Apple iOS security experts shared some interesting information with the MIT Technology Review. According to them, Apple took an unprecedented step for the company, leaving the kernel code of iOS 10 unencrypted. Apple is known for its closed approach not only to the development of applications for iOS, but also to its system components. Prior to the release of the preview version of iOS 10, Apple encrypted and obfuscated the executable code and kernel data of this mobile OS, creating serious problems even for the narrow circle of security researchers who analyze iOS security.

Exploits for current versions of iOS are known to cost large sums of money. We recently wrote that an exploit for successfully bypassing the anti-bruteforce protection of the iOS unlock code was sold to the FBI by unknown hackers for an amount in excess of a million dollars. The company Zerodium, which also specializes in purchasing information about vulnerabilities and exploits, offered a million dollars for an RCE + root LPE exploit for iOS. The closed nature of iOS, its protection mechanisms and the very narrow circle of iOS security researchers are the main reasons for the high amounts that researchers can be paid for exploits.
Earlier, we also wrote that Apple removed the legitimate System and Security Info application by the well-known iOS security researcher i0n1c from the App Store. The application passed all the checks that the App Store applies to hosted applications, but was removed because, according to Apple, it showed overly detailed information about the user's system. This step once again fueled speculation about the closed nature of iOS.
Apple is often blamed for a lack of loyalty to security researchers who look for vulnerabilities in iOS. Earlier in the blog, we pointed out that this tactic played a cruel joke on Apple, as the security services simply turned to hackers to unlock iOS and then refused to provide Apple with information about the vulnerabilities used. This situation arose because the company does not have a bug bounty program and does not pay a cash reward for vulnerabilities found in its products.
The above-mentioned TechCrunch publication suggests that Apple made a concession of sorts and simplified the task of iOS security researchers, which could serve the company well and help find vulnerabilities in the kernel code more quickly. As a rule, such vulnerabilities are of the Local Privilege Escalation (LPE) type and are present in the system components and the iOS kernel; they allow arbitrary code to run in the OS with high system privileges.
It is not possible to optimize the operating system.
Commentary from an Apple expert, who explains the removal of cryptographic protection from the kernel of the preview version of iOS 10 by performance concerns.
Apple publishes information about detected kernel vulnerabilities in its security bulletins, as well as on the Apple Product Security mailing list. Vulnerabilities found in the iOS kernel are described as follows: the entry lists the devices running iOS that are to be updated and describes the vulnerability itself.
Kernel
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description:
memory management.
CVE-ID
A description of a typical LPE vulnerability in the iOS kernel.
The kernel of any OS plays a key role in its functioning, and iOS is no exception. For example, the current 64-bit versions of Windows are equipped with a special protection mechanism called PatchGuard, which monitors the integrity of the Windows kernel, as well as pointers in critical structures of kernel objects. Rootkits modify the kernel and the system pointers of kernel objects to gain control while Windows is running. The Windows kernel also uses obfuscation and encryption of its code and data when implementing PatchGuard.
In addition to implementing basic OS primitives, such as processes and working with memory and the processor, the iOS kernel is also responsible for key security functions, including verification of the digital signature of applications being launched, as well as of the bootloader, which guarantees the security and legitimacy of the iOS copy used on the device.