HackPac: Hacking Pointer Authentication in iOS User Space

Presented at DEF CON 27 (2019), Aug. 9, 2019, 1 p.m. (45 minutes)

Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified whether it is consistent with the original pointer value. In this way, PAuth is able to ensure that the pointers are not tampered. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP. However, in our study, we found that a fatal flaw in the implementation of iOS PAuth makes user-space system services till vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process can be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. In advance, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries.

Presenters:

• Min Zheng / Spark   as Min (Spark) Zheng
  Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design and implementation. Before receiving Alibaba A-Star offer award in 2015, he worked in FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the "best security researcher" award in FIT 2016 for detecting the iOS/macOS vulnerabilities, XcodeGhost virus and WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He presented his research in DEF CON, HITB, BlackHat, RUXCON, etc. Twitter: @SparkZheng
• Xiaolong Bai
  Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree in Tsinghua University. He has published several research papers on top conferences including IEEE S&P, Usenix Security, CCS, NDSS, and presented his research in Black Hat, DEF CON, HITB, CanSecWest, etc. He has been acknowledged by famous vendors, including Apple, Google, Facebook, Evernote, and Tencent for his contribution in discovering the vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development. Twitter: @bxl1989 Website: https://xiaolongbai.weebly.com/ Github: https://github.com/bxl1989/

Links:

• https://defcon.org/html/defcon-27/dc-27-speakers.html#Bai
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - Xiaolong Bai - HackPac Hacking Pointer Authentication in iOS User Space.mp4
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - Xiaolong Bai - HackPac Hacking Pointer Authentication in iOS User Space.srt (subtitles)
• https://www.youtube.com/watch?v=DJFxhShJ6Ns

Similar Presentations:

• 31C3 (2014) / Code Pointer Integrity: ... or how we battle the daemons of memory safety
• Black Hat Asia 2021 Virtual / Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP
• DEF CON 27 (2019) / The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy