A Look at iMessage in iOS 14

Having been in this silly industry of hacking for 20yrs, I really wish publishing negative results became more normalized. There are orders of magnitude more unpublished info regarding stories of not finding vulns there are about finding vulns. It just goes to show how much the industry really is flashy/stunt hacking.

p.s. Samuel who published the research OP posted is one of the best hackers I've ever met, he helped me code our interview challenge test that we still use (it's that good!)

Security researchers sometime publish informative blog posts from time to time that don't deal with a specific vulnerability; this is one of them. Of course, being Project Zero usually these deep dives often turn up a bug or two (for example, this document on Apple's PAC implementation, which is probably one of the best resources describing it, stumbles upon a bug fixed by Apple while it was being written: https://googleprojectzero.blogspot.com/2019/02/examining-poi...), but this case it does seem like they just happened to not find anything. Whether that is because they couldn't probe very deeply due to the complete rewrite, or because the new architecture and use of a memory safe language upped the bar a bit (or a combination of both) is not clear but the thing I wanted to say here is that these blog posts are useful regardless of whether there is an exploit PoC attached. People may not want to write them, but they certainly stand on their own as good reference material.

Academic research is starting to address publication bias:

https://en.wikipedia.org/wiki/Series_of_Unsurprising_Results...

https://www.cbc.ca/radio/asithappens/as-it-happens-thursday-...

discussed on HN (2019): https://news.ycombinator.com/item?id=19968679

> Nothing to be found here as far as we know

I disagree, it's a fantastic, approachable disection of what Apple did to mitigate some nasty security holes. Worth the price of entry by far.

I feel like you are claiming researchers do not do it.

Me too! I wonder why that is?

I suspect that they wanted to use conditional expressions or something without having to use a "real" programming language with loops or I/O, which risks freezing the interpreter and leaking data.

Interesting! Is it actually a dialect of Scheme or just a LISP syntax custom language? s-expressions are a fairly nice way to create small custom rules languages or configuration languages as they are very easy to parse.

I vaguely remember that some settings / control-panel-thingy was written in Scheme on Windows. That was at least 20 years ago, though, so it’s probably gone by now.

They’re not out of the woods yet:

> However, it is worth noting that while the high level control flow logic is written in Swift, some of the parsing steps still involve the existing ObjectiveC or C implementations. For example, XML is being parsed by libxml, and the NSKeyedArchiver payloads by the ObjectiveC implementation of NSKeyedUnarchiver.

Even if it turns out to be a bit slower, it is the pursuit of speed at the expense of bounds checking that has brought us here, although other ill fated OSes proved that it didn't had to be that way.

I am posting this as an independent comment.

There isn't a "popular" CPU architecture that is 100% PIC for all of the allowed address ranges. There are "optimizations" the compiler can choose for limited addresses "reaches". Please consider independently compiled libraries that are aggregated into something larger, specifically languages that permit subclassing and inheritance. How can they be moved within an address space?

If there is a hierarchy of address availability this means that ASLR cannot be implemented in a pure way - it must involve runtime fix-ups if the base address changes. If the length of an instruction must change because of the addressing mode, what happens? How can you do ALSR? Do you rewrite all instructions (is there space? was space allocated?) or always use the most expensive address mode?

Slap, slap, slap. I do not think you did a complete or accurate analysis.

Randomization is NOT free. Randomization either requires that the values are pre-computed before install (which means delivering and pre-computing N different versions) or it is computed it on device.

If the randomization is computed on-device how to you validate that the binary or a library has not been "substituted" - persistent malware, APT?

The "compute on device" was a feature of very old macOS versions - it was annoying and took quite a lot of resources.

"TOTAL ASLR" depends on a CPU arch if it fully endorses over all addresses position independent code and data (Q: homework for ARM, x86_64...). If the ABI allows violations of this you cannot glide / slide all code and data addresses without significant runtime costs. This will likely result in a compromise.

The attacker in this situation already has the ability to deny service to the recipient, except they’ve also had the ability to utilize the crashes as an ASLR oracle too. The backoff attempts to prevent this from being possible.

That caught my eye too. I guess you would need a way of reliably being able to crash the service but that seems like a relatively low bar. Presumably the impact would also depend on how much work the service does.

Better than the alternative.

Well the attacker could probably DOS the victim anyway by rapidly sending crashing messages. The update just means the attacker only has to send the message every 20 minutes.

Open source aside, it would be great if any developer could do this on iOS. Unfortunately -- in contrast to macOS -- Apple keeps the XPC API on iOS private, so that it is impossible for "normal" app developers to properly sandbox the more critical and exposed parts of their application.

Only Apple can provide the described security for their messenger, but other messengers which face similar challenges (rendering untrusted content) cannot protect themselves.

Perhaps I’m too dense to get the hint?

Guile has its own sandbox. You can probably also use lua-JIT.

I'm no admin but wanted to ask for you to refrain commenting like this, it's probably against the site's guidelines and brings nothing to the discussion.

Per the guidelines: "Please don't comment about the voting on comments. It never does any good, and it makes boring reading."

HN upvotes what HN wants to see. Apple is one of the biggest companies in the world with products that a large majority of HN commenters use, and this blog post is in-depth technical praise / validation written by a representative from one of their biggest competitors. It feels like classic top-post material to me.

> This thing has only 190 upvotes

190 upvotes isn't "only". Things can be at the top with 20 upvotes if they come in fast enough, and all younger submissions that could outcompete it are at noticably lower numbers.

> ridiculous 12 comments

irrelevant for ranking.

It’s a conspiracy of course. Now go buy your Apple stock, sit back and enjoy the profit /s

The only thing faster than an Apple post to the top, goes a comment questioning this weird pattern. -1 in one minute in a 12 comment post.

Not bad

I've read that three times and I still can't parse it. Why would being on the latest version make a zero day worm more likely?

The days of internet massive worms are behind us. Or at least mostly.

Security is vastly better than it used to be and good zero day exploits are guarded jealously. Making a big worm is a quick way to expose a zero day.

The people who have access to these zero day exploits keep them tight for targeted attacks where they are less likely to be discovered.