Note: Incomplete; more will be added later.
The iOS sandbox kernel extension implements one of the fundamental security technologies deployed on Apple’s devices (iPhones, iPads, etc.) for limiting local privilege escalation and post-exploitation. The sandbox utilizes Apple-specified policies to restrict what operations both system-provided services and user-installed applications can perform. The sandbox kernel extension is closed-source both on iOS and macOS; furthermore the iOS sandbox policies are not available in plain text, but compiled and packed in the binary of the extension itself. In this talk I will initially present how the iOS sandbox kernel extension specifies and enforces policies, along with implementation details that will be useful for the next step. I will then explain in detail the process of reverse engineering the extension in order to unpack and decompile all the sandbox policies embedded in it. All the presented details apply to and have been tested on the latest iOS version (12.1.3 beta 2 at the time of this writing).
iOS Kernel Exploitation Archaeology
The evasi0n7 jailbreak was released by the evad3rs on 22nd December 2013 targeting devices running iOS 7.0 to 7.1b3. This talk documents the reverse engineering process of evasi0n7’s main kernel exploit, which was performed in order to not only understand the underlying vulnerability, but more importantly to document the exploitation techniques the evad3rs have utilized. The talk will initially focus on the kernel debugging setup (a very important but often ignored step in device/embedded exploitation talks), the encountered problems and how they were overcome. I will then explain the underlying vulnerability, and the reverse engineering of the implemented exploitation techniques. Finally, I will present a detailed step-by-step re-implementation of the kernel exploit.
- 34th Chaos Communication Congress (34C3), Leipzig, Germany, December 2017. [slides] [video]
- WarCon, Warsaw, Poland, June 2017.
The Shadow over Android: Heap Exploitation Assistance
for Android’s libc Allocator
— with Vasilis Tsaousoglou
The jemalloc allocator has been adopted as the default libc malloc(3) implementation on Android since version 5.0, and is being used up to the latest one (7.0 - Nougat). We have previously analyzed in depth memory corruption attacks against jemalloc as a standalone allocator and in the context of the Firefox browser. In this talk we will focus on presenting attacks against jemalloc as the main userland allocator of Android devices (smartphones and tablets). We have extended our jemalloc heap exploration and exploitation tool called ‘shadow’ to support Android (both ARM32 and ARM64), and we will be demonstrating its use on understanding the impact of heap corruption vulnerabilities and developing exploits for them. The new version of shadow (supporting Android ARM32/ARM64 and Firefox x86/x86-64) will be released as open source software along with the talk.
Keynote: Reflections on vulnerability research;
is the only winning move not to play?
- Hackers to Hackers Conference (H2HC), Sao Paulo, Brazil, October 2016.
OR’LYEH? The Shadow over Firefox
In this talk we will expand upon previous work we have published on jemalloc heap exploitation approaches and primitives for Firefox, taking into account its new GC heap implementation. The presentation will demonstrate a major upgrade of our ‘unmask_jemalloc’ Firefox heap exploration utility with new features, and support for Windows (and the WinDbg debugger). The new version of unmask_jemalloc, named ‘shadow’, will of course be released as open source along with the talk.
- Phrack, OR’LYEH? The Shadow over Firefox, Volume 0x0f, Issue 0x45.
- INFILTRATE Security Conference, Miami, USA, April 2015. [slides] [code]
- SummerCon, New York, USA, July 2015.
Heap related bugs (such as buffer overflows, use-after-frees, dangling/stale pointers, double frees) leading to corruptions of virtual memory and vulnerable conditions, constitute the most common type of memory corruption bugs. The exploitation of heap vulnerabilities is a process that requires a lot of time and effort. It requires meticulous understanding of the underlying heap allocator; its data structures (metadata) and its allocation/deallocation algorithms. It requires understanding of how the target application uses the API provided by the heap allocator to manage dynamic memory and the allocation patterns that emerge due to this use. It also requires understanding of the application-specific data and how/where these are placed on the heap. Finally, it requires studying of the way the user can influence the application and use its provided functionality to control its heap as reliably as possible with the goal to create conditions aiding exploitation. All these must be viewed in the context of complicated bugs, since low-hanging fruits are scarce, and the vendors’ adoption of increasingly sophisticated exploitation mitigation technologies. We argue that although the details between the different heap allocators, target applications and bugs at hand obviously vary, the heap exploitation methodologies that have been formed by practical experience can be abstracted to reusable primitives that can be applied to new targets. Project Heapbleed is our attempt to define, clearly articulate, categorize and where applicable implement these primitives, aiming to provide a practical reusable heap exploitation toolset.
