HackPac: Hacking Pointer Authentication in iOS User Space
Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called PAC is calculated from a pointer val...
| Main Authors: | , , |
|---|---|
| Format: | Article in Journal/Newspaper |
| Language: | English |
| Published: |
DEF CON
2019
|
| Subjects: | |
| Online Access: | https://dx.doi.org/10.5446/48426 https://av.tib.eu/media/48426 |
| id |
ftdatacite:10.5446/48426 |
|---|---|
| record_format |
openpolar |
| spelling |
ftdatacite:10.5446/48426 2023-05-15T18:32:43+02:00 HackPac: Hacking Pointer Authentication in iOS User Space Bai, Xiaolong Zheng, Min Spark Qu, Hunter 2019 https://dx.doi.org/10.5446/48426 https://av.tib.eu/media/48426 en eng DEF CON Information Technology Conference/Talk MediaObject article Audiovisual 2019 ftdatacite https://doi.org/10.5446/48426 2021-11-05T12:55:41Z Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified whether it is consistent with the original pointer value. In this way, PAuth is able to ensure that the pointers are not tampered. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP. However, in our study, we found that a fatal flaw in the implementation of iOS PAuth makes user-space system services till vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process can be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. In advance, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries. Article in Journal/Newspaper The Pointers DataCite Metadata Store (German National Library of Science and Technology) |
| institution |
Open Polar |
| collection |
DataCite Metadata Store (German National Library of Science and Technology) |
| op_collection_id |
ftdatacite |
| language |
English |
| topic |
Information Technology |
| spellingShingle |
Information Technology Bai, Xiaolong Zheng, Min Spark Qu, Hunter HackPac: Hacking Pointer Authentication in iOS User Space |
| topic_facet |
Information Technology |
| description |
Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified whether it is consistent with the original pointer value. In this way, PAuth is able to ensure that the pointers are not tampered. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP. However, in our study, we found that a fatal flaw in the implementation of iOS PAuth makes user-space system services till vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process can be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. In advance, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries. |
| format |
Article in Journal/Newspaper |
| author |
Bai, Xiaolong Zheng, Min Spark Qu, Hunter |
| author_facet |
Bai, Xiaolong Zheng, Min Spark Qu, Hunter |
| author_sort |
Bai, Xiaolong |
| title |
HackPac: Hacking Pointer Authentication in iOS User Space |
| title_short |
HackPac: Hacking Pointer Authentication in iOS User Space |
| title_full |
HackPac: Hacking Pointer Authentication in iOS User Space |
| title_fullStr |
HackPac: Hacking Pointer Authentication in iOS User Space |
| title_full_unstemmed |
HackPac: Hacking Pointer Authentication in iOS User Space |
| title_sort |
hackpac: hacking pointer authentication in ios user space |
| publisher |
DEF CON |
| publishDate |
2019 |
| url |
https://dx.doi.org/10.5446/48426 https://av.tib.eu/media/48426 |
| genre |
The Pointers |
| genre_facet |
The Pointers |
| op_doi |
https://doi.org/10.5446/48426 |
| _version_ |
1766216904092942336 |