Fried Apples: Jailbreak DIY

Presented at Black Hat Asia 2017, March 30, 2017, 10:15 a.m. (60 minutes).

In this talk we focus on challenges that Fried Apple team solved in a process of making untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection.<br> <br> We will cover a sequence of vulnerabilities and exploitation details that were used for initial arbitrary code execution, sandbox bypassing, kernel address leaking, arbitrary code execution in the kernel and finally persistent code signing bypass.<br> <br>The current talk also covers various tools and techniques used in a process of making a jailbreak. This includes finding ROP gadgets, kernel patch lookup tools (patchfinders), kernel analyzers etc.<br> <br> Another topic is how to build a jailbreak chain. In other words, how to put everything together to get final, simple to use jailbreak utility.<br> <br> Finally, we show new exploit mitigations and security enhancements that Apple added in iOS 10, like KPP, including hardware based patch protection in iPhone 7 and 7+, sandbox enhancements and a new heap management techniques.

Presenters:

  • Alex Hude - Software engineer, BlackMagic Design
    Alexander Hude is a software and hardware reverse engineer with 13 years of experience in mobile technologies and consumer electronics. Started with WindowsMobile/PocketPC applications in 2003, these days he is focused on macOS/iOS security, vulnerabilities, proprietary protocols and embedded firmware research. Alexander holds an Engineering degree in Computer Science and currently works at Blackmagic Design.
  • Max Bazaliy - Staff Security Researcher, Lookout
    Max Bazaliy is a Staff Security Engineer at Lookout who has more than ten years experience in areas as mobile security, security protocols design and analysis, mobile security research, tools and techniques development for vulnerability assessment and post-exploitation, reverse engineering mobile\desktop platforms and penetration testing. Prior to joining Lookout Max was working on code obfuscation and software protection solutions, as well as penetration testing of commercial software protection products. In the past few years, Max was a speaker on various security and engineering conferences, including DEF CON, UIKonf, Mobile Optimized, Mobile Central Europe, Mobius and UAMobile. Max holds a Masters degree in Computer Science and currently is PhD student at the National Technical University of Ukraine "Kyiv Polytechnic Institute" where he's working on dissertation in code obfuscation and privacy area.
  • Vlad Putin - Security Researcher,
    Vlad Putin is a security researcher who interested in areas of exploit research and development, code virtualization, code deobfuscation. Vlad is a member of Fried Apple team, where he was working on Yalu 8.4.1 jailbreak. In addition he was involved in Pegasus investigation and reported CVE-2016-4680.

Links:

Similar Presentations: