iOS Hacker's Handbook,9781118204122

iOS Hacker's Handbook

by ; ; ; ; ;
Edition: 1st
ISBN13: 9781118204122
ISBN10: 1118204123
Format: Paperback
Pub. Date: 2012-05-08
Publisher(s): Wiley
List Price: $44.99

Buy New

Usually Ships in 2-3 Business Days.
$44.54
Add to Cart

Buy Used

Usually Ships in 24-48 Hours
$33.74
Add to Cart

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $6.59

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

This book discusses the internals of iOS. It explains how the operating system works, security risks associated with it, how it can be used in the Enterprise, and the overall security architecture of the operating system. It explains how vulnerabilities can be found in it, exploits developed for it, and rootkits and other payloads developed for it. There is no other book that comes close to covering iOS on this level and the book is written by a panel of some of the world's leading experts in iOS. Overview iOS Security Architecture iOS vulnerability hunting and exploit writing iOS enterprise and encryption How iOS jailbreaks work Specifically, the book will cover: iOS in the Enterprise , Encryption, Code signing and memory protections, Sandboxing, iPhone Fuzzing, Exploitation , ROP payloads, Rootkits, Kernel Debugging and Exploitation, Jailbreaking , Baseband attacks

Author Biography

Charlie Miller is Principal Research Consultant at Accuvant Labs and a four-time CanSecWest Pwn20wn winner. Dionysus Blazakis is an expert on iOS and OS X sandbox security mechanisms. Dino Dai Zovi is coauthor of The Mac Hackers Handbook and a popular conference speaker. Stefan Esser is a PHP security expert and leading researcher of iOS security topics. Vincenzo Iozzo is an independent security researcher focused on Mac OS X and smartphones. Ralf-Philipp Weinmann holds a PhD in cryptography and has an extensive security background.

