Apple left iOS 10 core unprotected

    Apple iOS security experts have shared some interesting information with the MIT Technology Review. According to them, Apple has taken a step unprecedented for the company: it left the iOS 10 kernel code unencrypted. Apple is known for its closed approach not only to the development of applications for iOS, but also to its own system components. Before the preview release of iOS 10, Apple encrypted and obfuscated the executable code and data of the kernel of this mobile OS, creating serious obstacles even for the narrow circle of security researchers who analyze iOS security.

    It is known that exploits for current versions of iOS command large sums of money. We recently wrote that an exploit that bypasses the anti-bruteforce mechanisms protecting the iOS unlock code was sold to the FBI by unknown hackers for more than a million dollars. Zerodium, which also specializes in purchasing vulnerability and exploit information, has offered a million dollars for an RCE + root LPE exploit chain for iOS. The closed nature of iOS, its protection mechanisms, and the very narrow circle of iOS security researchers are the main reasons for the high prices that researchers can be paid for exploits.

    Earlier, we also wrote that Apple removed from the App Store the legitimate System and Security Info application by the well-known iOS security researcher known as i0n1c. The application passed all the checks that the App Store applies to hosted applications, but it was removed because, according to Apple, it showed too much detail about the user's system. This step once again fueled speculation about the closed nature of iOS.

    Apple is often criticized for its lack of loyalty to the security researchers who search for vulnerabilities in iOS. Earlier in the blog, we noted that this approach backfired on Apple: intelligence agencies simply turned to hackers to unlock iOS and then refused to provide Apple with information about the vulnerabilities that were used. This situation is a consequence of the fact that the company has no bug bounty program and pays no monetary reward for vulnerabilities found in its products.

    The aforementioned TechCrunch publication suggests that Apple has made a concession and simplified the task for iOS security researchers, which could serve the company well and help vulnerabilities in the kernel code to be found more quickly. Such vulnerabilities are typically of the Local Privilege Escalation (LPE) type and are present in system components and the iOS kernel; they allow arbitrary code to run on the OS with high system privileges.

    The kernel cache doesn't contain any user info, and by unencrypting it we're able to optimize the operating system's performance without compromising security

    Comment from an Apple representative, who explains the removal of cryptographic protection from the kernel of the iOS 10 preview as a performance consideration.

    Apple publishes information about vulnerabilities fixed in the kernel in its security bulletins, as well as on the Apple Product Security mailing list. A vulnerability discovered in the iOS kernel is described in the following form. The entry lists the iOS devices for which the update is available, together with a description of the vulnerability itself.

    Kernel
    Available for: iPhone 4s and later,
    iPod touch (5th generation) and later, iPad 2 and later
    Impact: An application may be able to execute arbitrary code with
    kernel privileges
    Description: A use after free issue was addressed through improved
    memory management.
    CVE-ID

    Description of a typical LPE vulnerability in the iOS kernel.
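    The bulletin entry above has a fixed layout (component name, "Available for", "Impact", "Description", "CVE-ID"), with long values wrapped onto continuation lines. The parser below is an added example, not code from the article or from Apple; it turns such entries into structured records and flags the class the article describes, kernel entries whose impact is arbitrary code execution with kernel privileges, so a defender can prioritize them when an update lands. The sample text and the CVE numbers in it are constructed placeholders, not real identifiers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of an Apple security bulletin. The first
# entry mirrors the kernel entry quoted in the article; CVE numbers are
# placeholders (CVE-XXXX-...), not real identifiers.
SAMPLE = """\
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-ID
CVE-XXXX-0001: placeholder researcher

Safari
Available for: iPhone 4s and later
Impact: Visiting a maliciously crafted website may lead to user interface spoofing
Description: An issue existed in the handling of URLs. This issue was addressed through improved input validation.
CVE-ID
CVE-XXXX-0002: placeholder researcher
"""

@dataclass
class Entry:
    component: str
    fields: dict = field(default_factory=dict)  # key -> value, wrapped lines joined
    cves: list = field(default_factory=list)

FIELD_RE = re.compile(r"^(Available for|Impact|Description):\s*(.*)$")
# \w{4} for the year so the constructed XXXX placeholders also match.
CVE_RE = re.compile(r"\bCVE-\w{4}-\d{4,}\b")

def parse_entries(text):
    """Split bulletin text on blank lines; each block is one entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        entry = Entry(component=lines[0])
        key = None
        for ln in lines[1:]:
            m = FIELD_RE.match(ln)
            if m:
                key = m.group(1)
                entry.fields[key] = m.group(2)
            elif ln == "CVE-ID":
                key = "CVE-ID"
            elif key == "CVE-ID":
                entry.cves += CVE_RE.findall(ln)
            elif key:  # continuation of a wrapped field value
                entry.fields[key] += " " + ln
        entries.append(entry)
    return entries

def kernel_code_exec(entries):
    """Kernel entries whose impact is code execution with kernel privileges (the LPE class)."""
    return [e for e in entries
            if e.component == "Kernel" and "kernel privileges" in e.fields.get("Impact", "")]
```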

    The kernel of any OS plays a key role in its operation, and iOS is no exception. For example, current 64-bit versions of Windows are equipped with a special protection mechanism called PatchGuard, which checks the integrity of the Windows kernel and of pointers in critical kernel object structures. Modifying the kernel, and the system pointers to kernel objects, is the method rootkits use to take control while Windows is running. In implementing PatchGuard, the Windows kernel also uses obfuscation and encryption of its code and data.

    In addition to implementing basic OS primitives such as processes, memory management, and work with the processor, the iOS kernel is also responsible for key security tasks, including verifying the digital signatures of running applications and of the bootloader, which guarantees the integrity and legitimacy of the copy of iOS used on the device.
