revisiting ios kernel in security attacking the early
play

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG - PowerPoint PPT Presentation

Sep 20, 2022 •472 likes •1.24k views

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

  1. Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool

  2. About Me • Senior Security Researcher at Azimuth Security • Master’s degree in Information Security • Interested in operating system security and mitigation technology • Recent focus on mobile device security ▫ iOS 6 Kernel Security: A Hacker’s Guide • Occasionally blog on security topics ▫ http://blog.azimuthsecurity.com

  3. Introduction • Several new kernel mitigations introduced in iOS 6 and OS X Mountain Lion ▫ Stack and heap cookies ▫ Memory layout randomization ▫ Pointer obfuscation • Require random (non-predictable) data generated at boot time ▫ Introduced the early random PRNG

  4. Early Random PRNG • Boot time pseudorandom number generator ▫ Intended for use before the kernel entropy pool is available • Primarily designed to support kernel level mitigations ▫ Also used to seed the Yarrow PRNG • Platform dependent ▫ Implemented differently in OS X and iOS

  5. Robustness • Strength of deployed mitigations depend on the robustness of the early random PRNG ▫ Must provide sufficient entropy ▫ Must produce non-predictable output • iOS 6 implementation had some notable flaws ▫ E.g. suffered from time correlation issues • iOS 7 attempts to resolve these issues ▫ Leverages an entirely new generator

  6. Talk Outline • Part 1: Early Random PRNG ▫ iOS and OS X differences ▫ Seed generation (iOS) ▫ Improvements made in iOS 7 • Part 2: PRNG Analysis ▫ Weaknesses ▫ Attacks ▫ Remedies

  7. Recommended Reading • Black-Box Assessment of Pseudorandom Algorithms ▫ Derek Soeder et al., BH USA 2013 • PRNG: Pwning Random Number Generators ▫ George Argyros, Aggelos Kiayias, BH USA 2012 • iOS 6 Kernel Security: A Hacker’s Guide ▫ Mark Dowd, Tarjei Mandt, HitB KL 2012

  8. Revisiting iOS Kernel (In)Security

  9. Early Random PRNG • Two platform specific versions ▫ Mac OS X (Intel) ▫ iOS (ARM/ARM64) • Primarily relies on entropy from low-level components ▫ CPU clock information ▫ Hardware embedded RNG

  10. Early Random in OS X • Returns the output from RDRAND if available ▫ Intel Ivy Bridge and later • Otherwise derives a value from the time stamp counter and KASLR entropy ▫ Distributes the lower order bits (more random) ▫ Successive outputs are well-correlated • Provided in the XNU source ▫ osfmk/x86_64/machine_routines_asm.s

  11. Early Random in OS X CPUID ¡(EAX=1) ¡and ¡ early_random( ¡) check ¡processor ¡ feature ¡bit ¡30 ¡in ¡ECX RDRAND ¡ Execute ¡ Yes supported? RDRAND Returns ¡a ¡random ¡64-­‑ bit ¡value ¡in ¡RAX Return No Execute ¡ Distribute ¡low ¡ Incorporate ¡KASLR ¡ Rotate ¡high ¡ RDTSC order ¡bits entropy order ¡bits Returns ¡current ¡ Rotate ¡constant ¡ XORs ¡lower ¡bits ¡with ¡ Leverages ¡lower ¡8 ¡bits ¡ processor ¡tick ¡count ¡ retrieved ¡from ¡lower ¡ higher ¡bits of ¡KASLR ¡entropy in ¡EAX:EDX bits

  12. Early Random in iOS • No hardware embedded RNG ▫ Output derived from CPU clock counter • Two different implementations ▫ iOS 6: initial version ▫ iOS 7: improved version • Leverages a seed generated by iBoot ▫ Provided to the kernel via the I/O device tree ▫ IODeviceTree:/chosen/random-seed

