That at least is the conclusion that can be legitimately drawn from the
workshop on What about animated Charlie Miller and Dino Dai Zovi during the RSA
Conference that took place last week in San Francisco. In short, simple and efficient:
it takes at least four to five "exploits" software to successfully
install a rootkit on IOS persistent against only two or even one very well
made, for Android.
IOS not only has advanced considerably since its initial launch in 2007, but it now offers the luxury to integrate security features rare. Indication of the success of IOS and its importance in the IT ecosystem present, the workshop Charlie Miller and Dino Dai Zovi on the security of embedded operating system Apple has sold out. The queue to enter the dining room to seat about 350 people, about how "first come, first served" basis, without reservation, extended over several tens of meters in the aisles of the vast conference center of the city, the Moscone Center. Dino Dai Zovi could not help but raise it: last year, his workshop on iOS had attracted a dozen people, including two journalists ...
The purpose of the workshop this year? What you need to install a rootkit on a persistent device IOS, that is to say, a software with the highest privileges on the file system internal to the terminal and continues to operate even after restarting the device. Why is this interesting? Particularly because it corresponds more or less a jailbreak untethered said.
Co-authors of the Handbook of hacker iOS, due out in April in the U.S., have detailed in their studios, the safety devices available now iOS. The inventory is impressive, as well as evolution. Charlie Miller, the mobile operating system from Apple is clearly more secure: there are still a few years, he could take control of an iPhone ... "sleeping," he quips on the way back on his past exploits. But today, the story is quite different. What does it take to install on an iPhone for example, a persistent rootkit? The starting point is the injection of malicious data to exploit a vulnerability to corrupt memory and execute software code whose execution is theoretically prohibited by the protective mechanisms of IOS. It bypasses the control and code signing. However, the code executed is stuck in the "sandbox" and thus can only access limited resources. We must then leave the sandbox to successfully exploit a vulnerability to access privilege levels higher. This done, we must exploit a new vulnerability to access the kernel to exploit ... a vulnerability.
Charlie Miller explains, almost admiringly, "even when you run a process as root (the highest level of privileges, Ed), you do not have access to the core! It is almost unique in IOS. "It's only happened once to use a kernel vulnerability that it becomes possible to jailbreak temporary - it will still manage to sustain.
IOS not only has advanced considerably since its initial launch in 2007, but it now offers the luxury to integrate security features rare. Indication of the success of IOS and its importance in the IT ecosystem present, the workshop Charlie Miller and Dino Dai Zovi on the security of embedded operating system Apple has sold out. The queue to enter the dining room to seat about 350 people, about how "first come, first served" basis, without reservation, extended over several tens of meters in the aisles of the vast conference center of the city, the Moscone Center. Dino Dai Zovi could not help but raise it: last year, his workshop on iOS had attracted a dozen people, including two journalists ...
The purpose of the workshop this year? What you need to install a rootkit on a persistent device IOS, that is to say, a software with the highest privileges on the file system internal to the terminal and continues to operate even after restarting the device. Why is this interesting? Particularly because it corresponds more or less a jailbreak untethered said.
Co-authors of the Handbook of hacker iOS, due out in April in the U.S., have detailed in their studios, the safety devices available now iOS. The inventory is impressive, as well as evolution. Charlie Miller, the mobile operating system from Apple is clearly more secure: there are still a few years, he could take control of an iPhone ... "sleeping," he quips on the way back on his past exploits. But today, the story is quite different. What does it take to install on an iPhone for example, a persistent rootkit? The starting point is the injection of malicious data to exploit a vulnerability to corrupt memory and execute software code whose execution is theoretically prohibited by the protective mechanisms of IOS. It bypasses the control and code signing. However, the code executed is stuck in the "sandbox" and thus can only access limited resources. We must then leave the sandbox to successfully exploit a vulnerability to access privilege levels higher. This done, we must exploit a new vulnerability to access the kernel to exploit ... a vulnerability.
Charlie Miller explains, almost admiringly, "even when you run a process as root (the highest level of privileges, Ed), you do not have access to the core! It is almost unique in IOS. "It's only happened once to use a kernel vulnerability that it becomes possible to jailbreak temporary - it will still manage to sustain.
