Fasten your seatbelts: We are escaping iOS 11 sandbox!

Presented at DEF CON 26 (2018), Aug. 10, 2018, 1:30 p.m. (20 minutes)

Apple's sandbox was introduced as "SeatBelt" in macOS 10.5 which provided the first full-fledged implementation of the MACF policy. After a successful trial on macOS, Apple applied sandbox mechanism to iOS 6. In its implementation, the policy hooked dozens of operations. The number of hooks has been growing steadily when new system calls or newly discovered threats appeared. In the beginning, Apple's sandbox used a black list approach which means Apple originally concentrated on the known dangerous APIs and blocked them, allowing all others by default. However, with the evolution of Apple's sandbox, it applies a white list approach that denies all APIs and only allows secure ones that Apple trusts.

In this talk, we will first introduce Apple's sandbox mechanism and profiles in the latest iOS. Then, we discuss iOS IPC mechanism and review several old classic sandbox escape bugs. Most importantly, we show two new zero-day sandbox escape vulnerabilities we recently discovered in the latest iOS 11.4. Besides, we share our experience of exploiting vulnerabilities in system services through OOL msg heap spray and ROP (Return-oriented programming). In addition, we discuss a task port exploit technique which can be used to control the whole remote process through Mach messages. By using these techniques, security researchers could find and exploit sandbox escape bugs to control iOS user mode system services and further attack the kernel.

Presenters:

• Xiaolong Bai - Security Engineer, Alibaba Inc.
  Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree in Tsinghua University. He has published several research papers on top conferences including IEEE S&P, Usenix Security, CCS, NDSS, and presented his research in Black Hat USA and Hack In The Box. He has been acknowledged by famous vendors, including Apple, Google, Facebook, Evernote, and Tencent for his contribution in discovering the vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development. @bxl1989
• Min Zheng / Spark - Security Expert, Alibaba Inc.   as Min (Spark) Zheng
  Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design and implementation. Before receiving Alibaba A-Star offer award in 2015, he worked in FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the"best security researcher" award in FIT 2016 for detecting the iOS/macOS vulnerabilities, XcodeGhost virus and WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He presented his research in DEF CON, HITB, BlackHat, RUXCON, etc. @SparkZheng

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Zheng1
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Zheng and Bai - Fasten your seatbelts We are escaping iOS 11 sandbox.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Zheng and Bai - Fasten your seatbelts We are escaping iOS 11 sandbox.srt (subtitles)
• https://www.youtube.com/watch?v=XD2CHFuaKI8

Similar Presentations:

• REcon 2018 / Exploiting User-land vulnerabilities to Get Rogue App Installed Remotely on iOS 11
• Shakacon X (2018) / The road to iOS sandbox escape
• DEF CON 24 (2016) / Escaping The Sandbox By Not Breaking It