Speaking at POC 2010 – ASLR for jailbroken iPhones

December has arrived and it is time to announce my talk for the Power of Community security conference in Seoul. This year I will not only return there for the 3rd time as speaker, but this time I will talk about something not related to PHP or web security at all. My company SektionEins recently started to offer mobile security audits and I am now playing around with iPhone security all the time which resulted in the talk that I will present at POC this year.

Session: Adding Address Space Layout Randomization (ASLR) to jailbroken iPhones
This year has brought bad news for the security of the iPhone. First it was demonstrated during the PWN2OWN contest that ROP payloads can steal information like the SMS database from factory iPhones and later this year jailbreakme.com combined multiple exploits for vulnerabilities in MobileSafari, the iOS kernel and the userland to jailbreak the device from remote. And for jailbroken devices the situation is even worse because the jailbreak weakens the otherwise strong security features of the iPhone in a way that remote exploits are far easier to accomplish.

However it is time to remember that the whole purpose of a jailbreak is to free the device from Apple and to allow users to do whatever they want with their device. The fact that current jailbreaks destroy the security is just because jailbreakers did not bother to find a better solution. This changes now.

In this session the differences in exploiting jailbroken and factory iPhones will be highlighted and it will be explained step by step how a new tool was developed that adds ASLR (address space layout randomization) to jailbroken iPhones. With ASLR an exploit mitigation is added that is not available in factory iPhones and makes exploitation more difficult. And this is only the first step, more mitigations and a full reactivation of the codesigning protection are planed for the next months.

See you in Seoul between 13th and 16th December.