ZeroNights: Automating iOS blackbox security scanning
Employer: SYNACK.com, which "leverages the best combination of humans and technology to discover security vulnerabilities in our customers' web apps, mobile apps, IoT devices and infrastructure endpoints".
Our privacy. Our money. Our freedoms. We wouldn't want to lose any of those things!
Pangu, TaiG (iOS jailbreaks)
For those who don't know AArch64, the IdaRef documentation plugin: https://github.com/nologic/idaref
Two ways to instrument the app: in-process and external.
Objc_Trace: call sequence and hook steps
1. Allocate a page: the jump page
2. Set objc_msgSend readable and writable
3. Copy the preamble bytes from objc_msgSend
4. Check for branch instructions in the preamble (a PC-relative branch copied to the jump page would point at the wrong address once it executes there)
5. Modify the objc_msgSend preamble
6. Set the jump page readable and executable
7. Set objc_msgSend readable and executable
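An added example, my own code and not objc_trace's, of the check behind steps 3 to 5 on AArch64: it decodes the instruction words copied out of the preamble and reports the first one that is PC-relative, and it emits the 16-byte absolute jump (ldr x16, #8 ; br x16 ; .quad target) that is written over the displaced preamble. The preamble bytes are hand-assembled for this example and the jump target is an arbitrary assumed address; neither is read from a binary. Nothing here executes ARM code, so it runs on any host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every AArch64 instruction is one 32-bit little-endian word. */
#define A64_INSN_SIZE 4u

/* Size of the absolute jump written over the preamble (step 5):
 * ldr x16, #8 ; br x16 ; .quad target  -> 4 + 4 + 8 bytes. */
#define A64_ABS_JUMP_SIZE 16u

/* True if the instruction encodes a PC-relative branch or address
 * computation. Such an instruction cannot be copied verbatim to the jump
 * page (step 3) because its target depends on the address it executes at.
 * Each test masks the fixed opcode bits of the encoding. */
bool a64_is_pc_relative(uint32_t insn)
{
    if ((insn & 0x7C000000u) == 0x14000000u) return true; /* B, BL         */
    if ((insn & 0xFF000010u) == 0x54000000u) return true; /* B.cond        */
    if ((insn & 0x7E000000u) == 0x34000000u) return true; /* CBZ, CBNZ     */
    if ((insn & 0x7E000000u) == 0x36000000u) return true; /* TBZ, TBNZ     */
    if ((insn & 0x1F000000u) == 0x10000000u) return true; /* ADR, ADRP     */
    if ((insn & 0x3B000000u) == 0x18000000u) return true; /* LDR (literal) */
    return false;
}

/* Step 4: scan the bytes the jump will displace. Returns the byte offset of
 * the first PC-relative instruction, or -1 when every instruction can be
 * relocated unchanged. `len` is rounded down to whole instructions. */
int a64_first_pc_relative(const uint8_t *preamble, size_t len)
{
    for (size_t off = 0; off + A64_INSN_SIZE <= len; off += A64_INSN_SIZE) {
        uint32_t insn = (uint32_t)preamble[off]
                      | (uint32_t)preamble[off + 1] << 8
                      | (uint32_t)preamble[off + 2] << 16
                      | (uint32_t)preamble[off + 3] << 24;
        if (a64_is_pc_relative(insn))
            return (int)off;
    }
    return -1;
}

/* Step 5 helper: emit "ldr x16, #8 ; br x16 ; .quad target" into `out`.
 * x16 is an intra-procedure-call scratch register, so clobbering it at a
 * function entry is ABI-safe. Returns the number of bytes written. */
size_t a64_emit_abs_jump(uint8_t out[A64_ABS_JUMP_SIZE], uint64_t target)
{
    const uint32_t words[2] = {
        0x58000050u, /* ldr x16, #8  (LDR literal, imm19 = 2 -> PC + 8) */
        0xD61F0200u, /* br  x16                                          */
    };
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (uint8_t)(words[i] >> (8 * b));
    for (int b = 0; b < 8; b++)
        out[8 + b] = (uint8_t)(target >> (8 * b));
    return A64_ABS_JUMP_SIZE;
}

/* Constructed sample preamble (hand-assembled for this example, not read
 * from a binary). The first two instructions mirror the nil/tagged-pointer
 * check that opens the arm64 objc_msgSend in Apple's objc4 sources. */
const uint8_t SAMPLE_PREAMBLE[16] = {
    0x1F, 0x00, 0x00, 0xF1, /* cmp  x0, #0                  */
    0x0D, 0x03, 0x00, 0x54, /* b.le +0x60   <- PC-relative  */
    0x0D, 0x00, 0x40, 0xF9, /* ldr  x13, [x0]               */
    0x1F, 0x20, 0x03, 0xD5, /* nop                          */
};

uint8_t SAMPLE_STUB[A64_ABS_JUMP_SIZE]; /* scratch for the emitted jump */

int main(void)
{
    int off = a64_first_pc_relative(SAMPLE_PREAMBLE, sizeof SAMPLE_PREAMBLE);
    if (off < 0)
        puts("preamble is relocatable: copy it to the jump page as-is");
    else
        printf("instruction at +%d is PC-relative: rewrite it or abort the hook\n", off);

    /* 0x180001000 is an assumed target address, not a real one. */
    a64_emit_abs_jump(SAMPLE_STUB, 0x0000000180001000ull);
    for (size_t i = 0; i < sizeof SAMPLE_STUB; i++)
        printf("%02x%s", SAMPLE_STUB[i], (i + 1) % 8 ? " " : "\n");
    return 0;
}
```

The sample deliberately trips the check at offset 4: the b.le cannot be moved to the jump page without being re-encoded for its new address, which is exactly why step 4 exists before step 5 touches anything.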
void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    // Only record unseen method calls: a (class, selector) pair that is
    // already in the class's method cache has been dispatched before.
    IMP cacheImp = NULL;
    Class cls = object_getClass(self);
    if (cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if (!cacheImp) {
        // not in cache, never been called, record the call.
        …

// Find the cache check function cache_getImp: it is located by a fixed
// offset from the libobjc image base. The offset is specific to one libobjc
// build and must be re-derived for any other.
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);
Machshark: a decoded mach message
{ '_payload': { '_payload': { '_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                              'type': 2048 },
                'magic': '!CPX',
                'version': 5 },
  'msgh_bits': 1250579,
  'msgh_id': 268435456,
  'msgh_local_port': '0x30b',
  'msgh_remote_port': '0x10b',
  'msgh_reserved': 2819,
  'msgh_size': 256 }
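An added example, not code from Machshark, showing how the msgh_* fields in the dump above sit on the wire and how msgh_bits decodes into port-right dispositions. The 24 header bytes are constructed to carry exactly the dump's values; nothing is captured from a device, and the payload after the header is not parsed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* mach_msg_header_t on the wire: six 32-bit fields, 24 bytes, little-endian
 * on arm64/x86_64. Names follow <mach/message.h>; the fifth field was named
 * msgh_reserved in older SDKs, which is the label the dump uses. */
#define MACH_MSGH_SIZE 24u

/* Sub-fields of msgh_bits (from <mach/message.h>). */
#define MACH_MSGH_BITS_REMOTE_MASK  0x0000001Fu
#define MACH_MSGH_BITS_LOCAL_MASK   0x00001F00u
#define MACH_MSGH_BITS_VOUCHER_MASK 0x001F0000u
#define MACH_MSGH_BITS_COMPLEX      0x80000000u

typedef struct {
    uint32_t bits, size, remote_port, local_port, voucher_port;
    int32_t  id;
} mach_hdr;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a header out of a raw message. Rejects buffers shorter than a header
 * and headers whose msgh_size is smaller than the header itself, so a
 * sniffer never trusts a length it has not checked. */
bool mach_hdr_parse(const uint8_t *buf, size_t len, mach_hdr *h)
{
    if (buf == NULL || h == NULL || len < MACH_MSGH_SIZE) return false;
    h->bits         = rd32le(buf);
    h->size         = rd32le(buf + 4);
    h->remote_port  = rd32le(buf + 8);
    h->local_port   = rd32le(buf + 12);
    h->voucher_port = rd32le(buf + 16);
    h->id           = (int32_t)rd32le(buf + 20);
    return h->size >= MACH_MSGH_SIZE;
}

/* Port-right dispositions packed into msgh_bits. */
unsigned mach_bits_remote(uint32_t bits)  { return bits & MACH_MSGH_BITS_REMOTE_MASK; }
unsigned mach_bits_local(uint32_t bits)   { return (bits & MACH_MSGH_BITS_LOCAL_MASK) >> 8; }
unsigned mach_bits_voucher(uint32_t bits) { return (bits & MACH_MSGH_BITS_VOUCHER_MASK) >> 16; }
bool     mach_bits_complex(uint32_t bits) { return (bits & MACH_MSGH_BITS_COMPLEX) != 0; }

/* MACH_MSG_TYPE_* names for the disposition values. */
const char *mach_type_name(unsigned t)
{
    switch (t) {
    case 0:  return "none";
    case 16: return "MOVE_RECEIVE";
    case 17: return "MOVE_SEND";
    case 18: return "MOVE_SEND_ONCE";
    case 19: return "COPY_SEND";
    case 20: return "MAKE_SEND";
    case 21: return "MAKE_SEND_ONCE";
    case 22: return "COPY_RECEIVE";
    default: return "unknown";
    }
}

/* Constructed header bytes carrying the field values of the dump above
 * (built by hand for this example, not captured from a device). */
const uint8_t SAMPLE_HDR[MACH_MSGH_SIZE] = {
    0x13, 0x15, 0x13, 0x00,  /* msgh_bits        = 1250579 (0x00131513) */
    0x00, 0x01, 0x00, 0x00,  /* msgh_size        = 256                  */
    0x0B, 0x01, 0x00, 0x00,  /* msgh_remote_port = 0x10b                */
    0x0B, 0x03, 0x00, 0x00,  /* msgh_local_port  = 0x30b                */
    0x03, 0x0B, 0x00, 0x00,  /* msgh_reserved    = 2819                 */
    0x00, 0x00, 0x00, 0x10,  /* msgh_id          = 268435456            */
};

/* A header claiming to be shorter than a header: must be rejected. */
const uint8_t BAD_HDR[MACH_MSGH_SIZE] = { 0, 0, 0, 0, 0x08 };

mach_hdr SAMPLE_PARSED; /* result of parsing SAMPLE_HDR */

int main(void)
{
    if (!mach_hdr_parse(SAMPLE_HDR, sizeof SAMPLE_HDR, &SAMPLE_PARSED)) return 1;
    const mach_hdr *h = &SAMPLE_PARSED;
    printf("id=0x%08x size=%u remote=0x%x (%s) local=0x%x (%s) voucher=%s complex=%d\n",
           (unsigned)h->id, h->size,
           h->remote_port, mach_type_name(mach_bits_remote(h->bits)),
           h->local_port, mach_type_name(mach_bits_local(h->bits)),
           mach_type_name(mach_bits_voucher(h->bits)), mach_bits_complex(h->bits));
    return 0;
}
```

For the dump above this decodes msgh_bits 1250579 as remote COPY_SEND, local MAKE_SEND_ONCE, voucher COPY_SEND, not complex: the sender handed over a copy of a send right and asked for a send-once right back, i.e. a request that expects a reply.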
CHAOTICMARCH: "A little engine for driving the UI while doing blackbox testing of an iOS App"
● Simulate the user
● Read and understand the UI
cy# UIApp.keyWindow
<UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
| <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
...
<TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
| <TiGradientLayer;> (layer)
| <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
| | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
| | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
| <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>
● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module
-- ChaoticMarch crawler loop: keep pressing buttons that have not been pressed yet.
local clickedButtons = {}
while true do
    -- pick a button whose text is not yet recorded in clickedButtons
    local button = getButton(clickedButtons)
    -- put some info in.
    fill_all_fields()
    click_button(button)
    if(button["text"] ~= nil) then
        clickedButtons[button["text"]] = 1
    end
    -- give the UI two seconds to react before the next step
    usleep(2 * 1000000)
end
MITM proxy pipeline (diagram): Request, Parse, Mutator, Fuzz
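An added example, not code from the talk's proxy, of the Mutator stage: a seeded, reproducible mutator for response bodies with four strategies (bit flip, boundary-value substitution for numeric literals, chunk duplication, truncation). The JSON body is constructed for the example and the strategy set and boundary values are my choice, not the talk's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Seeded xorshift64* generator: the same (seed, rounds) always yields the
 * same mutated body, so a response that crashed the app can be replayed. */
typedef struct { uint64_t s; } rng_t;

static uint64_t rng_next(rng_t *r)
{
    uint64_t x = r->s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    r->s = x;
    return x * 0x2545F4914F6CDD1DULL;
}
static size_t rng_below(rng_t *r, size_t n) { return (size_t)(rng_next(r) % n); }

/* Boundary values that commonly break size, index and overflow handling. */
static const char *const INTERESTING[] = {
    "0", "-1", "2147483648", "4294967295", "9223372036854775808", "1e309"
};
#define N_INTERESTING (sizeof INTERESTING / sizeof INTERESTING[0])

static int is_digit(uint8_t c) { return c >= '0' && c <= '9'; }

/* Apply `rounds` random mutations to the response body `in` and write the
 * result to `out` (capacity `cap`). Returns the mutated length, or 0 when
 * the input does not fit. */
size_t mutate_response(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t cap, uint64_t seed, int rounds)
{
    if (in_len == 0 || in_len > cap) return 0;
    memcpy(out, in, in_len);
    size_t len = in_len;
    rng_t r = { seed ? seed : 0x9E3779B97F4A7C15ULL };

    for (int i = 0; i < rounds; i++) {
        switch (rng_below(&r, 4)) {
        case 0:   /* flip one bit somewhere in the body */
            out[rng_below(&r, len)] ^= (uint8_t)(1u << rng_below(&r, 8));
            break;
        case 1: { /* replace one numeric literal with a boundary value */
            size_t s = rng_below(&r, len), tries = len;
            while (tries-- && !is_digit(out[s])) s = (s + 1) % len;
            if (!is_digit(out[s])) break;          /* body has no digits */
            while (s > 0 && is_digit(out[s - 1])) s--;
            size_t e = s;
            while (e < len && is_digit(out[e])) e++;
            const char *rep = INTERESTING[rng_below(&r, N_INTERESTING)];
            size_t rl = strlen(rep), n = e - s;
            if (len - n + rl > cap) break;         /* would not fit */
            memmove(out + s + rl, out + e, len - e);
            memcpy(out + s, rep, rl);
            len = len - n + rl;
            break;
        }
        case 2: { /* duplicate a chunk: shifting the tail right by n bytes
                     leaves the original chunk in place, so it appears twice */
            size_t s = rng_below(&r, len), n = 1 + rng_below(&r, len - s);
            if (len + n > cap) break;
            memmove(out + s + n, out + s, len - s);
            len += n;
            break;
        }
        default:  /* drop a random tail, always keeping at least one byte */
            if (len > 1) len -= 1 + rng_below(&r, len - 1);
            break;
        }
    }
    return len;
}

/* Constructed sample body: the shape a "request messages" call might return.
 * Not captured from any real app. */
const char SAMPLE_RESPONSE[] =
    "{\"status\":\"ok\",\"unread\":3,"
    "\"messages\":[{\"id\":1001,\"from\":\"alice\",\"body\":\"hi\"}]}";

uint8_t MUTATED[512];   /* scratch output buffer */

int main(void)
{
    size_t in_len = strlen(SAMPLE_RESPONSE);
    for (uint64_t seed = 1; seed <= 3; seed++) {
        size_t n = mutate_response((const uint8_t *)SAMPLE_RESPONSE, in_len,
                                   MUTATED, sizeof MUTATED, seed, 2);
        printf("seed %llu: %.*s\n", (unsigned long long)seed, (int)n, MUTATED);
    }
    return 0;
}
```

In the proxy the seed and round count are logged next to each forwarded response, so that whatever the app does with the mutated body (crash, hang, alert) can be tied back to the exact bytes that caused it.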
Attack scenario (attacker vs. user):
1. Make a post
2. Get exploited: binary/XSS with phish
3. Steal creds or tokens
4. Put up a draft
5. Request messages
6. Respond with attack content
We focus on this: the attack content arriving in the responses the app consumes.
-- Fill every text field, replay a recorded tap on the login button, then
-- check whether an alert appeared.
while true do
    local inputs = findOfTypes("UITextField", "")
    for index, inputField in pairs(inputs) do
        click_button(inputField)
        inputText("SomeInput!!")
    end
    -- touch login (coordinates captured with the record/replay option)
    touchDown(3, 138, 619);
    usleep(83148.83);
    touchUp(3, 141, 615);
    check_alert()
end
• Apps are important!
• Automation of the UI
• Collection of coverage information
• Fuzzing of response messages
Blog: debugtrap.com
Twitter: @hexlogic
Source:
CHAOTICMARCH: https://github.com/synack/chaoticmarch
Machshark: https://github.com/nologic/machshark
Objc_trace: https://github.com/nologic/objc_trace
Images: http://iconmonstr.com/
