<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Suspekt... &#187; iPhone</title>
	<atom:link href="http://www.suspekt.org/category/iphone/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.suspekt.org</link>
	<description>A Blog About Code, Information Security, PHP And More</description>
	<pubDate>Sat, 25 Dec 2010 07:36:33 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
	<language>en</language>
			<item>
		<title>Improving the ASLR of Mac OS X Snow Leopard</title>
		<link>http://www.suspekt.org/2010/12/25/improving-the-aslr-of-mac-os-x-snow-leopard/</link>
		<comments>http://www.suspekt.org/2010/12/25/improving-the-aslr-of-mac-os-x-snow-leopard/#comments</comments>
		<pubDate>Sat, 25 Dec 2010 07:36:33 +0000</pubDate>
		<dc:creator>Stefan Esser</dc:creator>
		
		<category><![CDATA[Projects]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[iPhone]]></category>

		<category><![CDATA[aslr]]></category>

		<category><![CDATA[dyld]]></category>

		<category><![CDATA[mac os x]]></category>

		<category><![CDATA[rebasing]]></category>

		<guid isPermaLink="false">http://www.suspekt.org/?p=366</guid>
		<description><![CDATA[Last week I presented my research about &#8220;Adding ASLR to jailbroken iPhones&#8221; at the Power of Community 2010 (POC2010) security conference in Seoul. During my talk I explained how one can use a modified &#8216;rebase&#8217; utility to rebase the dynamic linker dyld on the iPhone. Rebasing dyld is important because it contains enough code gadgets [...]]]></description>
			<content:encoded><![CDATA[<p>Last week I presented my research about &#8220;<a href="http://antid0te.com/POC2010-Adding-ASLR-To-Jailbroken-iPhones.pdf">Adding ASLR to jailbroken iPhones</a>&#8221; at the <a href="http://www.powerofcommunity.net">Power of Community 2010 (POC2010)</a> security conference in Seoul. During my talk I explained how one can use a modified &#8216;rebase&#8217; utility to rebase the dynamic linker dyld on the iPhone. Rebasing dyld is important because it contains enough code gadgets that can be used to kickstart arbitrary shellcode on jailbroken iPhones. A tool called <a href="http://www.antid0te.com">Antid0te</a> will be released by the end of this year that allows normal users to add ASLR to their iPhones. The release of this tool was originally planned for 24th December 2010, but it had to be postponed because I got really ill and also my glasses broke.</p>
<p>Anyway, a few days ago I demonstrated how my &#8220;rebase dyld&#8221; research, which was originally done for the iPhone, applies directly to the dynamic linker used by Mac OS X Snow Leopard. I released a <a href="http://antid0te.com/antid0te-for-snow-leopard-rebasing-dyld.html">short article</a> describing how one can rebase their dyld binary with a patched &#8216;rebase&#8217; utility, which I also released. This can be used to rebase your own dyld binary to a different position. Rebasing dyld to an address other than the normal one improves the security of your Mac because all the public articles/techniques about state of the art Mac OS X exploitation assume/require the dyld binary to be loaded at a fixed address. All attacks based on this will fail once you have rebased your dynamic linker binary.</p>
<p>So enjoy this little Christmas present until I am fit enough to release <a href="http://antid0te.com/">antid0te</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.suspekt.org/2010/12/25/improving-the-aslr-of-mac-os-x-snow-leopard/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Speaking at POC 2010 - ASLR for jailbroken iPhones</title>
		<link>http://www.suspekt.org/2010/12/01/speaking-at-poc-2010-aslr-for-jailbroken-iphones/</link>
		<comments>http://www.suspekt.org/2010/12/01/speaking-at-poc-2010-aslr-for-jailbroken-iphones/#comments</comments>
		<pubDate>Wed, 01 Dec 2010 10:57:16 +0000</pubDate>
		<dc:creator>Stefan Esser</dc:creator>
		
		<category><![CDATA[Projects]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[iPhone]]></category>

		<category><![CDATA[korea]]></category>

		<category><![CDATA[aslr]]></category>

		<category><![CDATA[exploit]]></category>

		<category><![CDATA[exploit mitigation]]></category>

		<category><![CDATA[jailbreak]]></category>

		<category><![CDATA[poc]]></category>

		<guid isPermaLink="false">http://www.suspekt.org/?p=361</guid>
		<description><![CDATA[
December has arrived and it is time to announce my talk for the Power of Community security conference in Seoul. This year I will not only return there for the 3rd time as speaker, but this time I will talk about something not related to PHP or web security at all. My company SektionEins recently [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.powerofcommunity.net/"><img class="alignnone size-medium wp-image-76" title="poc_logo" src="http://www.suspekt.org/wp-content/uploads/2008/08/poc_logo.jpg" border="1" alt="" width="100" height="100" /></a><br />
December has arrived and it is time to announce my talk for the <a href="http://www.powerofcommunity.net">Power of Community</a> security conference in Seoul. This year I will not only return there for the 3rd time as speaker, but this time I will talk about something not related to PHP or web security at all. My company <a href="http://www.sektioneins.com">SektionEins</a> recently started to offer mobile security audits and I am now playing around with iPhone security all the time which resulted in the talk that I will present at POC this year.</p>
<blockquote><p><strong>Session: Adding Address Space Layout Randomization (ASLR) to jailbroken iPhones</strong><br />
This year has brought bad news for the security of the iPhone. First it was demonstrated during the PWN2OWN contest that ROP payloads can steal information like the SMS database from factory iPhones, and later this year jailbreakme.com combined multiple exploits for vulnerabilities in MobileSafari, the iOS kernel and the userland to jailbreak the device remotely. And for jailbroken devices the situation is even worse, because the jailbreak weakens the otherwise strong security features of the iPhone in a way that makes remote exploits far easier to accomplish.</p>
<p>However, it is time to remember that the whole purpose of a jailbreak is to free the device from Apple and to allow users to do whatever they want with their device. Current jailbreaks destroy the device's security only because jailbreakers did not bother to find a better solution. This changes now.</p>
<p>In this session the differences in exploiting jailbroken and factory iPhones will be highlighted, and it will be explained step by step how a new tool was developed that adds ASLR (address space layout randomization) to jailbroken iPhones. With ASLR, an exploit mitigation is added that is not available in factory iPhones and makes exploitation more difficult. And this is only the first step: more mitigations and a full reactivation of the codesigning protection are planned for the next months.</p></blockquote>
<p>See you in Seoul between 13th and 16th December.</p>
<p>See you in Seoul from December 13 to 16!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.suspekt.org/2010/12/01/speaking-at-poc-2010-aslr-for-jailbroken-iphones/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
