logo
allArticlesConferencesPresentations

Story of Jailbreaking iOS 13

Conference:  BlackHat EU 2020

2020-12-10

Summary

The presentation discusses the iOS sandbox design and its weaknesses, as well as the improvements made by Apple over the years. The speaker also shares their personal experience with jailbreaking and visiting libraries in America.
  • The iOS sandbox design is a powerful access control mechanism that neutralizes many vulnerabilities with almost no overhead added.
  • The restrictions placed on a process depend on four conditions: all files must have a code signature to run, processes are limited to their own sandbox, processes cannot access other processes' memory, and processes cannot execute unsigned code.
  • The iOS sandbox design has improved over the years, with Apple implementing stronger restrictions and adding new features like entitlements.
  • The speaker shares their personal experience with jailbreaking and visiting libraries in America, highlighting the positive aspects of free access to libraries and makerspaces.
The speaker shares their experience attending the 2015 Jailbreak Con in San Francisco, where they were the youngest attendee and barely spoke English. They were helped by a man named Alfred, who introduced them to other attendees and even found a female staff member to assist them. The speaker also mentions their love for American libraries and makerspaces, which they believe are gifts for people living in America.

Abstract

Jailbreaking refers to obtaining the kernel privilege of iOS, by means of the development of vulnerabilities. Usually, at least one kernel vulnerability is used. By overwriting the sensitive data structure in the kernel, the jailbreaker could run unauthorized code on the device without restrictions. It could then be used for performing code injection and data interception upon any process on the device. Thus, sometimes, a jailbreaker may not be the owner of the device, but an intruder who wants to steal or manipulate information, and that includes spreading misinformation.This talk will cover in detail how a series of iOS vulnerabilities are exploited to achieve Jailbreak on iOS 13.7. I'll be talking about their root cause, techniques used during the exploit development to bypass the mitigations that are unique to iOS, ultimately get the privilege of reading and writing kernel memory and demonstrate the potential malicious impact of the attack. The rest of my talk will be related to how these vulnerabilities were discovered, tips for reverse engineering. As an independent researcher, I hope to give some inspiration to the audience.
Materials:
Slides
Paper
Tags:

Post a comment

Related work

Everything has Changed in iOS 14, but Jailbreak is Eternal

Conference:  BlackHat USA 2021
Authors:
2021-08-05

KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous

Conference:  BlackHat USA 2018
Authors:
2018-08-08

Eternal War in XNU Kernel Objects

Conference:  BlackHat EU 2018
Authors:
2018-12-05

Your Trash Kernel Bug, My Precious 0-day

Conference:  BlackHat USA 2021
Authors:
2021-11-10

Apple's Predicament: NSPredicate Exploitation on macOS and iOS

Conference:  Defcon 31
Authors: Austin Emmitt Senior Security Researcher at Trellix Advanced Research Center
2023-08-01

One bite and all your dreams will come true: Analyzing and Attacking Apple Kernel Drivers

Conference:  Defcon 26
Authors:
2018-08-01