IOKit-Dumper

OS X tool for dumping and reconstructing the IOKit class hierarchy. iokit-dumper directly generates DOT files (see here), which can then be processed with the dot tool. Keep in mind this tool is in its early release, so stuff may happen. Also, be careful when playing with the code, since a wrong read in the kernel will cause a kernel panic. Remember to always slide kernel addresses before reading from them.

https://github.com/jndok/iokit-dumper

Matthew on x86 boot security

Apple has a lot of work to do, but they just hired LegbaCore, so they should be able to improve.

Linux has a lot of work to do, to catch up to Windows. Luckily there are people like Matthew working on it.

OEMs/Intel have a lot of work to do: they should be working to build the Stateless Laptop that ITL has proposed.

http://mjg59.dreamwidth.org/39339.html

osxlockdown

https://summitroute.com/blog/2015/12/29/osxlockdown/

https://github.com/SummitRoute/osxlockdown

SummitRoute has a new Mac OS X security tool, OSXlockdown. Excerpt from readme follows, note especially the scarily-humorous warnings at the end. 🙂

osxlockdown was built to audit, and remediate, security configuration settings on OS X 10.11 (El Capitan).

This checks and flips various configuration settings. This is a compilation of numerous resources listed in the Resources section which could be converted to bash scripts. This differs from those resources in that instead of requiring the user to read a 100+ page doc, click through numerous GUIs, and try to decide if some esoteric output is good or bad, this tool combines all the steps into a single command. This tool is focused on enterprise deployments of OSX with regard to what it does, but made to be usable for stand-alone home users as well. Running the command by itself will tell you which audit checks passed and failed. Adding the --remediate flag will fix the problems identified. The commands.json file may be edited to disable certain rules by setting enabled to false.

Warning: Many of the rules disable functionality in the name of security. This may make you sad.

Warning: System commands and dark arts are involved, so ensure you have your system backed up first.
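As an added illustration of the audit-then-remediate design described in the readme above (example code written for this post, not osxlockdown's own; the JSON field names and the Runner interface are assumptions), a small Go rule runner that honours enabled: false, changes nothing unless remediation is requested, and re-audits after each fix instead of trusting it:

```go
package main
import (
	"encoding/json"
	"os/exec"
	"strings"
)
// Rule is one entry of a commands.json-style file (field names assumed, not osxlockdown's schema).
type Rule struct {
	Title       string `json:"title"`
	Enabled     bool   `json:"enabled"`
	Audit       string `json:"audit_command"`
	Expected    string `json:"expected_output"`
	Remediation string `json:"remediation_command"`
}
type Result struct{ Title string; Skipped, Passed, Fixed bool }
type Runner func(cmd string) (string, error) // one shell command -> trimmed stdout; injectable for tests
func ShellRunner(cmd string) (string, error) {
	out, err := exec.Command("/bin/sh", "-c", cmd).Output()
	return strings.TrimSpace(string(out)), err
}
// Run audits every enabled rule; only with remediate set does it run a failing rule's
// fix, and it re-audits afterwards rather than trusting that the fix worked.
func Run(rulesJSON []byte, remediate bool, run Runner) ([]Result, error) {
	var rules []Rule
	if err := json.Unmarshal(rulesJSON, &rules); err != nil {
		return nil, err
	}
	results := make([]Result, 0, len(rules))
	for _, r := range rules {
		res := Result{Title: r.Title, Skipped: !r.Enabled}
		if !res.Skipped {
			out, _ := run(r.Audit) // a command that errors simply fails its audit
			res.Passed = out == r.Expected
			if !res.Passed && remediate {
				run(r.Remediation) // its exit status is not trusted: the re-audit decides
				out, _ = run(r.Audit)
				res.Fixed = out == r.Expected
			}
		}
		results = append(results, res)
	}
	return results, nil
}
// SampleRules is a constructed rule file: real macOS commands, illustrative values.
var SampleRules = []byte(`[
 {"title":"Guest account disabled","enabled":true,"expected_output":"0",
  "audit_command":"defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled",
  "remediation_command":"defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false"},
 {"title":"Gatekeeper enabled","enabled":false,"expected_output":"assessments enabled",
  "audit_command":"spctl --status","remediation_command":"spctl --master-enable"}]`)
```

On a real Mac, Run(SampleRules, false, ShellRunner) reports without touching anything; passing true is the equivalent of the --remediate flag.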

Teddy Reed’s SMC fuzzer

In addition to UEFI Firmware Parser and other tools, Teddy Reed has *ALSO* written a fuzzer for Apple SMC firmware:

devnull’s SMC read/write code, along with simple fuzz options. This smc tool uses the AppleSMC IOKit interface and a userland API for interacting with the System Management Controller (Mac embedded controllers). The tool focuses on the SMC key/value API, but could be expanded to more API methods.

https://github.com/theopolis/smc-fuzzer

Click on the above Twitter URL for the follow-up conversation with some more information about SMC.

Apple acquires LegbaCore!!

WOW, LegbaCore closes down, Xeno and Corey join Apple!!!!

https://twitter.com/XenoKovah/

I expect Apple will shortly have MUCH MORE secure firmware/hardware systems, with their help! Other OEMs should be a little scared today.


Apple EFI security update for Mac OS X 10.9.5

Apple has announced an EFI security update for Mac OS X 10.9.5, apparently due to LegbaCore/MITRE research.

APPLE-SA-2015-10-21-6 Mac EFI Security Update 2015-002

Mac EFI Security Update 2015-002 is now available and addresses the following:

EFI
Available for: OS X Mavericks v10.9.5
Impact: An attacker can exercise unused EFI functions
Description: An issue existed with EFI argument handling. This was addressed by removing the affected functions.
CVE-ID: CVE-2015-7035 : Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of The MITRE Corporation, coordinated via CERT
Installation note: Mac EFI Security Update 2015-002 may be obtained from the Mac App Store.

Full message:

http://support.apple.com/kb/HT1222
https://support.apple.com/en-us/HT205317
https://support.apple.com/en-us/HT204934

In addition to this EFI update, Apple has released Multiple Security Updates:
https://www.us-cert.gov/ncas/current-activity/2015/10/21/Apple-Releases-Multiple-Security-Updates

SyScan360

https://www.syscan360.org/en/schedule/

SyScan is happening soon. There are multiple hardware/firmware-level talks, including one on VxWorks. And, since I’ve a bit of a UEFI focus, there is this one:

Is There An EFI Monster Inside Your Apple?

Pedro Vilaça
A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn’t mean they do not exist. EFI monsters are most certainly part of spy agencies’ rootkit catalogs. Very few tools exist to chase them. This talk is about introducing you to the EFI world so you can also start to chase these monsters. The EFI world might look scary but it’s a bit easier than you think and a lot of fun. Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.

http://www.businesswire.com/news/home/20151015006011/en/SentinelOne-Apple-Security-Expert-Present-SyScan360

Apple updates iOS Security Guide

Recently, Apple updated the “iOS Security Whitepaper” for iOS 9.0 or later. A few excerpts:

Device Firmware Upgrade (DFU) mode:
Restoring a device after it enters DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present. DFU mode can be entered manually: First connect the device to a computer using a USB cable, then hold down both the Home and Sleep/Wake buttons. After 8 seconds, release the Sleep/Wake button while continuing to hold down the Home button. Note: Nothing will be displayed on the screen when the device is in DFU mode. If the Apple logo appears, the Sleep/Wake button was held down too long.

Secure boot chain:
Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust where each step ensures that the next is signed by Apple. […]

Secure Enclave:
The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor. It provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised. […]
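The secure boot chain excerpt above, modelled as an added Go example (not Apple's code or image format: Ed25519 stands in for Apple's signatures, and the Stage layout is assumed). The root public key is fixed, every stage carries the key the next stage must verify against, and one tampered or foreign-signed stage halts the chain:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one link in the boot chain: its image, the public key the NEXT stage is
// verified with, and the signature over both (layout assumed for this illustration).
type Stage struct {
	Name      string
	Image     []byte
	NextKey   ed25519.PublicKey
	Signature []byte // over Image || NextKey
}

func signedMessage(s *Stage) []byte { return append(append([]byte{}, s.Image...), s.NextKey...) }
// VerifyChain emulates the Boot ROM rule: start from the immutable root key and refuse
// to hand control to a stage whose signature does not verify under the key handed down.
func VerifyChain(rootKey ed25519.PublicKey, chain []*Stage) error {
	key := rootKey
	for _, s := range chain {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, signedMessage(s), s.Signature) {
			return fmt.Errorf("stage %s: signature check failed, halting boot", s.Name)
		}
		key = s.NextKey // this stage now vouches for the next one
	}
	return nil
}

// BuildChain generates a root key and signed stages for the given names, as a vendor
// signing pipeline would (constructed keys and images, not Apple's).
func BuildChain(names []string) (ed25519.PublicKey, []*Stage, error) {
	pubs, privs := make([]ed25519.PublicKey, len(names)+1), make([]ed25519.PrivateKey, len(names)+1)
	for i := range pubs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	chain := make([]*Stage, len(names))
	for i, n := range names {
		s := &Stage{Name: n, Image: []byte("image of " + n), NextKey: pubs[i+1]}
		s.Signature = ed25519.Sign(privs[i], signedMessage(s))
		chain[i] = s
	}
	return pubs[0], chain, nil
}
```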

Full whitepaper:

Click to access iOS_Security_Guide.pdf

https://support.apple.com/kb/HT1808
https://support.apple.com/kb/HT202739
https://support.apple.com/HT205212

Apple Xcode vulnerability

https://twitter.com/FredericJacobs/status/644664194181267456

http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

https://github.com/XcodeGhostSource/XcodeGhost

Multiple updates from Apple

Apple has released security updates for OS X Server, iTunes, Xcode, and iOS to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system. Available updates include:

* OS X Server v5.0.3 for OS X Yosemite v10.10.4 or later
* iTunes 12.3 for Windows 7 and later
* Xcode 7.0 for OS X Yosemite v10.10.4 or later
* iOS 9 for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

https://www.us-cert.gov/ncas/current-activity/2015/09/16/Apple-Releases-Security-Updates-OS-X-Server-iTunes-Xcode-and-iOS

https://support.apple.com/en-us/HT205219
https://support.apple.com/en-us/HT205212
https://support.apple.com/en-us/HT201222

RehabMan’s ACPI tools for OSX

I just noticed the project Laptop-DSDT-Patch, by RehabMan. It contains “Common DSDT patches for Ivy/Sandy/Haswell laptops for running OS X”, so it is for ‘hackintosh’ hackers who run Apple’s OS X on non-Apple hardware and have to deal with non-Apple hardware/firmware, particularly ACPI’s DSDT table. It is a nice example of how the modding community generates some interesting firmware tools, if nothing else.

Quoting from the beginning of RehabMan’s HP-ProBook-4x30s wiki on How to patch your DSDT (useful background even if you don’t have this HP model):

Although there are pre-patched DSDTs available as downloads from the tonymacx86.com forums and in installer packages such as the HP ProBook Installer, there can be differences in individual DSDTs that can cause delays in booting and perhaps other problems. Perhaps there are slight differences in BIOS settings, memory installed, etc, that is causing these differences. It is best, therefore, to patch your own DSDT and install it into /Extra/dsdt.aml (Chameleon) or EFI/Clover/ACPI/patched (Clover). I have included five different methods for extracting your native DSDT. Just pick the method that seems easiest for you. The easiest one will depend on whether you still have Windows installed, whether you already have a Linux USB stick prepared, and just how familiar you are with both systems.

Quoting from the OSx86 wiki, for the Mac OSX-perspective on it, ACPI’s DSDT is:

The Differentiated System Description Table is the main table in the ACPI part of a computer’s BIOS. The Advanced Configuration and Power Interface (ACPI) defines a large number of tables that provide the interface between an ACPI-compliant operating system and system firmware. These allow description of system hardware in a platform-independent manner in ACPI Machine Language (AML). The problem is that OS X has an incomplete ACPI implementation which supports only a subset of DSDT. Modifying the DSDT allows the user to better support their hardware. For example, fixing Time Machine and the UUID 35 error is possible after modifying the DSDT. To patch your DSDT, you must either use a new table file that someone else has provided, or extract and modify your own. Then tell your bootloader to use the new DSDT file instead of the BIOS. On a few motherboards it is also possible to replace the BIOS with an updated BIOS with a patched DSDT. One of the simplest ways to extract your DSDT from your BIOS is by using DSDT Editor. Once you have downloaded DSDT Editor, open it and press File –> Extract DSDT. After 2-15 seconds, your DSDT should appear on the screen.
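Before a bootloader is pointed at a hand-patched dsdt.aml, the table header deserves a check. This added Go example (written for this post, not from RehabMan's tools or DSDT Editor) parses the standard ACPI table header, enforces the Length and checksum rules, and recomputes the checksum after an edit as iasl does, using a constructed sample table:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)
// Header holds the leading fields of the 36-byte header every ACPI table, the DSDT included, starts with.
type Header struct {
	Signature, OEMID   string
	Length             uint32
	Revision, Checksum uint8
}
func sum8(b []byte) (s uint8) {
	for _, x := range b { s += x }
	return s
}
// ParseDSDT checks an AML image: the header must fit, the signature must be "DSDT", Length
// must equal the file size, and all table bytes must sum to zero mod 256 (the spec's checksum rule).
func ParseDSDT(table []byte) (*Header, error) {
	if len(table) < 36 {
		return nil, errors.New("table shorter than the 36-byte ACPI header")
	}
	h := &Header{
		Signature: string(table[0:4]), Length: binary.LittleEndian.Uint32(table[4:8]),
		Revision: table[8], Checksum: table[9], OEMID: string(table[10:16]),
	}
	switch {
	case h.Signature != "DSDT":
		return h, fmt.Errorf("unexpected signature %q", h.Signature)
	case int(h.Length) != len(table):
		return h, fmt.Errorf("Length field %d != %d bytes on disk", h.Length, len(table))
	case sum8(table) != 0:
		return h, fmt.Errorf("checksum mismatch: bytes sum to 0x%02x, expected 0", sum8(table))
	}
	return h, nil
}
// FixChecksum recomputes byte 9 after a table has been edited, as iasl does when compiling .dsl to .aml.
func FixChecksum(table []byte) { table[9] = 0; table[9] = -sum8(table) }
// SampleDSDT returns a constructed minimal DSDT (header plus four AML bytes); test data, not real firmware.
func SampleDSDT() []byte {
	t := make([]byte, 36, 40)
	copy(t[0:4], "DSDT")
	t[8] = 2 // Revision 2: 64-bit AML integers
	copy(t[10:16], "EXAMPL")
	t = append(t, 0x10, 0x03, 0x5C, 0x00) // ScopeOp, PkgLength 3, RootChar, NullName: Scope(\) {}
	binary.LittleEndian.PutUint32(t[4:8], uint32(len(t)))
	FixChecksum(t)
	return t
}
```

The same checks apply to any table you dump from /sys/firmware/acpi/tables or with acpidump; only the expected signature changes.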

Look at the various ACPI-centric projects RehabMan has; there are many! Also, the Ubuntu wiki and the SmackerelOfOpinion blog are both excellent for ACPI diagnostic tips.

These ‘modding community’-based ACPI changes for OS X are educational: they show how people can extend their purchases for use cases beyond those that the vendor could imagine. As systems get more tamper-proof, it seems likely that users will have less and less ability to change things. [There is also a HUGE modding community of photographers and their smart cameras (embedded devices). They add amazing new features. The other day I saw one talk about how they update the system to be able to take pictures of lighting better. A nice example of how owners can add features to their purchases, if able to update their firmware. 🙂 And of course there is custom ‘firmware’ for smartphones, entire distros.]

Personal modding hobbies aside, how much time, if any, do enterprise sysadmins currently spend fixing OEM ACPI tables and other firmware features, to make their systems work properly?

More Info:
https://github.com/RehabMan/Laptop-DSDT-Patch
https://github.com/RehabMan/HP-ProBook-4x30s-DSDT-Patch/wiki/How-to-patch-your-DSDT
https://bitbucket.org/RehabMan/os-x-maciasl-patchmatic
http://www.insanelymac.com/forum/topic/223205-dsdt-editor-and-patcher/
https://github.com/RehabMan?tab=repositories
http://uefi.org/acpi
http://smackerelofopinion.blogspot.com/2009/10/dumping-acpi-tables-using-acpidump-and.html
http://acpi.sourceforge.net/dsdt/
https://01.org/linux-acpi/documentation/overriding-dsdt
http://www.tldp.org/HOWTO/ACPI-HOWTO/dsdt.html
http://wiki.osdev.org/DSDT
http://wiki.osx86project.org/wiki/index.php/DSDT
https://msdn.microsoft.com/en-us/library/windows/hardware/dn495660%28v=vs.85%29.aspx#dsdt
https://wiki.debian.org/OverridingDSDT
http://www.insanelymac.com/forum/topic/278170-dsdt-%E2%80%94-what-is-it-and-how-do-i-get-it/
https://wiki.ubuntu.com/Kernel/Reference/ACPITricksAndTips
https://www.kernel.org/doc/Documentation/acpi/dsdt-override.txt
http://smackerelofopinion.blogspot.com/search/label/ACPI
http://clover-wiki.zetam.org/Configuration/ACPI#DSDT

iOS App Reverse Engineering book

This is my gift to the jailbreak community as a 5-year n00b, enjoy! iOS App Reverse Engineering is the world’s 1st book of very detailed iOS App reverse engineering skills, targeting 4 kinds of readers:

* iOS enthusiasts;
* Senior iOS developers, who have good command of App development and have the desire to understand iOS better;
* Architects. During the process of reverse engineering, they can learn architectures of those excellent Apps so that they can improve their ability of architecture design;
* Reverse engineers in other systems who’re also interested in iOS.

The book consists of 4 parts, i.e. concepts, tools, theories and practices. The book follows an “abstraction, concrete, abstraction, concrete” structure, starting from basic concepts like iOS filesystem hierarchy and iOS file types that Apple didn’t expose to App developers but iOS (jailbreak) researchers should know, then goes through the most commonly used tools like class-dump, Theos, Cycript, Reveal, IDA and LLDB to introduce what to do in iOS reverse engineering. After that, iOS reverse engineering theories based on Objective-C and ARM assembly are explained in a methodological way, pointing out the core of this book. Last but not least, 4 originally elaborated practices are there to cover all previous contents of the book and give you the most intuitive perception of iOS reverse engineering. Happy hacking!

https://github.com/iosre/iOSAppReverseEngineering

44con presentations available

44con just finished. I didn’t mention this event earlier, but it included a few interesting presentations and workshops:

Is there an EFI monster inside your apple?
Pedro Vilaça

Hands-on JTAG for fun and root shells
Joe FitzPatrick

Pen Test Partners IoT Workshop
Dave Lodge

http://www.slideshare.net/44Con

44CON Homepage