaker than a Mac attacker so every secure Mac we know is also a
secure PAC but even an insecure Mac might still be sufficiently secure for PAC so secure Mac's have been around for a while and this in my opinion I think if somebody who knows what he's doing is to design a PAC algorithm today it will likely be secure so instead of going for the crypto I think we should rather go for implementation attacks instead because they also be around forever and by that I mean well you can either see how the crypto itself is implemented but I mean especially by that is you could see how the pack is used in the actual couch maybe you can find signing records maybe you can find an authenticated code I think this is where we need to go if we want to bypass back somehow so just to recap where we're coming from future iPhone hacks probably gonna not try to bypass KTR and I think they will not try to patch kernel code because we can achieve pretty much all the things we want to achieve for end-user jailbreak without having to patch the kernel so far and I think people will go in a struggle a bit at least a bit when exploiting with pact because that kind of will either make some bucks on exploitable or really really hard to exploit also maybe we're gonna avoid the kernel doll as bastard has demoed the userland only Gerak's are possible maybe gonna recalculate what the low-hanging fruits are maybe just go back to your boot or look for what other thing is interesting so that was about it thank you very much for your attention [Applause] [Music] [Applause]
[Music] [Applause]
if you would like to ask a question please line up on the microphones in the room we do not have a question form Internet where one question over there yes please okay hi I would like to be
interested what your comment is on the statement from Zurich that basically trade breaking is not a thing anymore because you're breaking so much security features that makes the phone basically more insecure than the former reasons of doing it right breaker II allow for well jailbreaking I don't think gyrating itself nowadays makes the phone really insecure so of course if you patch the kernel and disable all the security features that will be less secure but if you take a look what we have here with the unpassable kernel I think the main downside of being jailbroken is the fact that you cannot go to the latest software version because you want the box to be in there to have the jailbreak so I don't really think if you have like a KTR device the jailbreak itself makes it less secure just the fact that you're not on the latest firmware is the the insecure part of it all right thank you
microphone number two your question hi good talk could you go back to the
capabilities of the bursaries please yeah so you said you can do basically two things right this one yeah yeah it
can observe some pointers and some signatures pairs but why is this not an Oracle because you cannot choose your message yourself you message yourself and you have also an Oracle that says if the signature is valid for us chosen message well yeah but this is if you take a look at the game in this game for
a secure Mac the attacker can choose up to Q messages sending over like he can do whatever he wants with that messages and get signature while the package hacker can see a few very limited amount of
messages and their matching signature and he has little to no influence on these messages right okay so it's a bit
weaker but so yeah that's the point is just that it's weaker Thanks do we have
a question from the internet okay just please all right then I don't see anyone else being lined up and these people gives a lot of applause to team stuff force awesome Joe [Music] [Applause]
[Music] [Music]