Table of Contents

Introductionp. xv
iOS Security Basicsp. 1
iOS Hardware/Device Typesp. 2
How Apple Protects the App Storep. 2
Understanding Security Threatsp. 3
Understanding iOS Security Architecturep. 5
The Reduced Attack Surfacep. 5
The Stripped-Down iOSp. 6
Privilege Separationp. 6
Code Signingp. 7
Data Execution Preventionp. 7
Address Space Layout Randomizationp. 8
Sandboxingp. 8
A Brief History of iOS Attacksp. 9
Libtiffp. 9
Fun with SMSp. 10
The Ikee Wormp. 10
Storm8p. 11
SpyPhonep. 12
Pwn2Own2010p. 13
Jailbreakme.com 2 ("Star")p. 13
Jailbreakme.com 3 ("Saffron")p. 14
Summaryp. 14
iOS in the Enterprisep. 15
iOS Configuration Managementp. 16
Mobile Configuration Profilesp. 16
iPhone Configuration Utilityp. 18
Creating a Configuration Profilep. 18
Installing the Configuration Profilep. 20
Updating Profilesp. 25
Removing Profilesp. 25
Applications and Provisioning Profilesp. 26
Mobile Device Managementp. 26
MDM Network Communicationp. 27
Lion Server Profile Managerp. 28
Setting Up Profile Managerp. 29
Creating Settingsp. 35
Enrolling Devicesp. 38
Summaryp. 45
Encryptionp. 47
Data Protectionp. 47
Data Protection APIp. 48
Attacking Data Protectionp. 51
Attacking User Passcodesp. 51
iPhone Data Protection Toolsp. 55
Installation Prerequisitesp. 55
Building the Ramdiskp. 58
Booting Ramdiskp. 61
Brute-Force Attacking Four-Digit Passcodesp. 62
Dumping Keychainp. 64
Dumping Data Partitionp. 65
Decrypting Data Partitionp. 66
Summaryp. 68
Code Signing and Memory Protectionsp. 69
Understanding Mandatory Access Controlp. 70
AMFI Hooksp. 71
AMFI and execvp. 72
How Provisioning Worksp. 74
Understanding the Provisioning Profilep. 74
How the Provisioning File Is Validatedp. 77
Understanding Application Signingp. 78
Inside Entitlementsp. 79
How Code Signing Enforcement Worksp. 80
Collecting and Verifying Signing Informationp. 80
How Signatures Are Enforced on Processesp. 84
How the iOS Ensures No Changes Are Made to Signed Pagesp. 88
Discovering Dynamic Code Signingp. 89
Why MobileSafari Is So Specialp. 89
How the Kernel Handles JITp. 91
Attacking Inside MobileSafarip. 94
Breaking Code Signingp. 95
Altering iOS Shellcodep. 96
Using Meterpreter on iOSp. 101
Gaining App Store Approvalp. 103
Summaryp. 104
Sandboxingp. 107
Understanding the Sandboxp. 108
Sandboxing Your Appsp. 109
Understanding the Sandbox Implementationp. 116
Understanding User Space Library Implementationp. 117
Into the Kernelp. 121
Implementing TrustedBSDp. 121
Handling Configuration from User Spacep. 123
Policy Enforcementp. 125
How Profile Bytecode Worksp. 126
How Sandboxing Impacts App Store versus Platform Applicationsp. 133
Summaryp. 137
Fuzzing iOS Applicationsp. 139
How Fuzzing Worksp. 139
The Recipe for Fuzzingp. 141
Mutation-Based ("Dumb") Fuzzingp. 141
Generation-Based ("Smart") Fuzzingp. 142
Submitting and Monitoring the Test Casesp. 143
Fuzzing Safarip. 144
Choosing an Interfacep. 144
Generating Test Casesp. 144
Testing and Monitoring the Applicationp. 145
Adventures in PDF Fuzzingp. 148
Quick Look Fuzzingp. 153
Fuzzing with the Simulatorp. 155
Fuzzing MobileSafarip. 158
Selecting the Interface to Fuzzp. 158
Generating the Test Casep. 158
Fuzzing and Monitoring MobileSafarip. 158
PPT Fuzzing Funp. 160
SMS Fuzzingp. 162
SMS Basicsp. 163
Focusing on the Protocol Data Unit Modep. 165
Using PDUspyp. 167
Using User Data Header Informationp. 167
Working with Concatenated Messagesp. 168
Using Other Types of UDH Datap. 169
Generation-Based Fuzzing with Sulleyp. 170
SMS iOS Injectionp. 175
Monitoring SMSp. 177
SMS Bugsp. 182
Summaryp. 184
Exploitationp. 185
Exploiting Bug Classesp. 186
Object Lifetime Vulnerabilitiesp. 186
Understanding the iOS System Allocatorp. 188
Regionsp. 188
Allocationp. 189
Deallocationp. 189
Taming the iOS Allocatorp. 190
Tools of the Tradep. 190
Learning Alloc/Dealloc Basicsp. 191
Exploiting Arithmetic Vulnerabuitiesp. 195
