The 4th annual Hack In The Box Security Conference takes place in April. You can read the presentation abstract below...
Swiping Through Modern Security Features
The Apple product security team did an impressive job raising the resilience of the iOS 6 kernel to well-known attacks: Kernel ASLR was added, the kernel's code pages were protected, and heap structures were reinforced to make heap overflows harder to exploit. In addition, numerous directory traversals and other vulnerabilities in the iOS lockdown services were fixed silently on the road from 5.1.1 to 6.0, burning all the building blocks we had already prepared.
For the iOS 6 public jailbreak, we started from scratch and found, one after another, a total of 8 vulnerabilities in a few months.
In our presentation, we will paint a big picture of iOS 6 security and of how the Mandatory Code Signing requirement, the target of all jailbreak tools, is enforced. Afterwards, we will present the different ideas, vulnerabilities and exploits that led to the iOS 6 jailbreak. We will start by discussing the injection of the payload, which involves new and clever approaches to the problem, then explain how userland code is triggered untethered, and finally discuss how the kernel was successfully exploited.
We hope that this will give a new vision of the modern security protections and how they can be bypassed.
ABOUT DAVID WANG (PLANETBEING)
David Wang (@planetbeing) is a member of the iPhone Dev Team and former developer of many iOS jailbreak tools including redsn0w, xpwn, and QuickPwn. He is also the first to have ported the Linux kernel and Android to iOS devices. More recently, he worked actively on Corona and Rocky-Racoon, the latest public jailbreaks for iOS. Lastly, he has found and successfully exploited several vulnerabilities in iOS 6, leading to an untethered jailbreak.
ABOUT ERIC (@MUSCLENERD)
Eric (@MuscleNerd) is a Staff Engineer at a southern California high-tech firm where he specializes in reverse engineering BIOSes. He is a member of the iPhone Dev Team, which has been developing free iPhone jailbreaks and carrier unlocks since the first iPhone in 2007. He was previously involved in hacking the first two generations of TiVo hardware and was Technical Editor of both the “iOS Hacker’s Handbook” (2012) and “Hacking the TiVo, 2nd Edition” (2004). Originally from the Boston area, he holds S.B. and S.M. degrees from M.I.T.
ABOUT NIKIAS BASSEN (@PIMSKEKS)
Nikias Bassen (@pimskeks) is the main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of the communication and service protocols for iDevices. He found several flaws and directory traversals in iDevice services that allowed the installation of Corona, Rocky-Racoon and the latest iOS 6 jailbreak. Apart from reverse engineering and security research, he founded the company samaraIT and works as an independent developer for international clients.
ABOUT CYRIL (@POD2G)
Cyril (@pod2g) is an independent security researcher who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He is the initiator of Corona and Rocky-Racoon, the latest public jailbreaks for iOS. In December 2012, he created the 2G Lab company, focused on software development and security research projects.