  13. Seed Generation • iBoot implements its own random data generator ▫ Used to generate the early random seed • Also used to support other tasks ▫ Boot nonce generation ▫ KASLR slide offset calculation • Comprises two major components ▫ Entropy accumulator ▫ Output generator

  14. Entropy Accumulator • Gathers source entropy from CPU clock information ▫ Reads clock counter in physical memory ▫ E.g. 0x20E101020 on S5L8960X (Apple A7) • Generates a 32-bit value ▫ Reads lowest bit of clock value ▫ Loops ‘remaining number of bits’ times between each read ▫ Repeats until 32 bits read

  15. Entropy Accumulator Start Yes Read ¡ Left ¡shift ¡ OR ¡lowest ¡bit ¡ Spin ¡cycles CPU ¡clock ¡ More ¡bits? (previous) ¡result into ¡result counter No Requests ¡32 ¡bits ¡ in ¡total Loops ¡‘remaining ¡ Accessed ¡via ¡address ¡ Return number ¡of ¡bits’ ¡times in ¡physical ¡memory

  16. Output Generator • Computes a SHA-1 hash over a stream of gathered entropy ▫ 64-bit (e.g. iPhone 5S): 4000 bytes ▫ 32-bit (e.g. iPhone 4): 9600 bytes • Outputs the requested number of bytes from the hash itself ▫ 20 bytes per hash • Generates additional hashes if needed ▫ Gathers new entropy and repeats the process

  17. iBoot Random Data Generator iBoot_GetRandomBytes( ¡) Has ¡remaining ¡ Accumulate ¡ No hash ¡bytes? entropy Returns ¡a ¡32-­‑bit ¡value ¡ each ¡round Yes Copy ¡out ¡ Compute ¡SHA-­‑1 ¡ Yes hash ¡bytes hash More ¡bytes ¡ No Return needed?

  18. Early Random in iOS 6 • Similar to the OS X implementation • Output derived from the current Mach absolute time ▫ Platform dependent processor tick counter • Attempts to address weak entropy in higher order bits ▫ Mixes lower order (less predictable) with higher order bits • Leverages a 2-byte seed

  19. Early Random in iOS 6 – Overview Get ¡CPU ¡ early_random( ¡) tick ¡count Returns ¡a ¡64-­‑bit ¡ timestamp Seeded? Yes Return No Obtain ¡seed ¡ Distribute ¡low ¡ Incorporate ¡seed ¡ Rotate ¡high ¡ value order ¡bits entropy order ¡bits Rotate ¡constant ¡ Retrieves ¡2-­‑byte ¡value ¡ ¡ XORs ¡lower ¡bits ¡with ¡ Leverages ¡lower ¡8 ¡bits ¡ retrieved ¡from ¡lower ¡ from ¡IODeviceTree higher ¡bits of ¡seed ¡byte bits

  20. Early Random in iOS 6 – Issues • Successive outputs are well-correlated ▫ Poor entropy source ▫ Highly sensitive to time of generation • Poor use of seed data ▫ Only one (lower) byte is used ▫ Seed only affects higher 32 bits of output ▫ E.g. rarely used on 32-bit devices

  21. Early Random in iOS 6 – Issues /* * Initialize backup pointer random cookie for poisoned elements * Try not to call early_random() back to back, it may return * the same value if mach_absolute_time doesn't have sufficient time * to tick over between calls. <rdar://problem/11597395> * (This is only a problem on embedded devices) */ zp_init() [ osfmk/kern/zalloc.c ] #if MACH_ASSERT if (zp_poisoned_cookie == zp_nopoison_cookie) panic("early_random() is broken: %p and %p are not random\n", (void *) zp_poisoned_cookie, (void *) zp_nopoison_cookie); #endif

  22. Early Random in iOS 7 • Attempts to address the inherent weaknesses of early random in iOS 6 ▫ Avoids time-based correlation issues • Output derived from the initial seed ▫ Seed extended to 8 bytes in iOS 7.0.3 and later • Leverages a linear congruential generator ▫ Algorithm for generating a sequence of pseudorandom numbers

