iOS patch diffing
#cybsec16 rump session
Julien Bachmann
@milkmix_
intro | pegasus
• Last August: information about new malware for iOS
• Better: infected device through a browser exploit!
• Looked like a good idea to finally start analysing iOS patches
patches | up to iOS 9
• Updates
  • rootfs is encrypted and decrypted only on device
  • need keys but only available for devices before A6
  • kernelcache is also encrypted
• OTA updates
  • Initially only partial updates
  • From around September 2015, full OTA updates made available
patches | iOS 10
• Updates
  • rootfs is no longer encrypted
  • kernelcache is encrypted (again…)
patches | extracting rootfs
$ mkdir rootfs
$ unzip 2f3a0cb8c741f31b19576656765fad3616ecbfef.zip
$ pbzx AssetData/payloadv2/payload > rootfs/pb.xz && cd rootfs
$ xz --decompress pb.xz
$ otaa -e '*' ./pb
patches | finding modified files
• Using partial update
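When only full OTA packages are at hand, the same list of modified files can be produced by comparing two extracted trees. The script below is an added example, not part of the original slides: it hashes every file in an old and a new rootfs and flags the changed Mach-O binaries and dyld shared caches as candidates for binary diffing. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Mach-O magic numbers as they appear on disk (both byte orders) plus the
# fat/universal header; 0xcafebabe is shared with Java class files.
MACHO_MAGICS = {bytes.fromhex(m) for m in
                ("feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe")}
DYLD_CACHE_PREFIX = b"dyld_v1"  # start of the dyld shared cache header


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large caches do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return 'dyld_shared_cache', 'mach-o' or 'other' from the file header."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(DYLD_CACHE_PREFIX):
        return "dyld_shared_cache"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    return "other"


def index_tree(root):
    """Map relative path -> SHA-256 for regular files (symlinks are skipped)."""
    index = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = sha256_file(full)
    return index


def diff_rootfs(old_root, new_root):
    """Compare two extracted rootfs trees; each entry is (path, file kind)."""
    old, new = index_tree(old_root), index_tree(new_root)
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        parts = rel.split("/")
        if rel not in old:
            report["added"].append((rel, classify(os.path.join(new_root, *parts))))
        elif rel not in new:
            report["removed"].append((rel, classify(os.path.join(old_root, *parts))))
        elif old[rel] != new[rel]:
            report["modified"].append((rel, classify(os.path.join(new_root, *parts))))
    return report


def diff_candidates(report):
    """Modified binaries worth loading into a binary-diffing tool."""
    return [rel for rel, kind in report["modified"] if kind != "other"]


def make_constructed_trees(base):
    """Write two tiny trees with fake contents (constructed sample data)."""
    cache = "System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64"
    plist = "System/Library/CoreServices/SystemVersion.plist"
    macho64 = bytes.fromhex("cffaedfe")
    trees = {
        "old": {cache: b"dyld_v1   arm64\0" + b"A" * 32,
                plist: b"<plist>old</plist>",
                "usr/libexec/demo_daemon": macho64 + b"same"},
        "new": {cache: b"dyld_v1   arm64\0" + b"B" * 32,
                plist: b"<plist>new</plist>",
                "usr/libexec/demo_daemon": macho64 + b"same",
                "usr/libexec/new_tool": macho64 + b"fresh"},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            full = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
    return os.path.join(base, "old"), os.path.join(base, "new")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = make_constructed_trees(tmp)
        result = diff_rootfs(old_root, new_root)
        for change, entries in result.items():
            for rel, kind in entries:
                print(f"{change:9} {kind:18} {rel}")
        print("to diff:", diff_candidates(result))
```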
patches | extracting frameworks
• On iOS all frameworks are bundled into a cache file
  • dyld_shared_cache_arm64
• Possible to extract specific frameworks using jtool
$ jtool -extract JavaScriptCore /tmp/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
diffing | diaphora
finding the vuln | analysis
• Last browser exploit I did was 10 years ago on ActiveX applets
• heap spray all the things
• Was expecting the exploit to be released and then to trace using a debugger starting from slowAppend
finding the vuln | analysis
• All that to say…
finding the vuln | analysis
• Use Slack, use Github

Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 

Rump : iOS patch diffing

  • 1. iOS patch diffing
      #cybsec16 rump session
      Julien Bachmann @milkmix_
  • 2. intro | pegasus
      • Last August: information about new malware for iOS
      • Better: infected device through a browser exploit !
      • Looked like a good idea to finally start analysing iOS patches
  • 3. patches | up to iOS 9
      • Updates
          • rootfs is encrypted and decrypted only on device
          • need keys but only available for devices before A6
          • kernelcache is also encrypted
      • OTA updates
          • Initially only partial updates
          • From around September 2015, full OTA updates made available
  • 4. patches | up to iOS 9
  • 5. patches | iOS 10
      • Updates
          • rootfs is no more encrypted
          • kernelcache is encrypted (again…)
  • 6. patches | extracting rootfs
      $ mkdir rootfs
      $ unzip 2f3a0cb8c741f31b19576656765fad3616ecbfef.zip
      $ pbzx AssetData/payloadv2/payload > rootfs/pb.xz && cd rootfs
      $ xz --decompress pb.xz
      $ otaa -e '*' ./pb
  • 7. patches | finding modified files
      • Using partial update
  • 8. patches | extracting frameworks
      • On iOS all frameworks are bundled into cache file
          • dyld_shared_cache_arm64
      • Possible to extract specific frameworks using jtool
      $ jtool -extract JavaScriptCore /tmp/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
  • 11. finding the vuln | analysis
      • Last browser exploit I did was 10 years ago on ActiveX applets
          • heap spray all the things
      • Was expecting for the exploit to be released and then trace using debugger starting from slowAppend
  • 12. finding the vuln | analysis
      • All that to say…
  • 13. finding the vuln | analysis
      • Use Slack, use Github
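
Slide 7 finds modified files from a partial update, which ships only what changed. The added example below (not from the slides) goes one step further and covers the full OTA case from slide 3: it compares two rootfs trees extracted as on slide 6 and lists added, modified and deleted files. The function names, the sample trees and the `.dylib` file names are constructed for illustration; only the dyld cache path comes from the slides.

```shell
#!/bin/sh
# Added example: list what changed between two extracted rootfs trees.
# Output, one line per change: "A path" added, "M path" modified, "D path" deleted.
# Assumes file names contain no newlines.

diff_rootfs() {
    old=$1
    new=$2
    [ -d "$old" ] && [ -d "$new" ] || {
        echo "usage: diff_rootfs OLD_DIR NEW_DIR" >&2
        return 2
    }
    # Pass 1: walk the new tree; files absent from the old tree are added,
    # files whose bytes differ (or that replaced a symlink) are modified.
    ( cd "$new" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        if [ ! -e "$old/$f" ] && [ ! -L "$old/$f" ]; then
            printf 'A %s\n' "${f#./}"
        elif [ -L "$old/$f" ] || ! cmp -s "$old/$f" "$new/$f"; then
            printf 'M %s\n' "${f#./}"
        fi
    done
    # Pass 2: walk the old tree; anything missing from the new tree was deleted.
    ( cd "$old" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        [ -e "$new/$f" ] || [ -L "$new/$f" ] || printf 'D %s\n' "${f#./}"
    done
}

# Constructed sample: two tiny trees standing in for extracted updates.
make_sample_trees() {
    base=$1
    cache=System/Library/Caches/com.apple.dyld
    mkdir -p "$base/old/$cache" "$base/new/$cache" \
             "$base/old/usr/lib" "$base/new/usr/lib"
    printf 'cache-build-A' > "$base/old/$cache/dyld_shared_cache_arm64"
    printf 'cache-build-B' > "$base/new/$cache/dyld_shared_cache_arm64"
    printf 'same' > "$base/old/usr/lib/unchanged.dylib"
    printf 'same' > "$base/new/usr/lib/unchanged.dylib"
    printf 'x' > "$base/old/usr/lib/removed.dylib"
    printf 'y' > "$base/new/usr/lib/added.dylib"
}

# Run as: sh diff_rootfs.sh OLD_DIR NEW_DIR
if [ "$#" -eq 2 ]; then
    diff_rootfs "$1" "$2"
fi
```

On iOS a changed `dyld_shared_cache_arm64` only says that some framework changed; the per-framework extraction on slide 8 is still needed before binary diffing.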