Dilip Dwarakanath
The topic I'm about to present is taken from the paper "Apple iOS 4 Security Evaluation" by Dino A. Dai Zovi. Dai Zovi is a well-known hacker and the author of several papers on hacking. He is also a faculty member at NYU Polytechnic University, and he has been ranked 8th among the 15 Most Influential People in Cyber Security today.
In a buffer overflow attack, malicious input is written past the end of a buffer on the application's stack. This partially crashes the application, and when the overflowed function tries to recover by returning to its saved return address, that return address has already been overwritten to point at a malicious location, so the system is now fully compromised. PIE stands for Position Independent Executable: such executables can be loaded at almost any address in memory. There are two levels of ASLR (covered next):
◦ Partial – compiled without PIE support
◦ Complete – compiled with PIE support
Address Space Layout Randomization (ASLR) makes remote exploitation of memory corruption difficult. It was introduced in iOS 4 and is used to stop buffer overflow attacks. ASLR rearranges the positions of the address space regions at random, including the location of the executable itself, which makes it difficult for an attacker to pinpoint the exact memory address to write to.
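As an added illustration of the overflow and the compile-time mitigations described above (my own example, not code from Dai Zovi's paper), the snippet below shows a stack buffer filled without a bounds check beside a hardened version that refuses over-long input; the compiler flags in the comment are the GCC/Clang options for stack protection and PIE, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 16   /* 15 characters plus the NUL terminator */

/* Vulnerable form: strcpy() copies until it sees a NUL byte, so any
 * input longer than 15 characters runs past the end of `name` and
 * overwrites whatever sits above it on the stack, including the saved
 * return address that the function jumps to when it finishes.
 * Shown for comparison only; it is never called in this file. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no check against sizeof name */
    printf("Hello, %s\n", name);
}

/* Hardened form: the length is measured against the destination size
 * before anything is copied, the copy is bounded, the result is always
 * NUL-terminated, and over-long input is refused instead of silently
 * truncated. Returns true when the input was accepted. */
bool greet_safe(const char *input)
{
    char name[NAME_LEN];
    size_t len = 0;
    /* bounded length scan: stop at NUL or at the destination size */
    while (len < NAME_LEN && input[len] != '\0')
        len++;
    if (len >= NAME_LEN)            /* would not leave room for the NUL */
        return false;

    memcpy(name, input, len);
    name[len] = '\0';
    printf("Hello, %s\n", name);
    return true;
}

/* Build with the mitigations the text describes, e.g.
 *   cc -fstack-protector-strong -fPIE -pie -D_FORTIFY_SOURCE=2 -O2 demo.c
 * -fstack-protector-strong places a canary before the return address so
 * an overflow in greet_unsafe() aborts instead of returning elsewhere;
 * -fPIE -pie produces a position independent executable so ASLR can also
 * randomize the location of the program's own code. */
int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "Dino";  /* constructed input */
    return greet_safe(input) ? 0 : 1;
}
```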
To verify that all executables are authentic, iOS requires that every app be signed with a trust certificate; this is called code signing. Different trust certificates include "Apple Store", "Developer", "Enterprise" and "University". Some trust certificates come with certain entitlements; for example, an application signed with the Apple trust certificate already has access to certain groups and has certain preset file permissions. No app can be installed on the device without a trust certificate; this is called Mandatory Code Signing. Apple also charges developers fees for the different trust certificates, especially for Enterprise packages. The Developer edition is free, but it has no default entitlements.
To prevent new executable code from being introduced at runtime, iOS implements a protection called Code Signing Enforcement (CSE). It prevents applications from loading unsigned libraries, downloading new code at run time or using self-modifying code. CSE is stronger than Microsoft's Data Execution Prevention (DEP), because under DEP you could still potentially download new code and execute it using runtime executable commands.
iOS 4 requires that applications and their data be isolated from other apps and their data. The sandbox is designed to enforce this. Each installed app is assigned its own file system area and storage, and on top of this, process-level runtime security policies make sure an app is not writing to or reading from another application's folder. These policies enforce file and system access restrictions on the application.
The iOS 4.0 release brought many changes to the then newly introduced (2010) operating system. It fixed many serious vulnerabilities and introduced new and improved security measures. It laid the foundation for ASLR in operating systems, a mechanism widely used in many other mobile devices today. The code signing requirement may frustrate users, but it is much more secure than Android, which allows installation of apps from third-party websites even on un-rooted handsets. Although it brought these many improvements, it has not stopped hackers from being able to insert malware; in fact, Dai Zovi himself has written a book titled "Apple Hacker's Bible" aimed specifically at iOS.
Possey, B. How do buffer overflow attacks work? Retrieved April 14, 2015.
Zovi, D. (2011). Apple iOS 4 Security Evaluation. BlackHat Conference, USA.
Address space layout randomization. Retrieved April 15, 2015, from Wikipedia.org.