
TruEMU: An Extensible, Open-Source, Whole-System iOS Emulator

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the development of an open-source iOS emulator for research purposes, with a focus on kernel debugging and fuzzing.
  • The emulator was built because real devices are expensive, hard to obtain in a debuggable form, and locked down by hardware security features.
  • It aims to model the real hardware as closely as possible and boots a range of iOS versions, from iOS 14 through iOS 16.
  • It supports Apple's custom CPU features and the USB stack, and makes kernel debugging and fuzzing straightforward.
  • Development proceeded by reverse engineering the device tree and building stub models of the peripherals it describes, then using dynamic and static reverse engineering to understand each device's behaviour and write the corresponding emulation code.
  • The emulator is open source and available for research use.
The presenter notes that real iOS devices are expensive and highly secure, which makes them difficult to use for research. They describe the checkm8 bootrom exploit as one route to debugging on real hardware, but note that it requires building custom debug cables and only works on the devices whose bootrom is vulnerable to it. The presenter also mentions the challenges posed by interrupts and the lack of sanitizer builds of the iOS kernel, and discusses possible workarounds such as hooking the kernel's allocator functions from the emulator. Overall, the presentation emphasizes the importance of lowering the entry barrier to iOS research in order to improve security for all users.
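The allocator-hooking workaround mentioned above is worth seeing concretely. The following is an added example, not TruEMU's code: it models the emulator-side bookkeeping that an allocator hook can maintain when no sanitizer build of the kernel exists. The model assumes three hypothetical hook points in the emulator (the guest's allocation request, the allocation's return value, and the guest's free call) and assumes the free hook leaks the chunk instead of returning it to the guest allocator, so freed memory is quarantined rather than reused. Trailing redzones come from inflating the requested size; no leading redzone is modelled because that would require rewriting the pointer the guest receives. Function names, the redzone width and the guest addresses are all assumptions.

```c
/*
 * Added example (not TruEMU code): an emulator-side shadow tracker for a
 * guest kernel allocator. The emulator is assumed to hook (hypothetically)
 * the guest's allocation entry, allocation return and free entry, and to
 * suppress the real free so quarantined chunks are never reused.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CHUNKS 256
#define REDZONE    16   /* trailing poisoned bytes per chunk (assumed width) */

typedef enum {
    ACCESS_OK,             /* inside a live allocation */
    ACCESS_REDZONE,        /* past the requested size, inside the redzone */
    ACCESS_USE_AFTER_FREE, /* touches a quarantined (freed) chunk */
    ACCESS_DOUBLE_FREE,    /* free of an already freed chunk */
    ACCESS_UNTRACKED       /* not a tracked heap chunk: stack, globals, MMIO, ... */
} access_result;

typedef struct {
    uint64_t base;  /* pointer the guest received */
    uint64_t size;  /* size the guest asked for (before inflation) */
    int      freed; /* 1 once the guest freed it; chunk is then quarantined */
} chunk;

static chunk  chunks[MAX_CHUNKS];
static size_t nchunks;

/* Forget all tracked chunks (guest reboot, or test setup). */
void reset_tracker(void) { nchunks = 0; }

/* Allocation-entry hook: inflate the request so a redzone follows the data. */
uint64_t guest_alloc_size(uint64_t requested) { return requested + REDZONE; }

/* Allocation-return hook: record the pointer the guest got and its real size. */
int hook_alloc(uint64_t base, uint64_t requested) {
    if (nchunks == MAX_CHUNKS) return -1;
    chunks[nchunks++] = (chunk){ base, requested, 0 };
    return 0;
}

/* Free-entry hook: quarantine the chunk; the emulator skips the real free. */
access_result hook_free(uint64_t base) {
    for (size_t i = 0; i < nchunks; i++) {
        if (chunks[i].base != base) continue;
        if (chunks[i].freed) return ACCESS_DOUBLE_FREE;
        chunks[i].freed = 1;
        return ACCESS_OK;
    }
    return ACCESS_UNTRACKED; /* pointer never came from the hooked allocator */
}

/* Memory-access hook: classify a guest load/store of [addr, addr + len). */
access_result check_access(uint64_t addr, uint64_t len) {
    for (size_t i = 0; i < nchunks; i++) {
        const chunk *c = &chunks[i];
        uint64_t data_end = c->base + c->size;          /* end of usable bytes */
        uint64_t window_end = data_end + REDZONE;       /* end of the redzone */
        if (addr + len <= c->base || addr >= window_end) continue;
        if (c->freed) return ACCESS_USE_AFTER_FREE;
        if (addr + len > data_end) return ACCESS_REDZONE; /* overflow into redzone */
        return ACCESS_OK;
    }
    return ACCESS_UNTRACKED;
}

const char *access_name(access_result r) {
    static const char *names[] = { "ok", "redzone", "use-after-free",
                                   "double-free", "untracked" };
    return names[r];
}

int main(void) {
    /* Constructed scenario: one 64-byte guest allocation at an assumed address. */
    const uint64_t p = 0xffffffe000100000ULL;
    reset_tracker();
    hook_alloc(p, 64);
    printf("in-bounds read:  %s\n", access_name(check_access(p, 8)));
    printf("overflow by 4:   %s\n", access_name(check_access(p + 60, 8)));
    printf("free:            %s\n", access_name(hook_free(p)));
    printf("read after free: %s\n", access_name(check_access(p + 8, 4)));
    printf("second free:     %s\n", access_name(hook_free(p)));
    return 0;
}
```

The linear scan is fine for a model; a real hook keyed on the fuzzer's hot path would use an interval tree or a shadow bitmap indexed by guest address, and would have to cope with the kernel's per-size zones, where the allocator's own rounding already leaves slack past the requested size that this model treats as redzone.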

Abstract

iOS is one of the most valuable targets for security researchers. Unfortunately, studying the internals of this operating system is notoriously hard, due to the closed nature of the iOS ecosystem and the absence of easily-accessible analysis tools.

To address this issue, we developed TruEMU, which we present in this talk. TruEMU is the first open-source, extensible, whole-system iOS emulator. Compared to the few available alternatives, TruEMU enables complete iOS kernel emulation, including emulation of the SecureROM and the USB kernel stack. More importantly, TruEMU is completely free and open-source, and it is based on the well-known and highly extensible emulator QEMU.

This talk will start by presenting the challenges and the solutions we devised to reverse engineer current iOS boot code and kernel code, and explain how to provide adequate support in QEMU. Then, to showcase TruEMU's usefulness and capabilities, we will demonstrate how it can completely boot modern iOS images, including iOS 14 and the latest iOS 15, and how it can properly run different user-space components, such as launchd, restored, etc.

Later, we will showcase two promising ways to use TruEMU as an iOS vulnerability research platform. Specifically, we will demonstrate how to use TruEMU to enable coverage-based fuzzing of the iOS kernel USB stack. Further, we will show how TruEMU provides a platform to implement coverage-based, syscall-level fuzzing. This platform enables security researchers to automatically explore multiple attack surfaces of iOS.

In sum, building a complete emulator for iOS is a daunting task. Many features (i.e., many peripherals) still need to be implemented to allow a complete emulation of a modern iOS device. We hope this talk will also bootstrap a large community involvement in this project that will progressively shed more light on the obscure corners of iOS security.
