Swiping Through Modern Security Features presented at HITBSecConf Amsterdam 2013

by Cyril ‘@pod2g’, Eric ‘@musclenerd’, David ‘@planetbeing’ Wang, Nikias ‘@pimskeks’ Bassen

Tags: Exploitation iOS Jailbreak

URL : http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf

Summary : The Apple product security team did an impressive job raising the resilience of the iOS 6 kernel to well-known attacks: kernel ASLR was added, the kernel's code pages were protected, and heap structures were reinforced to make heap overflows harder to exploit. In addition, numerous directory traversals and vulnerabilities in the iOS lockdown services were fixed silently on the road from 5.1.1 to 6.0, burning all the building blocks we had already prepared.
For the iOS 6 public jailbreak, we started from scratch, and found successively a total of 8 vulnerabilities in a few months.
In our presentation, we will paint the big picture of iOS 6 security and explain how the Mandatory Code Signing requirement is enforced, since that requirement is the target of every jailbreak tool. Afterwards, we will present the different ideas, vulnerabilities and exploits that led to the iOS 6 jailbreak. We will start by discussing the injection of the payload, which involves new and clever approaches to the problem, then explain how the userland code is triggered untethered, and finally discuss how the kernel was successfully exploited.
We hope that this will give a new vision of the modern security protections and how they can be bypassed.