Publications

Discover all the security risks and exploits that can threaten iOS-based mobile devices.

iOS is Apple's mobile operating system for the iPhone and iPad. With the introduction of iOS5, many security issues have come to light. This book explains and discusses them all. The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it.

• Covers iOS security architecture, vulnerability hunting, exploit writing, and how iOS jailbreaks work
• Explores iOS enterprise and encryption, code signing and memory protection, sandboxing, iPhone fuzzing, exploitation, ROP payloads, and baseband attacks
• Also examines kernel debugging and exploitation
• Companion website includes source code and tools to facilitate your efforts

As more and more vulnerabilities are found in the Mac OS X (Leopard) operating system, security researchers are realizing the importance of developing proof-of-concept exploits for those vulnerabilities. This unique tome is the first book to uncover the flaws in the Mac OS X operating system and how to deal with them. Written by two white hat hackers, this book is aimed at making vital information known so that you can find ways to secure your Mac OS X systems, and examines the sorts of attacks that are prevented by Leopard's security defenses, what attacks aren't, and how to best handle those weaknesses.

Modern exploit payloads in commercial and open-source penetration testing frameworks have grown much more advanced than the traditional shellcode they replaced. These payloads permit interactive access without launch- ing a shell, network proxying, and many other rich fea- tures. Available payload frameworks have several limitations, however. They make little use of encryption to secure delivery and communications, especially in earlier stage payloads. In addition, their richer features require a constant network connection to the penetration tester, making them unsuitable against mobile clients, such as laptops, PDAs, and smart phones.

This work introduces a first-stage exploit payload that is able to securely establish an encrypted channel using ElGamal key agreement and the RC4 stream cipher. The key agreement implementation requires only modular exponentiation and RC4 also lends itself to an implemen- tation requiring a very small amount of executable code. This secure channel is used to send further executable code and deliver a fully-featured interpreter to execute mission logic written in the high-level Lua scripting language. This scripting environment permits secure code delivery as well as disconnected operation and execution of penetration testing mission logic.

Drawing on decades of experience in application and penetration testing, this book's authors can help you transform your approach from mere "verification" to proactive "attack." The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

Wireless 802.11 networking is becoming so prevalent that many users have become accustomed to having available wireless networks in their workplace, home, and many public places such as airports and coffee shops. Modern client operating systems implement automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user. In order to implement known network discovery, client operating systems remember past wireless networks that have been joined and automatically look for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled. By examining these implementations in detail, we have discovered previously undisclosed vulnerabilities in the implementation of these algorithms under the two most prevalent client operating systems, Windows XP and MacOS X. With custom base station software, an attacker may cause clients within wireless radio range to associate to the attacker's wireless network without user interaction or notification. This will occur even if the user has never connected to a wireless network before or they have an empty Preferred/Trusted Networks List. We describe these vulnerabilities as well as their implementation and impact.

Binary code injection into an executing program is a common form of attack. Most current defenses against this form of attack use a 'guard all doors' strategy, trying to block the avenues by which execution can be diverted. We describe a complementary method of protection, which disrupts foreign code execution regardless of how the code is injected. A unique and private machine instruction set for each executing program would make it difficult for an outsider to design binary attack code against that program and impossible to use the same binary attack code against multiple machines. As a proof of concept, we describe a randomized instruction set emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator. The prototype disrupts binary code injection attacks against a program without requiring its recompilation, linking, or access to source code. The paper describes the RISE implementation and its limitations, gives evidence demonstrating that RISE defeats common attacks, considers how the dense x86 instruction set affects the method, and discusses potential extensions of the idea.

The last 13 years have seen a large number of serious computer security vulnerabilities. Some of the most pernicious of these vulnerabilities have been buffer overflow and format string vulnerabilities in widely used software applications. A number of Internet worms have exploited these vulnerabilities to infect target hosts. The first part of this work introduces a framework for understanding and describing attacks that dynamically inject machine code into a process and the vulnerabilities that enable these attacks. The techniques used in these attacks are described in detail. The second part of this work describes the application of dynamic binary translation, previously a technique primarily for dynamic optimization, to stopping and mitigating these sorts of attacks. The implementations of several known techniques using a dynamic binary translation system are described in detail. Finally, some conclusions about the applicability of dynamic binary translation to computer security are made.

Recent work with dynamic optimization in platform independent, virtual machine based languages such as Java has sparked interest in the possibility of applying similar techniques to arbitrary compiled binary programs. Systems such as Dynamo, DAISY, and FX!32 exploit dynamic optimization techniques to improve performance of native or foreign architecture binaries. However, research in this area is complicated by the lack of openly licensed, freely available, and platform-independent experimental frameworks. SIND aims to fill this void by providing a easily-extensible and flexible framework for research and development of applications and techniques of binary translation. Current research focuses are dynamic optimization of running binaries and dynamic security augmentation and integrity assurance.

Loadable Kernel Modules (LKMs) allow the running operating system kernel to be extended dynamically. Most modern UNIX-like systems, including Solaris, Linux, and FreeBSD, use or support loadable kernel modules. The facility offers more flexibility than the traditional method of recompiling the kernel to add new hardware support or functionality; new drivers or functionality can be loaded at any time. A loaded kernel module has the same capabilities as code compiled into the kernel. This gives loadable drivers a lot of flexibility and power. However, it also allows a maliciously written kernel module to subvert the entire operating system kernel.