SecurityWeek

Security Expert Evades Apple’s Mobile Security Measures via iOS Vulnerability

Apple security guru Charlie Miller said he has uncovered a bug in Apple iOS that allows an attacker to circumvent Apple’s code signing approach.

According to Miller, who is principal research consultant with Accuvant Labs and a veteran of the Apple bug-finding world, the vulnerability could spell trouble for iOS users if exploited.

Code signing has been a key element of Apple’s security strategy for iOS. It is used to validate executables and libraries and to determine whether code has been modified by anyone other than the signer. In a presentation at the upcoming SyScan 11 conference in Taiwan, however, Miller intends to demonstrate how a single bug lets attackers get around all of this.

Code signing is enforced continually at execution time, with one important exception from iOS 4.3 on: the Nitro JIT compiler is allowed to add dynamic, unsigned code to a process while it is running.

“The exception allows them to do Just-in-time compiling which will speed up the performance of any JavaScript engine,” he told SecurityWeek. “The drawback is it allows for unsigned code to run in this one case. They work very hard to restrict it to only in the browser and only one time, but they made one small mistake.”

In a YouTube video demonstrating the vulnerability, he used a proof-of-concept app called Instastock, which had successfully made its way into the App Store. It has since been removed.

“We can trust all the apps in the App Store because they have all been reviewed by Apple engineers,” he said. “But, this flaw shows that apps which have been reviewed can use this flaw to download new unsigned, unreviewed code and run it. It basically means we can’t trust the app store until it’s fixed. People could place ‘safe’ programs into the App Store that then download malicious code like malware.”

According to Miller, the bug is hard to find, but trivial to exploit.

“It is in the XNU kernel so source code is available, but is deceptive,” he said. “I found it by reverse engineering the kernel. I probably wouldn’t have found it looking at the source code. It’s an interesting bug. Exploitation is easy. It’s a logic bug, you just have to send in the right data to circumvent the checks they have to stop you from executing unsigned code. No buffer overflow, no heap manipulation, etc.”

After announcing this afternoon that Apple had pulled his app from the App Store, Miller disclosed via Twitter on Monday evening that Apple had also kicked him out of the iOS Developer Program.

Miller’s presentation is scheduled for Nov. 18.