  23. Early Random in iOS 7 – Overview early_random( ¡) No Seeded? Return IODeviceTree:/ Collect ¡seed ¡ chosen/random-­‑seed entropy Yes Set ¡initial ¡ Process ¡LCG Construct ¡output LCG ¡state <= ¡iOS ¡7.0.2: ¡2 ¡bytes Records ¡output ¡from ¡ ¡ Concatenates ¡four ¡ >= ¡iOS ¡7.0.3: ¡8 ¡bytes four ¡LCG ¡rounds 16-­‑bit ¡LCG ¡outputs

  24. Linear Congruential Generator • In an LCG, the next pseudorandom number is generated from the current one such that ▫ x n+1 = ( ax n + c ) mod m • Where x is the sequence of pseudorandom values, and ▫ m = modulus and m > 0 ▫ a = the multiplier and 0 < a < m ▫ c = the increment and 0 <= c < m ▫ x 0 = the starting seed value and 0 <= x 0 < m

  25. Period • An LCG’s period is defined as the longest non- repeating sequence of output numbers ▫ Should ideally be as large as possible • When c ≠ 0, the maximum period m is only possible if ▫ 1. c and m are relatively prime ▫ 2. a – 1 is divisible by all prime factors of m ▫ 3. a – 1 is a multiple of 4 if m is a multiple of 4

  26. LCG Parameters • Early random in iOS 7 implements a mixed linear congruential generator ▫ Non-zero increment • LCG parameters are similar to ANSI C rand() ▫ Multiplier (a): 1103515245 ▫ Increment (c): 12345 ▫ Modulus (m): 2 64 • Seed used as initial state x 0

  27. Deriving Output • Derives output by leveraging information from four successive states ( x n … x n+3 ) • Each state produces 16 bits of the output ▫ Discards the lower 3 bits of each state ▫ Outputs the remaining lower 16 bits • Full output (64-bit) generated by concatenating the retrieved outputs ▫ ( x n-3 >> 3 ) & 0xffff || ( x n-2 >> 3 ) & 0xffff || ( x n-1 >> 3 ) & 0xffff || ( x n >> 3 ) & 0xffff

Recommend

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics &amp; MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab louis@pentesterlab.com About me Security Engineer Pentester/Code Reviewer/Security consultant/Security architect/IANAC Run a website to help people learn security

1.28k views • 79 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions

Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions

Presenting a live 90-minute webinar with interactive Q&amp;A Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions TUESDAY, MARCH 29, 2016 1pm Eastern | 12pm Central | 11am Mountain |

532 views • 51 slides
Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own

1.29k views • 54 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK &amp; &amp; ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Importance of checking every step of the process Simple ways to defend against this attack Data from an analysis of

368 views • 19 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone @uffeux Principal Consultant @ NCC Group Focus on hardware and embedded systems security Previously: 10 years product security @

1.41k views • 54 slides
Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF &amp; Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

238 views • 13 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

774 views • 48 slides
Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

SESSION ID: MLAI-W03 Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC Act I: On the Security and Privacy of Neural Networks #RSAC Let's play a game

1.07k views • 103 slides
Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf What I mean by Security More than access control

735 views • 27 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security &amp; Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Introduction to Security Attacking Networks Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow

Introduction to Security Attacking Networks Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow

Introduction to Security Attacking Networks Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Motivation You may be wondering how the PCAPs for the Packet Sleuth lab were obtained, especially the one from arguably the worlds most

607 views • 45 slides
Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and

Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and

A TTACK TTACK &amp; D EFENSE EFENSE labs Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and Defense Labs, www.andlabs.org Penetration Tester @ really big bank Author of Imposter &amp; Shell

872 views • 58 slides
ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security analyst and researcher. Over 20 years of diverse Information

1.11k views • 82 slides

More recommend