
A survey of recent iOS kernel exploits - edmorley
https://googleprojectzero.blogspot.com/2020/06/a-survey-of-recent-ios-kernel-exploits.html
======
LucidLynx
For people who think that there are far more CVEs on iOS than Android (based on
this article):
[https://www.cvedetails.com/top-50-products.php?year=2019](https://www.cvedetails.com/top-50-products.php?year=2019)

And it's for 2019 _only_

~~~
saagarjha
Number of CVEs in general is a fairly poor way to evaluate the security of a
platform.

~~~
albntomat0
Agreed. In other comments here however, there are folks arguing that this
shows iOS both is/isn't secure and that Project Zero has a hidden goal of
making Apple look bad. I think the poster above is trying to respond/provide
context to that.

~~~
dontbenebby
Apple provides security updates longer than Android though.

One could argue being able to own a phone for 5 years and receive security
updates for a higher up front cost is preferable to buying a new phone every
two years.

To be blunt, that policy + the fact Apple has no business units actively
incentivized to invade my privacy (no targeted marketing dept) makes me choose
iOS, even if it's "less free".

My phone is home to my most intimate conversations, I need to know it's secure
for the long haul.

~~~
albntomat0
I agree with you, and that's why I have the phone that I do. There are clear
tradeoffs between the two ecosystems. My comment was providing context to the
one above it.

------
robocat
Great summary list near end of article of the various mitigations used by iOS
- there are quite a few hardware protections implemented within the processors
themselves.

Android is less of a monoculture, but also has less opportunity to tune the
processor to include strong hardware mitigations against whole classes of
vulnerabilities.

~~~
stefan_
While iOS seems to pioneer every mitigation technique ever described in the
literature, they also shipped ancient versions of C image parsing libs
(OpenEXR), have an endless stream of remote code execution vulnerabilities
from their peculiar serialization schemes and all the other issues you would
expect from the use of native ObjC.

Their commitment is squarely to mitigating issues that threaten the walled
garden (and therefore the kernel), not so much userspace.

~~~
dontbenebby
>Their commitment is squarely to mitigating issues that threaten the walled
garden (and therefore the kernel), not so much userspace.

As a practical matter, doesn't this mean if I'm confident in my ability to
avoid phishing messages, iOS is better?

Anything that "roots" a phone can also run roughshod, turn on my mic, grab
signal messages stored locally, etc, correct?

What I'm getting at is a phone in a walled garden + a laptop that's open
source might be the best way to get the security of the walled garden _and_
the utility of open source.

~~~
fomine3
"confident in my ability to avoid phishing messages" is not a good way for
security.

~~~
dontbenebby
I literally designed antiphishing trainings.

I also have Firefox containers for important things like banking - a phishing
url from my email will not open in the correct container. Huge red flag.

------
AnonC
Hoping to see such a list for Android too. I don’t see one right now. [1] Some
kind of comparison between iOS and Android on the kinds of issues and
underlying causes would also be interesting.

[1]:
[https://duckduckgo.com/?q=site%3Agoogleprojectzero.blogspot....](https://duckduckgo.com/?q=site%3Agoogleprojectzero.blogspot.com+android+kernel)

~~~
numbsafari
I really appreciate and enjoy the work done by Project Zero.

But, it often does feel like it could be retitled Project Schadenfreude. This
particular post almost feels timed specifically for release right before WWDC.

~~~
snazz
They're doing Apple a huge favor by discovering these bugs. They're doing the
security community a huge favor by publishing blog posts about them for others
to learn from. They also do plenty of Android research, although iOS is a
higher priority since most security-conscious people use iOS (including the
researchers themselves). This is not a hit piece on Apple.

~~~
zepto
I’m not sure how this argument makes sense. Most _people_ use Android. I don’t
see any evidence that supports the claim that most “security-conscious“ people
use iOS.

If it is somehow meaningful to make that claim, then it is all the _more_
important for project zero to focus on Android, since people who are not
security conscious are less likely to practice other forms of security.

Project zero simply doesn’t seem to publish these pieces about Android at the
same rate they do about iOS. