ASLR & the iOS Kernel — How virtual address spaces are randomised

  • what ASLR actually is and how it aims to mitigate exploitation
  • how the iOS kernel implements ASLR for apps & processes that are executed on the device
  • a short experiment you can try that involves patching the iOS kernel to disable ASLR across all user-space processes!

What is ASLR?

ASLR on iOS

  1. random() returns 0x3910fb29
#include <stdio.h>
#include <string.h>
char *str = "HELLO ASLR";int main() { printf("ptr %p\n", str); return 0;
}

Patching the iOS kernel

  • NOP-out this whole section of code so there’s no random generation at all
  • patch read_random() to always return 0x0, so the random number isn’t actually random
  • overwrite the random slide value with 0x0 right after it is generated
bic r0, r1, 0x80000000
movs r0, 0x0
movs r0, 0x0
#define DISABLE_BYTES       0x20002000 // movs r0, 0x0 x 2
#define ENABLE_BYTES 0x4000f021 // bic r0, r1, 0x80000000
#define INSTR_TO_PATCH_ADDR 0x802a3cc4
    uint32_t slide = get_kernel_slide();
printf("[+] KASLR slide is %08x\n", slide);
uint32_t current_bytes = do_kernel_read(INSTR_TO_PATCH_ADDR + slide); printf("[+] Current bytes %08x\n", current_bytes); if (current_bytes == ENABLE_BYTES) {
do_kernel_write(INSTR_TO_PATCH_ADDR + slide, DISABLE_BYTES);
printf("[+] Patched ASLR random instruction. ASLR disabled.\n");
} else {
do_kernel_write(INSTR_TO_PATCH_ADDR + slide, ENABLE_BYTES);
printf("[+] Patched ASLR random instruction. ASLR enabled again.\n");
}

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store