
Behind the scenes of iOS and Mac Security

Conference:  BlackHat USA 2019

2019-08-08

Summary

Apple announces expansion of its security bounty program and introduces the iOS Security Research Device program
  • Apple has opened its security bounty program to all researchers and extended it to all of its platforms, including tvOS, iPadOS, watchOS and macOS
  • Maximum payouts range from $100,000 to $1,000,000 depending on the category and severity of the vulnerability
  • Apple has also introduced the iOS Security Research Device program: a fully supported iOS security research platform with advanced debugging capabilities
  • The program is by application only; applications are accepted from anyone with a track record of high-quality systems security research
  • The top reward of $1,000,000 is for a zero-click iOS full chain with kernel code execution and persistence
Taken together, the revised bounty program and the research device program are intended to encourage researchers to find and report vulnerabilities before they reach customers' hands.

Abstract

With over 1.4 billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in user security with every new product and software release. We will discuss three iOS and Mac security topics in unprecedented technical detail, offering the first public discussion of several key technologies new to iOS 13 and the Mac.

Code integrity enforcement has long been a critical part of the iOS security architecture. Starting with iPhone 7, we began to fortify core pieces of this security mechanism with new features built directly into Apple silicon. We will delve into the history of code and memory integrity technologies in the iOS kernel and userland, culminating in Pointer Authentication Codes (PAC) in the Apple A12 Bionic and S4 chips. PAC prohibits modification of function pointers, return addresses and certain data, preventing traditional exploitation of memory corruption bugs. We will take a close look at how PAC is implemented, including improvements in iOS 13. We will also discuss previously-undisclosed VM permission and page protection technologies that are part of our overall iOS code integrity architecture.

The T2 Security Chip brought powerful secure boot capabilities to the Mac. Comprehensively securing the boot process required protections against sophisticated direct memory access (DMA) attacks at every point, even in the presence of arbitrary Option ROM firmware. We will walk through the boot sequence of a Mac with the T2 Security Chip and explain key attacks and defenses at each step, including two industry-first firmware security technologies that have not been publicly discussed before.

The Find My feature in iOS 13 and macOS Catalina enables users to receive help from other nearby Apple devices in finding their lost Macs, while rigorously protecting the privacy of all participants. We will discuss our efficient elliptic curve key diversification system that derives short non-linkable public keys from a user's keypair, and allows users to find their offline devices without divulging sensitive information to Apple.
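The key diversification idea in the last paragraph, as an added illustration that is not part of the Black Hat abstract and not Apple's code: one long-term keypair (d, P = d*G) plus a shared secret SK yields a sequence of rotating public keys P_i. The lost device needs only P and SK to compute and broadcast P_i, while only the holder of d can compute the matching private scalar d_i, and without SK no one can link P_i to P_j or to P. The affine form d_i = u_i*d + v_i, P_i = u_i*P + v_i*G follows Apple's published description of the scheme; the curve (secp256k1 as a stand-in, chosen because its parameters are widely published), the counter-based HMAC KDF, the finder-side ECDH step and all sample keys are assumptions made for this example.

```python
"""Toy model of elliptic-curve key diversification for offline finding.

Added example, not Apple's implementation.  Points are affine (x, y) tuples
and the point at infinity is None.
"""
import hashlib
import hmac
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 over GF(P)) stands in for the
# production curve, which the abstract does not name.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; also handles doubling and the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2, including the y == 0 doubling case
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # curve coefficient a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Right-to-left double-and-add: returns k*point (None for the identity)."""
    result, addend = None, point
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def diversifier(sk: bytes, i: int):
    """Derive (u_i, v_i), each in [1, N-1], from the shared secret and a counter.

    Assumption: a counter-based HMAC-SHA256 KDF stands in for the real
    ratcheting KDF; the affine form below is the part being illustrated.
    """
    def part(label: bytes) -> int:
        mac = hmac.new(sk, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return 1 + int.from_bytes(mac, "big") % (N - 1)
    return part(b"u"), part(b"v")


def diversify_private(d: int, sk: bytes, i: int) -> int:
    """Owner side: d_i = u_i*d + v_i (mod N).  Requires the long-term private key d."""
    u, v = diversifier(sk, i)
    return (u * d + v) % N


def diversify_public(pub, sk: bytes, i: int):
    """Device side: P_i = u_i*P + v_i*G.  Requires only the public key P and SK."""
    u, v = diversifier(sk, i)
    return point_add(scalar_mult(u, pub), scalar_mult(v, G))


def x_bytes(point) -> bytes:
    """x-coordinate only: the 'short' form a device would broadcast."""
    return point[0].to_bytes(32, "big")


def finder_encrypt(p_i):
    """A finder derives a fresh ECDH key to P_i and keeps only the ephemeral
    public point for upload; it learns nothing beyond the unlinkable P_i."""
    e = 1 + secrets.randbelow(N - 1)
    shared = scalar_mult(e, p_i)
    return scalar_mult(e, G), hashlib.sha256(x_bytes(shared)).digest()


def owner_recover_key(d_i: int, ephemeral_pub) -> bytes:
    """The owner recomputes the finder's key from d_i and the ephemeral point."""
    shared = scalar_mult(d_i, ephemeral_pub)
    return hashlib.sha256(x_bytes(shared)).digest()


if __name__ == "__main__":
    # Constructed sample key material, not real keys.
    d = 0x1D3A7C5E9B2F4A6C8E0D1F3B5A7C9E2D4F6B8A0C2E4D6F8A1B3C5D7E9F0A2B4C
    sk = b"constructed shared secret for the example"
    pub = scalar_mult(d, G)
    for i in range(3):
        p_i = diversify_public(pub, sk, i)
        assert p_i == scalar_mult(diversify_private(d, sk, i), G)
        print(f"P_{i} broadcast x = {x_bytes(p_i).hex()}")
```

The property worth noticing is the asymmetry: `diversify_public` never touches `d`, so a device that only stores `P` and `SK` can keep rotating its broadcast key, while `finder_encrypt` and `owner_recover_key` show that a third party can still encrypt to the rotated key and only the owner can open it.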
