Title:
iOS hacker's handbook
Publication Information:
Indianapolis, IN : Wiley, c2012
Physical Description:
xx, 388 p. : ill. ; 24 cm.
ISBN:
9781118204122
Title Subject:
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010322230 | QA76.774.I67 I57 2012 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Discover all the security risks and exploits that can threaten iOS-based mobile devices
iOS is Apple's mobile operating system for the iPhone and iPad. With the introduction of iOS5, many security issues have come to light. This book explains and discusses them all. The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it.
Covers iOS security architecture, vulnerability hunting, exploit writing, and how iOS jailbreaks work Explores iOS enterprise and encryption, code signing and memory protection, sandboxing, iPhone fuzzing, exploitation, ROP payloads, and baseband attacks Also examines kernel debugging and exploitation Companion website includes source code and tools to facilitate your effortsiOS Hacker's Handbook arms you with the tools needed to identify, understand, and foil iOS attacks.
Author Notes
Charlie Miller is Principal Research Consultant at Accuvant Labs and a four-time CanSecWest Pwn20wn winner.
Dionysus Blazakis is an expert on iOS and OS X sandbox security mechanisms.
Dino Dai Zovi is coauthor of The Mac Hackers Handbook and a popular conference speaker.
Stefan Esser is a PHP security expert and leading researcher of iOS security topics.
Vincenzo Iozzo is an independent security researcher focused on Mac OS X and smartphones.
Ralf-Philipp Weinmann holds a PhD in cryptography and has an extensive security background.
Table of Contents
| Introduction | p. xv |
| Chapter 1 iOS Security Basics | p. 1 |
| iOS Hardware/Device Types | p. 2 |
| How Apple Protects the App Store | p. 2 |
| Understanding Security Threats | p. 3 |
| Understanding iOS Security Architecture | p. 5 |
| The Reduced Attack Surface | p. 5 |
| The Stripped-Down iOS | p. 6 |
| Privilege Separation | p. 6 |
| Code Signing | p. 7 |
| Data Execution Prevention | p. 7 |
| Address Space Layout Randomization | p. 8 |
| Sandboxing | p. 8 |
| A Brief History of iOS Attacks | p. 9 |
| Libtiff | p. 9 |
| Fun with SMS | p. 10 |
| The Ikee Worm | p. 10 |
| Storm8 | p. 11 |
| SpyPhone | p. 12 |
| Pwn2Own2010 | p. 13 |
| Jailbreakme.com 2 ("Star") | p. 13 |
| Jailbreakme.com 3 ("Saffron") | p. 14 |
| Summary | p. 14 |
| Chapter 2 iOS in the Enterprise | p. 15 |
| iOS Configuration Management | p. 16 |
| Mobile Configuration Profiles | p. 16 |
| iPhone Configuration Utility | p. 18 |
| Creating a Configuration Profile | p. 18 |
| Installing the Configuration Profile | p. 20 |
| Updating Profiles | p. 25 |
| Removing Profiles | p. 25 |
| Applications and Provisioning Profiles | p. 26 |
| Mobile Device Management | p. 26 |
| MDM Network Communication | p. 27 |
| Lion Server Profile Manager | p. 28 |
| Setting Up Profile Manager | p. 29 |
| Creating Settings | p. 35 |
| Enrolling Devices | p. 38 |
| Summary | p. 45 |
| Chapter 3 Encryption | p. 47 |
| Data Protection | p. 47 |
| Data Protection API | p. 48 |
| Attacking Data Protection | p. 51 |
| Attacking User Passcodes | p. 51 |
| iPhone Data Protection Tools | p. 55 |
| Installation Prerequisites | p. 55 |
| Building the Ramdisk | p. 58 |
| Booting Ramdisk | p. 61 |
| Brute-Force Attacking Four-Digit Passcodes | p. 62 |
| Dumping Keychain | p. 64 |
| Dumping Data Partition | p. 65 |
| Decrypting Data Partition | p. 66 |
| Summary | p. 68 |
| Chapter 4 Code Signing and Memory Protections | p. 69 |
| Understanding Mandatory Access Control | p. 70 |
| AMFI Hooks | p. 71 |
| AMFI and execv | p. 72 |