So, certainly, in terms of safety, it is possible to begin to steal data before
this point, and even when one is able to execute code, bypassing the control
code signing. But this is limited to what is accessible directly from the
sandbox, and this is "less and less things. "To perpetuate the
jailbreak, another exploit is needed, which should enable" to interfere in
the kernel at boot, "says Miller. In short, for him, he takes a minimum of
four to five feats for a successful jailbreak does not disappear on reboot -
"it's much easier on Android," he says. The security architecture of
IOS it is similar to a system of defense in depth. First, the operating system
has been stripped of many things, reducing the attack surface, "no Flash,
no Java ... even MobileSafari is not able to present certain types of files.”Some
PDF are not supported by IOS, or rather some of their functions:" there
are over 200 ways to crash the PDF rendering on OS X. IOS, only 7% of these
cases work. There is less code to attack, so less bugs. "And then IOS
ignores a lot of tools" useful "for hackers, as the shell.
Most processes "run with the mobile user and not root," the first to be content with restricted rights. Even stronger: "Some applications have specific permissions, defined in a profile Provisioning signed by Apple. It's not perfect, but that's how. "Simply put: some elements of IOS software check at the time of being requested by an application, that it has the right to request them. Thus, "although two processes work with the mobile user, both will not have the right to do the same things. "
In addition, IOS integrates control types of code signing: a first and a second launch ... at runtime - something "quite unique," notes Miller. The goal? Allow Apple to ensure that applications running are the ones that have been approved, and they have not been changed en route by a download, wanted by the publisher or malicious. The inventory continues: no executable memory, which means that "you can not inject code into memory and run.”Subtlety: MobileSafari has an exclusive privilege of being able to sign the code dynamically, need to compile JavaScript on the fly.
And we must also mention the randomization of the memory allocation, extensive as it relates to the executable code, libraries, battery, etc.. And then comes the sandboxing, the imprisonment of the most vulnerable code (or compromise) potentially - the applications - in sandboxes where they can access only little. Applications have access to roughly their file, which must contain their hides, their temporary files, preferences, etc. at final, Charlie Miller and Dino Dai Zovi, faced with these safeguards, the "developers jailbreak are very intelligent. "Comex? "Undoubtedly, it is from the future he is living proof of the existence of the machine to travel through time. "Their respect for the authors of jailbreak is such that they are questioning the reasons that led them to launch in 2010, version 2 of the jailbreakme.com website:" It was three to six months of work. They were well aware that it would be patched in two weeks. I did not think they would open the site. "
If, from the standpoint of safety of users of iPhone, Apple's efforts may seem positive, the two specialists are not less critical. For them, many IOS security gains are first "side effects of the desire for control of Apple. It's like when you live in a police state, there is less crime, but this is just a side effect. "
Most processes "run with the mobile user and not root," the first to be content with restricted rights. Even stronger: "Some applications have specific permissions, defined in a profile Provisioning signed by Apple. It's not perfect, but that's how. "Simply put: some elements of IOS software check at the time of being requested by an application, that it has the right to request them. Thus, "although two processes work with the mobile user, both will not have the right to do the same things. "
In addition, IOS integrates control types of code signing: a first and a second launch ... at runtime - something "quite unique," notes Miller. The goal? Allow Apple to ensure that applications running are the ones that have been approved, and they have not been changed en route by a download, wanted by the publisher or malicious. The inventory continues: no executable memory, which means that "you can not inject code into memory and run.”Subtlety: MobileSafari has an exclusive privilege of being able to sign the code dynamically, need to compile JavaScript on the fly.
And we must also mention the randomization of the memory allocation, extensive as it relates to the executable code, libraries, battery, etc.. And then comes the sandboxing, the imprisonment of the most vulnerable code (or compromise) potentially - the applications - in sandboxes where they can access only little. Applications have access to roughly their file, which must contain their hides, their temporary files, preferences, etc. at final, Charlie Miller and Dino Dai Zovi, faced with these safeguards, the "developers jailbreak are very intelligent. "Comex? "Undoubtedly, it is from the future he is living proof of the existence of the machine to travel through time. "Their respect for the authors of jailbreak is such that they are questioning the reasons that led them to launch in 2010, version 2 of the jailbreakme.com website:" It was three to six months of work. They were well aware that it would be patched in two weeks. I did not think they would open the site. "
If, from the standpoint of safety of users of iPhone, Apple's efforts may seem positive, the two specialists are not less critical. For them, many IOS security gains are first "side effects of the desire for control of Apple. It's like when you live in a police state, there is less crime, but this is just a side effect. "
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.