[dsfjdssdfsd] fyi: Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG
=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 17 March 2014 17:15 UTC
Message-ID: <53272D91.1030001@KingsMountain.com>
Date: Mon, 17 Mar 2014 10:14:57 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF Pseudorandom Number Generator PRNG discussion list <dsfjdssdfsd@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/KvrlCYhiu8Wvj0vGSKxQE1KmEt4
Subject: [dsfjdssdfsd] fyi: Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
Of possible interest...

Attacking the iOS 7 early_random() PRNG
http://blog.azimuthsecurity.com/2014/03/attacking-ios-7-earlyrandom-prng.html

Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG
http://mista.nu/research/early_random-paper.pdf
http://mista.nu/research/early_random-slides.pdf

Abstract. iOS is by many considered to be one of the most secure mobile platforms due to its stringent security features and relatively strong focus on mitigation technology. In an effort to improve kernel security, iOS 6 introduced numerous mitigations including verification cookies and memory layout randomization. Conceptually, these mitigations seek to complicate kernel exploitation by leveraging non-predictable data and therefore require sufficient entropy to be provided at boot time. In this paper, we evaluate the security of the early random pseudorandom number generator. The early random PRNG is fundamental in supporting the mitigations leveraged by the iOS kernel. Notably, we show how an attacker can recover arbitrary outputs generated by the early random PRNG in iOS 7 without being assisted by additional vulnerabilities or having any prior knowledge about the kernel address space. Recovering these outputs essentially allows an attacker to bypass a variety of exploit mitigations, such as those designed to mitigate specific exploitation techniques or whole classes of vulnerabilities. In turn, this may allow trivial exploitation of vulnerabilities previously deemed non-exploitable.