Exploiting Object Lifetime Issuesp. 198
Understanding TCMallocp. 200
Large Object Allocation and Deallocationp. 201
Small Object Allocationp. 201
Small Object Deallocationp. 202
Taming TCMallocp. 202
Obtaining a Predictable Heap Layoutp. 202
Tools for Debugging Heap Manipulation Codep. 204
Exploiting Arithmetic Vulnerabilities with TCMalloc - Heap Feng Shuip. 206
Exploiting Object Lifetime Issues with TCMallocp. 211
ASLR Challengesp. 211
Case Study: Pwn20wn 2010p. 213
Testing Infrastructurep. 217
Summaryp. 218
Return-Oriented Programmingp. 219
ARM Basicsp. 220
iOS Calling Conventionp. 220
System Calls Calling Conventionp. 221
ROP Introductionp. 222
ROP and Heap Bugsp. 224
Manually Constructing a ROP Payloadp. 225
Automating ROP Payload Constructionp. 230
What Can You Do with ROP on iOS?p. 232
Testing ROP Payloadsp. 232
Examples of ROP Shellcode on iOSp. 235
Exfiltrate File Content Payloadp. 235
Using ROP to Chain Two Exploits (JailBreakMe v3)p. 242
Summaryp. 247
Kernel Debugging and Exploitationp. 249
Kernel Structurep. 249
Kernel Debuggingp. 250
Kernel Extensions and IOKit Driversp. 256
Reversing the IOKit Driver Object Treep. 257
Finding Vulnerabilities in Kernel Extensionsp. 261
Finding Vulnerabilities in IOKit Driversp. 264
Attacking through Device Propertiesp. 265
Attacking through External Traps and Methodsp. 266
Kernel Exploitationp. 269
Arbitrary Memory Overwritep. 269
Patching a Vulnerability into the Kernelp. 270
Choosing a Target to Overwritep. 271
Locating the System Call Tablep. 272
Constructing the Exploitp. 273
Uninitialized Kernel Variablesp. 274
Kernel Stack Buffer Overflowsp. 279
Kernel Heap Buffer Overflowsp. 285
Kernel Heap Zone Allocatorp. 286
Kernel Heap Feng Shuip. 291
Detecting the State of the Kernel Heapp. 293
Exploiting the Kernel Heap Buffer Overflowp. 294
Summaryp. 296
Jailbreakingp. 297
Why Jailbreak?p. 298
Jailbreak Typesp. 298
Jailbreak Persistencep. 299
Tethered Jailbreaksp. 299
Untethered Jailbreaksp. 299
Exploit Typep. 300
Bootrom Levelp. 300
iBoot Levelp. 300
Userland Levelp. 301
Understanding the Jailbreaking Processp. 301
Exploiting the Bootromp. 302
Booting the Ramdiskp. 303
Jailbreaking the Filesystemp. 303
Installing the Untethering Exploitp. 304
Installing the AFC2 Servicep. 305
mstalling Base Utilitiesp. 306
Application Stashingp. 307
Bundle Installationp. 307
Post-Installation Processp. 309
Executing Kernel Payloads and Patchesp. 309
Kernel State Reparationp. 309
Privilege Escalationp. 310
Kernel Patchingp. 312
security.mac.proc_enforcep. 312
cs_enforcement_disable (kernel)p. 313
cs_enforcement_disable (AMFI)p. 314
PE_i_can_has_debuggerp. 315
vm_map_enterp. 316
vm_map_protectp. 318
AMFI Binary Trust Cachep. 319
Task_for_pid 0p. 320
Sandbox Patchesp. 322
Clearing the Cachesp. 324
Clean Returnp. 324
Summaryp. 325
Baseband Attacksp. 327
GSM Basicsp. 329
Setting up OpenBTSp. 331
Hardware Requiredp. 331
OpenBTS Installation and Configurationp. 332
Closed Configuration and Asterisk Dialing Rulesp. 335
RTOSes Underneath the Stacksp. 335
Nucleus PLUSp. 336
ThreadXp. 337
REX/OKL4/Iguanap. 337
Heap Implementationsp. 338
Dynamic Memory in Nucleus PLUSp. 338
Byte Pools in ThreadXp. 340
The Qualcomm Modem Heapp. 341
Vulnerability Analysisp. 342
Obtaining and Extracting Baseband Firmwarep. 343
Loading Firmware Images into IDA Prop. 344
Application/Baseband Processor Interfacep. 345
Stack Traces and Baseband Core Dumpsp. 345
Attack Surfacep. 346
Static Analysis on Binary Code Like it's 1999p. 347
Specification-Guided Fuzz Testingp. 348
Exploiting the Basebandp. 348
A Local Stack Buffer Overflow: AT+XAPPp. 348
The ultrasn0w Unlockp. 350
An Overflow Exploitable Over the Airp. 356
Summaryp. 362
Appendix Referencesp. 365
Indexp. 369
Table of Contents provided by Ingram. All Rights Reserved.

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.