[dsfjdssdfsd] fyi: Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 17 March 2014 17:15 UTC

Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 46A451A0432 for <dsfjdssdfsd@ietfa.amsl.com>; Mon, 17 Mar 2014 10:15:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.897
X-Spam-Status: No, score=-0.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9zXkTDHO9-bP for <dsfjdssdfsd@ietfa.amsl.com>; Mon, 17 Mar 2014 10:15:13 -0700 (PDT)
Received: from gproxy4-pub.mail.unifiedlayer.com (gproxy4-pub.mail.unifiedlayer.com []) by ietfa.amsl.com (Postfix) with SMTP id E47521A01C0 for <dsfjdssdfsd@ietf.org>; Mon, 17 Mar 2014 10:15:12 -0700 (PDT)
Received: (qmail 22109 invoked by uid 0); 17 Mar 2014 17:15:05 -0000
Received: from unknown (HELO cmgw4) ( by gproxy4.mail.unifiedlayer.com with SMTP; 17 Mar 2014 17:15:05 -0000
Received: from box514.bluehost.com ([]) by cmgw4 with id eoEy1n00T2UhLwi01oF1wa; Mon, 17 Mar 2014 18:15:03 -0600
X-Authority-Analysis: v=2.1 cv=Ht/lRSjS c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=cNaOj0WVAAAA:8 a=f5113yIGAAAA:8 a=4eyjf-e663kA:10 a=U0GcV9K8lpYA:10 a=3NT3xRclEPMA:10 a=8nJEP1OIZ-IA:10 a=ieNpE_y6AAAA:8 a=XYUc-DgfXtMA:10 a=N9f8vlzIAAAA:8 a=P-fCVmJAAAAA:8 a=vciZqZV3_5uKB1QQ6H4A:9 a=jRYIlFMb9d6w7NvS:21 a=2YR6F72-AmfIHhh6:21 a=wPNLvfGTeEIA:10 a=5zrRBKlu_boA:10 a=d2k7d80oREwA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=U32WpdDnZO1P12aMmpbiCAIBjhgl4NKRx4tH9mUK6yI=; b=8Zvjjo/vIuFHoAUIo281MBSgdgrDNJhLyGSSBBqTyrViKkNLmHpMV299TDDECbbxouMuLYvic0YuLHF1sIfiuQMwZrNmV6rdetEDSkTjPtYO5WFSocF9UoKku2rT53Tv;
Received: from [] (port=4597 helo=[]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.80) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1WPb7r-0003WZ-D8 for dsfjdssdfsd@ietf.org; Mon, 17 Mar 2014 11:14:59 -0600
Message-ID: <53272D91.1030001@KingsMountain.com>
Date: Mon, 17 Mar 2014 10:14:57 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130330 Thunderbird/17.0.5
MIME-Version: 1.0
To: IETF Pseudorandom Number Generator PRNG discussion list <dsfjdssdfsd@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth authed with jeff.hodges+kingsmountain.com}
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/KvrlCYhiu8Wvj0vGSKxQE1KmEt4
Subject: [dsfjdssdfsd] fyi: Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 17:15:14 -0000

Of possible interest...

Attacking the iOS 7 early_random() PRNG

Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG


Abstract. iOS is by many considered to be one of the most secure mo-
bile platforms due to its stringent security features and relatively strong
focus on mitigation technology. In an eort to improve kernel security,
iOS 6 introduced numerous mitigations including verication cookies and
memory layout randomization. Conceptually, these mitigations seek to
complicate kernel exploitation by leveraging non-predictable data and
therefore require sucient entropy to be provided at boot time. In this
paper, we evaluate the security of the early random pseudorandom num-
ber generator. The early random PRNG is fundamental in supporting
the mitigations leveraged by the iOS kernel. Notably, we show how an
attacker can recover arbitrary outputs generated by the early random
PRNG in iOS 7 without being assisted by additional vulnerabilities or
having any prior knowledge about the kernel address space. Recovering
these outputs essentially allows an attacker to bypass a variety of exploit
mitigations, such as those designed to mitigate specic exploitation tech-
niques or whole classes of vulnerabilities. In turn, this may allow trivial
exploitation of vulnerabilities previously deemed non-exploitable.