To address the threat posed by the OSX/RRoll family of worms, Antid0te adds Address Space Layout Randomization (ASLR) to a jailbroken iPhone, explained Jimmy Shah, a mobile security researcher for McAfee.
“ASLR modifies the layout of system libraries and data structures in memory to prevent easy exploitation by attackers. Specifically, it makes attacks, such as the Return-Oriented Programming (ROP) one, used against an iPhone 3GS to win the CanSecWest Pwn2Own contest, much harder”, Shah wrote in a blog post.
The risk to a jailbroken iPhone comes from the insecure defaults and reduced security introduced by the jailbreaking process, which includes obtaining root access, installing native apps, and adding or modifying themes.
Shah noted that ASLR was cited by Vincenzo Iozzo, one of the two security researchers who created the Pwn2Own exploit of the iPhone, as key to preventing attacks: “If [the iPhone] would ever support ASLR, attacking it will be significantly harder than any desktop [operating system]. In fact, most applications are sandboxed, which greatly limits their abilities of doing harm and code signing is always in place. ASLR will limit the ability of creating ROP payloads.”
Stefan Esser, the developer of Antid0te and a speaker at the Power of Community 2010 conference in Korea this week, said in his conference bio that the “jailbreak weakens the otherwise strong security features of the iPhone in a way that remote exploits are far easier to accomplish”.
He added that “it is time to remember that the whole purpose of a jailbreak is to free the device from Apple and to allow users to do whatever they want with their device. The fact that current jailbreaks destroy the security is just because jailbreakers did not bother to find a better solution.”
Esser said his solution adds ASLR to make jailbroken-iPhone “exploitation more difficult. And this is only the first step; more mitigations and a full reactivation of the codesigning protection are planned for the next months.”
The initial release of Antid0te is scheduled for Christmas Eve. With the Antid0te tool and the additional mitigation measures planned by Esser, “we will eventually see an overall increase in the security of jailbroken [iPhone] devices”, Shah concluded.