- ZeroNights, Moscow, Russia, November 2014. [slides] [video]
- BalCCon, Novi Sad, Serbia, September 2014. [video]
Exploiting the jemalloc Memory Allocator: Owning Firefox’s Heap
— with Chariton Karamitas
jemalloc is a userland memory allocator that is being increasingly adopted by software projects as a high performance heap manager. It is used in Mozilla Firefox for the Windows, Mac OS X and Linux platforms, and as the default system allocator on the FreeBSD and NetBSD operating systems. Facebook also uses jemalloc in various components to handle the load of its web services. However, despite such widespread use, there is no work on the exploitation of jemalloc.
Our research addresses this. We will begin by examining the architecture of the jemalloc heap manager and its internal concepts, while focusing on identifying possible attack vectors. jemalloc does not utilize concepts such as unlinking or frontlinking that have been used extensively in the past to undermine the security of other allocators. Therefore, we will develop novel exploitation approaches and primitives that can be used to attack jemalloc heap corruption vulnerabilities. As a case study, we will investigate Mozilla Firefox and demonstrate the impact of our developed exploitation primitives on the browser’s heap. In order to aid the researchers willing to continue our work, we will also release our jemalloc debugging tool belt.
- Phrack, Pseudomonarchia jemallocum, Volume 0x0e, Issue 0x44.
- Phrack, The Art of Exploitation: Exploiting VLC, Volume 0x0e, Issue 0x44.
- Black Hat USA, Las Vegas, USA, July 2012. [slides] [code]
- AthCon, Athens, Greece, June 2013. [slides]
Heap Exploitation Abstraction by Example
— with Chariton Karamitas
In the first part of the talk we focused on presenting examples of exploiting heap managers. Specifically, we talked about attacking the FreeBSD kernel allocator (UMA), the Linux kernel allocator (SLUB), and the jemalloc userland allocator. In the second part, we identified the common elements of these three allocators and categorized them into the following:
- End-user allocations
- Allocation containers
- Container groupings
- Execution-specific (thread, CPU core) metadata
We then proceeded to make an argument that the value of abstracting heap exploitation is in having a library of attack techniques, or primitives, that can be reused on other allocators. We took the concept of weird machines, as defined by Sergey Bratus and Halvar Flak, and applied it to heap managers. We consider an allocator to be a deterministic automaton; metadata corruption attacks can then be viewed as corruptions of the automaton’s transition function. Application-specific attacks, like adjacent memory region corruptions, can be viewed as manipulations of the automaton’s determinacy.
- OWASP AppSec Research, Athens, Greece, July 2012. [slides]
- FOSSCOMM, Patras, Greece, May 2011. [slides]
Protecting the Core: Kernel Exploitation Mitigations
— with Dimitrios Glynos
The exploitation of operating system kernel vulnerabilities has received a great deal of attention lately. In userland most generic exploitation approaches have been defeated by countermeasure technologies. Contrary to userland protections, exploitation mitigation mechanisms for kernel memory corruptions have not been widely adopted. Recently this has started to change. Most operating system kernels have started to include countermeasures against NULL page mappings, stack and heap corruptions, as well as for other vulnerability classes. At the same time, researchers have concentrated on developing ways to bypass certain kernel protections on various operating systems. This presentation will describe in detail the state-of-the-art in kernel exploitation mitigations adopted (or not) by various operating systems (Windows, Linux, Mac OS X, FreeBSD) and mobile platforms (iOS, Android). Moreover, it will also provide approaches, notes, hints and references to existing work for bypassing some of these kernel protections.
Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation
FreeBSD is widely accepted as one of the most reliable and performance-driven operating systems currently available in both the open source and proprietary worlds. While the exploitation of kernel vulnerabilities has been researched in the context of the Windows and Linux operating systems, FreeBSD, and BSD systems in general, have not received the same attention. This presentation will initially examine the exploitation of kernel stack overflow vulnerabilities on FreeBSD. The development process of a privilege escalation kernel stack smashing exploit will be documented for vulnerability CVE-2008-3531. The second part of the presentation will present a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel’s memory allocator. We will examine how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will develop an exploitation methodology for privilege escalation and kernel continuation.
- Phrack, Exploiting UMA, FreeBSD’s kernel memory allocator, Volume 0x0d, Issue 0x42.
- Black Hat Europe, Barcelona, Spain, April 2010. [slides] [paper] [code]
- PH-Neutral, Berlin, Germany, May 2011. [slides]
- University of Piraeus, Athens, Greece, May 2008. [slides (in greek)]
For my older academic publications see my Google Scholar page.