TruEMU: An Extensible, Open-Source, Whole-System iOS Emulator

Presented at Black Hat USA 2022, Aug. 11, 2022, 1:30 p.m. (40 minutes)

iOS is one of the most valuable targets for security researchers. Unfortunately, studying the internals of this operating system is notoriously hard, due to the closed nature of the iOS ecosystem and the absence of easily-accessible analysis tools.

To address this issue, we developed TruEMU, which we present in this talk. TruEMU is the first open-source, extensible, whole-system iOS emulator. Compared to the few available alternatives, TruEMU enables complete iOS kernel emulation, including emulation of the SecureROM and the USB kernel stack. More importantly, TruEMU is completely free and open-source, and it is based on the well-known and highly extensible emulator QEMU.

This talk will start by presenting the challenges and the solutions we devised to reverse engineer current iOS boot code and kernel code, and explain how to provide adequate support in QEMU. Then, to showcase TruEMU's usefulness and capabilities, we will demonstrate how it can completely boot modern iOS images, including iOS 14 and the latest iOS 15, and how it can properly run different user-space components, such as launchd, restored, etc.

Later, we will showcase two promising ways to use TruEMU as an iOS vulnerability research platform. Specifically, we will demonstrate how to use TruEMU to enable coverage-based fuzzing of the iOS kernel USB stack. Further, we will show how TruEMU provides a platform to implement coverage-based, syscall-level fuzzing. This platform enables security researchers to automatically explore multiple attack surfaces of iOS.

In sum, building a complete emulator for iOS is a daunting task. Many features (e.g., many peripherals) still need to be implemented to allow complete emulation of a modern iOS device. We hope this talk will also bootstrap broad community involvement in this project that will progressively shed more light on the obscure corners of iOS security.


Presenters:

  • Kyungtae Kim - Graduate Student, Purdue University
    Kyungtae Kim is a PhD student in the Department of Computer Science at Purdue University. His research interests are in the area of software security and program analysis. Recently, he has been writing advanced fuzzers that enhance vulnerability discovery in various system software.
  • Dave (Jing) Tian - Assistant Professor, Purdue University
    Dave (Jing) Tian is an Assistant Professor in the Department of Computer Science at Purdue University working on system security, and a faculty member at the PurSec Lab. His research involves embedded systems security, operating systems security, trusted & confidential computing, and hardware security and trust. You can learn more about him at https://davejingtian.org/about/.
  • Antonio Bianchi - Assistant Professor, Purdue University
    Antonio Bianchi is an Assistant Professor at Purdue University. His research interest covers the fields of software and system security. Specifically, his current research areas are: emerging security threats in mobile platforms, automatic vulnerability detection, program analysis, binary analysis, reverse engineering, binary hardening, binary patching, and security of embedded and IoT devices. His research focuses on designing and developing novel automated approaches and tools to identify vulnerabilities in existing software, fix them, and prevent them.
  • Trung Nguyen - Undergraduate Student, Purdue University
    Trung Nguyen Hoang is an undergraduate student in computer science at Purdue University. In the past, he participated in kernel and browser exploitation CTF challenges. For two years, he was a mentor at a high school cybersecurity camp. His current focus is on iOS emulation for security research. Trung can be found on Twitter as @ntrung03.