| How Provisioning Works | p. 74 |
| Understanding the Provisioning Profile | p. 74 |
| How the Provisioning File Is Validated | p. 77 |
| Understanding Application Signing | p. 78 |
| Inside Entitlements | p. 79 |
| How Code Signing Enforcement Works | p. 80 |
| Collecting and Verifying Signing Information | p. 80 |
| How Signatures Are Enforced on Processes | p. 84 |
| How the iOS Ensures No Changes Are Made to Signed Pages | p. 88 |
| Discovering Dynamic Code Signing | p. 89 |
| Why MobileSafari Is So Special | p. 89 |
| How the Kernel Handles JIT | p. 91 |
| Attacking Inside MobileSafari | p. 94 |
| Breaking Code Signing | p. 95 |
| Altering iOS Shellcode | p. 96 |
| Using Meterpreter on iOS | p. 101 |
| Gaining App Store Approval | p. 103 |
| Summary | p. 104 |
| Chapter 5 Sandboxing | p. 107 |
| Understanding the Sandbox | p. 108 |
| Sandboxing Your Apps | p. 109 |
| Understanding the Sandbox Implementation | p. 116 |
| Understanding User Space Library Implementation | p. 117 |
| Into the Kernel | p. 121 |
| Implementing TrustedBSD | p. 121 |
| Handling Configuration from User Space | p. 123 |
| Policy Enforcement | p. 125 |
| How Profile Bytecode Works | p. 126 |
| How Sandboxing Impacts App Store versus Platform Applications | p. 133 |
| Summary | p. 137 |
| Chapter 6 Fuzzing iOS Applications | p. 139 |
| How Fuzzing Works | p. 139 |
| The Recipe for Fuzzing | p. 141 |
| Mutation-Based ("Dumb") Fuzzing | p. 141 |
| Generation-Based ("Smart") Fuzzing | p. 142 |
| Submitting and Monitoring the Test Cases | p. 143 |
| Fuzzing Safari | p. 144 |
| Choosing an Interface | p. 144 |
| Generating Test Cases | p. 144 |
| Testing and Monitoring the Application | p. 145 |
| Adventures in PDF Fuzzing | p. 148 |
| Quick Look Fuzzing | p. 153 |
| Fuzzing with the Simulator | p. 155 |
| Fuzzing MobileSafari | p. 158 |
| Selecting the Interface to Fuzz | p. 158 |
| Generating the Test Case | p. 158 |
| Fuzzing and Monitoring MobileSafari | p. 158 |
| PPT Fuzzing Fun | p. 160 |
| SMS Fuzzing | p. 162 |
| SMS Basics | p. 163 |
| Focusing on the Protocol Data Unit Mode | p. 165 |
| Using PDUspy | p. 167 |
| Using User Data Header Information | p. 167 |
| Working with Concatenated Messages | p. 168 |
| Using Other Types of UDH Data | p. 169 |
| Generation-Based Fuzzing with Sulley | p. 170 |
| SMS iOS Injection | p. 175 |
| Monitoring SMS | p. 177 |
| SMS Bugs | p. 182 |
| Summary | p. 184 |
| Chapter 7 Exploitation | p. 185 |
| Exploiting Bug Classes | p. 186 |
| Object Lifetime Vulnerabilities | p. 186 |
| Understanding the iOS System Allocator | p. 188 |
| Regions | p. 188 |
| Allocation | p. 189 |
| Deallocation | p. 189 |
| Taming the iOS Allocator | p. 190 |
| Tools of the Trade | p. 190 |
| Learning Alloc/Dealloc Basics | p. 191 |
| Exploiting Arithmetic Vulnerabuities | p. 195 |
| Exploiting Object Lifetime Issues | p. 198 |
| Understanding TCMalloc | p. 200 |
| Large Object Allocation and Deallocation | p. 201 |
| Small Object Allocation | p. 201 |
| Small Object Deallocation | p. 202 |
| Taming TCMalloc | p. 202 |
| Obtaining a Predictable Heap Layout | p. 202 |
| Tools for Debugging Heap Manipulation Code | p. 204 |
| Exploiting Arithmetic Vulnerabilities with TCMalloc - Heap Feng Shui | p. 206 |
| Exploiting Object Lifetime Issues with TCMalloc | p. 211 |
| ASLR Challenges | p. 211 |
| Case Study: Pwn20wn 2010 | p. 213 |
| Testing Infrastructure | p. 217 |
| Summary | p. 218 |
| Chapter 8 Return-Oriented Programming | p. 219 |
| ARM Basics | p. 220 |
| iOS Calling Convention | p. 220 |
| System Calls Calling Convention | p. 221 |
| ROP Introduction | p. 222 |
| ROP and Heap Bugs | p. 224 |
| Manually Constructing a ROP Payload | p. 225 |
