Tufts University
Computer Science
Introduction to Computer Security

Fuzzing an iOS Application

Author: Aaron Wishnick
Mentor: Ming Chow
December 13, 2013

Abstract

The question of iOS and mobile security in general has been on the minds of many people since the creation of the smartphone. The smartphone is essentially a computer that we carry around with us everywhere we go and that stores our most personal information, so naturally it has become a large target for malicious intent. And with apps such as Google Wallet coming out on the market now, it is even more important that these devices be secure. In this paper I will discuss iOS security and, more specifically, exploiting apps using a technique known as fuzzing.

1 Introduction

Since the creation of the iPhone in 2007, the number of smartphones in existence has increased to almost 25% of the mobile market. This has forced smartphone makers, and more specifically for this paper Apple, to focus a large amount of time on making their devices more secure.

1.1 Securing iOS

The first version of iOS began as simply a stripped-down version of OS X and came with essentially no added security measures. Since at the time very few people carried iPhones, this was not a huge problem. But when the popularity of the device skyrocketed, the first big step Apple took towards securing it was introducing the dual-core processor, which caused many pre-existing exploits to become much less reliable. Another large step was disabling Java and Flash from being able to run, both of which have a history of security vulnerabilities, thereby greatly decreasing the attack surface of iOS when compared to a much heavier operating system like OS X. They also removed the shell from the original operating system, preventing any possible execution of malicious shell scripts, which is often the goal of an OS X exploit.

The last two security measures I am going to cover are code signing and sandboxing; these two have made it very difficult, but not impossible, to discover vulnerabilities in iOS. Code signing means that in order for an application to run on an iPhone it must (in most cases) have come from the Apple App Store. And in order for an application to be available on the App Store, it must first have passed an inspection to make sure the app does not have malicious intent. Once accepted to the App Store, all components of the app receive a specific signature which must be present in order for it to execute. What this means for security is that even if the app is able to download malicious, executable content onto the phone after being accepted by the App Store, that content will not get executed because it is not signed. This eliminates a large number of potential exploits. And in the unlikely case that an attacker is able to create an app that successfully downloads and executes malicious content, sandboxing prevents the damage from spreading.

The term sandboxing refers to the organizational structure of applications within the iOS operating system. Each app exists in its own "sandbox" where it can do whatever it wants within that box, but cannot venture very far outside of it. There are certain things, such as photos and contacts, which are accessible to all applications (with user permission), but for the most part sandboxing prevents apps from talking to each other. For example, an application would be able to download all of a person's contacts but would not be able to send text messages from that phone, because that function is reserved for the Messages app.

There have been many more actions taken by Apple to protect the iPhone from attacks; the ones listed above are just a few of the more notable ones.

1.2 Exposing iOS Vulnerabilities

It would appear, then, that Apple has made their operating system impenetrable. However, while the attacks are different from those on OS X, they do exist. One way to find a vulnerability within iOS is simply brute force. Jose "Barraquito" Rodriguez has employed this method many times throughout his career as a Spanish soldier while waiting around in cars. He is the person credited with discovering the lock-screen vulnerability within iOS 7. Clearly, this is not the most efficient way to discover vulnerabilities. Fuzzing, the topic of this paper, is the next step up. It is still a brute force attack, the difference being that the brute forcing is done by the computer and not by the attacker himself. This paper will discuss fuzzing in greater detail later on.

Another, much more difficult attack utilizes return-oriented programming (ROP). This is a technique by which the attacker inserts and executes machine instructions, known as "gadgets", via the call stack. There are a few reasons why this exploit is so difficult on iOS: 1. due to code signing, the entire exploit must be written in ROP, and 2. it is absolutely necessary to understand both the ARM architecture basics and the calling convention used on iOS.^1 However, in his article on exploiting the iPhone, Dan Goodin points out that Apple has done attackers the favor of leaving in a few functions from the original OS X operating system that allow easier access to the kernel, where all of the ROP will take place. One of these leftovers is the kernel debugger, which serves no purpose within the iOS operating system. But if an attacker is able to force a crash within the kernel, the debugger will give him access to the CPU, allowing him to read/write memory and read/change register values. Essentially, all of the bases now belong to the attacker.

The final attack this paper will cover is the baseband attack. This refers to an attack on the internal chip, the digital baseband processor. This is the chip that interfaces between the actual phone component within the iPhone and the cellular towers operated by the carrier. To attack a device over the air, an adversary would operate a rogue base station in close enough proximity to the target device such that the two can communicate.^2 Setting up a base station is as simple as downloading open-source software such as OpenBTS [8] and running it on a computer. Once the attacker gets another person's phone on their base station instead of their carrier's, he/she will be able to corrupt the memory and execute custom malicious code on the baseband processor.

2 Fuzzing

Fuzzing is a form of vulnerability testing that can be used to test any kind of application (web, mobile, etc.). It is a very important tool that anyone planning on creating an application, iOS or not, should know about. It is of course not the end-all-be-all of penetration testing, but it is a really good place to start, excellent for exposing very serious vulnerabilities. The concept behind it is simple: repeatedly send malformed data to the application in the hope (or not, depending on which side you are on) that it causes the application to crash. Since this is essentially all that is involved in fuzzing, it is important to note that source code is not required, making it an easier place for an attacker to start. There are two forms of fuzzing: mutation-based and generation-based, each with its benefits and detriments. A key concept to note is that without a program running that monitors the crash, it doesn't matter which technique of fuzzing is used, because the attacker won't know what causes a crash or any information about the crash.

2.1 Mutation-Based Fuzzing

Mutation-based fuzzing could be considered the naive way of approaching fuzzing. It requires little to no working knowledge of the input being provided and can be done in under 100 lines of code (see 6.1). As the figure indicates, the fuzz buffer function takes in a buffer and then selects a random number of

^1 Charlie Miller, Chapter 8 - Return-Oriented Programming
^2 Charlie Miller, Chapter 11 - Baseband Attacks
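The following is an added example, not the paper's listing 6.1 nor code from the author, illustrating the two points made in Section 2 and Section 2.1: a mutation-based fuzz_buffer step that needs no knowledge of the input format, and the crash monitor without which a fuzzing run tells you nothing. The target parse_records is a constructed toy length-prefixed record parser (assumed, not an iOS component) that trusts its length bytes; the harness records the exact input and exception site for every crash so each one can be reproduced and triaged.

```python
"""Mutation-based fuzzer with a crash monitor (added example, not the paper's code)."""
import random
import traceback


def fuzz_buffer(buf, rng, max_mutations=None):
    """Mutation-based fuzzing step: copy buf, pick a random number of byte
    positions and overwrite each with a random byte. Nothing about the input
    format is assumed, which is what makes this the naive approach.
    rng may be a random.Random or an integer seed (for reproducible runs)."""
    if not isinstance(rng, random.Random):
        rng = random.Random(rng)
    data = bytearray(buf)
    if not data:
        return bytes(data)
    if max_mutations is None:
        max_mutations = max(1, len(data) // 10)  # touch at most ~10% of the bytes
    for _ in range(rng.randint(1, max_mutations)):
        pos = rng.randrange(len(data))
        data[pos] = rng.randrange(256)
    return bytes(data)


def parse_records(buf):
    """Constructed toy target (assumed format): 1 byte record count, then per
    record 1 length byte followed by that many payload bytes. It trusts the
    length byte, so a mutated count or length that runs past the end of the
    buffer raises IndexError; that is the class of defect fuzzing surfaces."""
    count = buf[0]
    offset = 1
    records = []
    for _ in range(count):
        length = buf[offset]
        offset += 1
        # byte-wise read so a truncated record raises instead of silently slicing short
        records.append(bytes(buf[offset + i] for i in range(length)))
        offset += length
    return records


def run_campaign(target, seed_input, iterations, seed=0):
    """Crash monitor: feed mutated inputs to target and record every exception
    together with the input that triggered it. Without this record a crash is
    just an observation; with it, each finding is reproducible."""
    rng = random.Random(seed)
    crashes = []
    for i in range(iterations):
        candidate = fuzz_buffer(seed_input, rng)
        try:
            target(candidate)
        except Exception as exc:  # a real harness would watch the process or crash log instead
            crashes.append({
                "iteration": i,
                "input": candidate,
                "error": type(exc).__name__,
                "where": traceback.extract_tb(exc.__traceback__)[-1].lineno,
            })
    return crashes


def unique_crash_sites(crashes):
    """Bucket crashes by (exception type, line) so duplicate findings collapse."""
    return sorted({(c["error"], c["where"]) for c in crashes})


if __name__ == "__main__":
    # Constructed valid seed input: two records, "ab" and "xyz"
    seed_input = bytes([2, 2]) + b"ab" + bytes([3]) + b"xyz"
    found = run_campaign(parse_records, seed_input, iterations=500, seed=42)
    print(f"{len(found)} crashing inputs, {len(unique_crash_sites(found))} distinct crash sites")
    for c in found[:3]:
        print(c["iteration"], c["error"], c["input"].hex())
```

Running the script mutates the seed input a few hundred times and prints how many mutated inputs crashed the parser and at how many distinct sites; the stored input bytes let you replay any crash directly against parse_records. Generation-based fuzzing would replace fuzz_buffer with code that builds inputs from a description of the format, but the monitor and bucketing logic would stay the same.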