Posts Tagged ‘shellcode’

From BlackHat Europe 09

April 22, 2009 Leave a comment

Charlie Miller and Vincenzo Iozzo did a wonderful presentation at BlackHat – Europe 2009 on Mac OS X and iPhone hacking. You can find video and a paper from their presentation here. Sections 4 and 5 (of the paper) are on the iPhone. They give a brief introduction to the ARM architecture and iPhone OS security.

It turns out that Apple has done a decent job of making it very hard to execute shellcode on the iPhone. Pretty much all memory except the programs (and libraries) on the phone are not executable and cannot be made executable (at least not yet). This means no executing shellcode on the stack or in the heap; your only attack vector is large return-to-libc attacks. They give some example shellcode in their paper that will run on a “virgin” iPhone (not jailbroken).

Return-to-libc attacks work by tricking the machine into running code in libraries or the loaded program in such a way that you accomplish some malicious task (or benign but unintended like the vibrate code in the paper). It is a pretty standard way to exploit systems with non-executable stacks and/or heaps.

Categories: iPhone Tags: ,