| Automating ROP Payload Construction | p. 230 |
| What Can You Do with ROP on iOS? | p. 232 |
| Testing ROP Payloads | p. 232 |
| Examples of ROP Shellcode on iOS | p. 235 |
| Exfiltrate File Content Payload | p. 235 |
| Using ROP to Chain Two Exploits (JailBreakMe v3) | p. 242 |
| Summary | p. 247 |
| Chapter 9 Kernel Debugging and Exploitation | p. 249 |
| Kernel Structure | p. 249 |
| Kernel Debugging | p. 250 |
| Kernel Extensions and IOKit Drivers | p. 256 |
| Reversing the IOKit Driver Object Tree | p. 257 |
| Finding Vulnerabilities in Kernel Extensions | p. 261 |
| Finding Vulnerabilities in IOKit Drivers | p. 264 |
| Attacking through Device Properties | p. 265 |
| Attacking through External Traps and Methods | p. 266 |
| Kernel Exploitation | p. 269 |
| Arbitrary Memory Overwrite | p. 269 |
| Patching a Vulnerability into the Kernel | p. 270 |
| Choosing a Target to Overwrite | p. 271 |
| Locating the System Call Table | p. 272 |
| Constructing the Exploit | p. 273 |
| Uninitialized Kernel Variables | p. 274 |
| Kernel Stack Buffer Overflows | p. 279 |
| Kernel Heap Buffer Overflows | p. 285 |
| Kernel Heap Zone Allocator | p. 286 |
| Kernel Heap Feng Shui | p. 291 |
| Detecting the State of the Kernel Heap | p. 293 |
| Exploiting the Kernel Heap Buffer Overflow | p. 294 |
| Summary | p. 296 |
| Chapter 10 Jailbreaking | p. 297 |
| Why Jailbreak? | p. 298 |
| Jailbreak Types | p. 298 |
| Jailbreak Persistence | p. 299 |
| Tethered Jailbreaks | p. 299 |
| Untethered Jailbreaks | p. 299 |
| Exploit Type | p. 300 |
| Bootrom Level | p. 300 |
| iBoot Level | p. 300 |
| Userland Level | p. 301 |
| Understanding the Jailbreaking Process | p. 301 |
| Exploiting the Bootrom | p. 302 |
| Booting the Ramdisk | p. 303 |
| Jailbreaking the Filesystem | p. 303 |
| Installing the Untethering Exploit | p. 304 |
| Installing the AFC2 Service | p. 305 |
| mstalling Base Utilities | p. 306 |
| Application Stashing | p. 307 |
| Bundle Installation | p. 307 |
| Post-Installation Process | p. 309 |
| Executing Kernel Payloads and Patches | p. 309 |
| Kernel State Reparation | p. 309 |
| Privilege Escalation | p. 310 |
| Kernel Patching | p. 312 |
| security.mac.proc_enforce | p. 312 |
| cs_enforcement_disable (kernel) | p. 313 |
| cs_enforcement_disable (AMFI) | p. 314 |
| PE_i_can_has_debugger | p. 315 |
| vm_map_enter | p. 316 |
| vm_map_protect | p. 318 |
| AMFI Binary Trust Cache | p. 319 |
| Task_for_pid 0 | p. 320 |
| Sandbox Patches | p. 322 |
| Clearing the Caches | p. 324 |
| Clean Return | p. 324 |
| Summary | p. 325 |
| Chapter 11 Baseband Attacks | p. 327 |
| GSM Basics | p. 329 |
| Setting up OpenBTS | p. 331 |
| Hardware Required | p. 331 |
| OpenBTS Installation and Configuration | p. 332 |
| Closed Configuration and Asterisk Dialing Rules | p. 335 |
| RTOSes Underneath the Stacks | p. 335 |
| Nucleus PLUS | p. 336 |
| ThreadX | p. 337 |
| REX/OKL4/Iguana | p. 337 |
| Heap Implementations | p. 338 |
| Dynamic Memory in Nucleus PLUS | p. 338 |
| Byte Pools in ThreadX | p. 340 |
| The Qualcomm Modem Heap | p. 341 |
| Vulnerability Analysis | p. 342 |
| Obtaining and Extracting Baseband Firmware | p. 343 |
| Loading Firmware Images into IDA Pro | p. 344 |
| Application/Baseband Processor Interface | p. 345 |
| Stack Traces and Baseband Core Dumps | p. 345 |
| Attack Surface | p. 346 |
| Static Analysis on Binary Code Like it's 1999 | p. 347 |
| Specification-Guided Fuzz Testing | p. 348 |
| Exploiting the Baseband | p. 348 |
| A Local Stack Buffer Overflow: AT+XAPP | p. 348 |
| The ultrasn0w Unlock | p. 350 |
| An Overflow Exploitable Over the Air | p. 356 |
| Summary | p. 362 |
| Appendix References | p. 365 |
| Index | p. 369 |
