
From BlackHat Europe 09

Charlie Miller and Vincenzo Iozzo gave an excellent presentation at BlackHat Europe 2009 on Mac OS X and iPhone hacking. The video and the accompanying paper were linked from the original post (here). Sections 4 and 5 of the paper cover the iPhone, with a brief introduction to the ARM architecture and to iPhone OS security.

It turns out that Apple has done a decent job of making it very hard to run injected code on the iPhone. Apart from the code pages of the program itself and the libraries it loads, memory is non-executable and cannot be made executable (at least not yet). That rules out shellcode on the stack or in the heap; what remains is return-to-libc, chaining calls into code that is already loaded. The paper includes example payloads of this kind that run on a "virgin" (not jailbroken) iPhone.
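A practitioner wants to see the "cannot be made executable" claim rather than take it on faith. The probe below is an added example, not code from the post or from the paper: it maps an anonymous read/write page, asks the kernel to flip it to executable, and separately asks for a page that is writable and executable at once. The enum names and the function name are my own. On a stock iPhone of the era described, the two EXEC bits are expected to stay clear; on a typical desktop Linux build all three bits come back set, which is exactly the difference the paragraph above describes.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD/macOS spelling */
#endif

/* Bitmask returned by probe_wx_policy() (names are this example's own). */
enum {
    WX_RW_OK            = 1,  /* plain read/write mapping succeeded            */
    WX_MPROTECT_EXEC_OK = 2,  /* RW page could later be made read/execute      */
    WX_RWX_MAP_OK       = 4   /* a write+execute page could be mapped directly */
};

/* Ask the kernel what it will allow. Nothing is ever executed: we only check
 * whether the protection changes are accepted, which is what decides whether
 * stack/heap shellcode is even possible on the platform. */
int probe_wx_policy(void)
{
    int result = 0;
    long pg = sysconf(_SC_PAGESIZE);

    /* Step 1: ordinary RW page, the kind a heap allocator hands out. */
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return result;
    result |= WX_RW_OK;
    memset(p, 0, (size_t)pg);        /* touch it so it is really backed */

    /* Step 2: try to turn the data page into code (the classic shellcode move). */
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_EXEC) == 0)
        result |= WX_MPROTECT_EXEC_OK;
    munmap(p, (size_t)pg);

    /* Step 3: try to get a page that is writable and executable at the same time. */
    void *q = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (q != MAP_FAILED) {
        result |= WX_RWX_MAP_OK;
        munmap(q, (size_t)pg);
    }
    return result;
}

int main(void)
{
    int r = probe_wx_policy();
    printf("RW mapping:              %s\n", (r & WX_RW_OK)            ? "ok" : "denied");
    printf("mprotect RW -> RX:       %s\n", (r & WX_MPROTECT_EXEC_OK) ? "allowed" : "denied");
    printf("direct RWX mapping:      %s\n", (r & WX_RWX_MAP_OK)       ? "allowed" : "denied");
    return 0;
}
```

If both EXEC lines print "denied", injected code has nowhere to live and the only option is to reuse code that is already mapped executable, which is the return-to-libc approach discussed next.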

Return-to-libc attacks work by redirecting control flow, typically through an overwritten saved return address, into code that is already loaded in libc or in the program itself, so that existing functions do the attacker's work: something malicious, or something merely unintended like the vibrate example in the paper. It is the standard way to exploit systems with non-executable stacks and heaps. One ARM-specific caveat: function arguments travel in registers r0-r3 rather than on the stack, so returning into a function is not enough on its own; the attacker also has to arrange those registers, which is why these chains are larger than their x86 counterparts.
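To make the mechanism concrete, here is an added example (mine, not from the post or the paper) that models the core of a return-to-libc payload in plain C. A real frame's layout is compiler-dependent, so the "frame" is a struct whose field order is guaranteed: a fixed buffer followed by the saved return slot, the equivalent of the saved LR that an ARM epilogue pops into PC. The payload is filler up to that slot followed by the address of a function that already exists in the binary; not one byte of the payload is ever executed as code, which is why it works without an executable stack. `unintended_action`, `struct frame` and the helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for whatever existing code an attacker wants reached:
 * the paper's vibrate routine, system(), or anything else already mapped. */
static int g_hit = 0;
void unintended_action(void)
{
    g_hit = 1;
}

/* Model of a stack frame. In a real frame on ARM the saved LR sits above the
 * locals and is popped into PC on return; here the same relationship is fixed
 * by struct layout so the overwrite is deterministic. */
struct frame {
    char buf[16];
    void (*saved_ret)(void);   /* the "saved return address" */
};

/* Deliberately unsafe copy: len is trusted, so a long input runs past buf
 * into saved_ret. The destination is described to the compiler as the whole
 * frame only so that fortified builds do not intercept the demo; in real code
 * the destination would simply be buf. */
static void vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    memcpy((void *)f, input, len);
}

/* Build the payload: pad up to the return slot, then the address of existing
 * code. Returns the payload length, or 0 if it would not fit in out. */
size_t build_ret2libc_payload(unsigned char *out, size_t cap, void (*target)(void))
{
    size_t pad = offsetof(struct frame, saved_ret);
    if (pad + sizeof target > cap)
        return 0;
    memset(out, 'A', pad);                      /* filler, never executed */
    memcpy(out + pad, &target, sizeof target);  /* overwrite the return slot */
    return pad + sizeof target;
}

/* Run the whole sequence: build payload, trigger the overflow, "return".
 * Returns 1 if control reached unintended_action, 0 otherwise. */
int run_ret2libc_demo(void)
{
    struct frame f;
    unsigned char payload[64];

    g_hit = 0;
    f.saved_ret = NULL;   /* a clean frame would return somewhere harmless */

    size_t n = build_ret2libc_payload(payload, sizeof payload, unintended_action);
    if (n == 0)
        return 0;
    vulnerable_copy(&f, payload, n);

    /* Epilogue: the function "returns" through the now attacker-chosen slot. */
    if (f.saved_ret)
        f.saved_ret();
    return g_hit;
}

int main(void)
{
    printf("ret2libc model: %s\n", run_ret2libc_demo() ? "reached existing code" : "failed");
    return 0;
}
```

The example deliberately stops at a single return into a no-argument function. On a real ARM target the next step is the hard part: the function you return into expects its arguments in r0-r3, so the chain has to first pass through an epilogue (a `pop {r0-r3, pc}` or similar sequence in existing code) that loads those registers from the controlled stack before landing on the target.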
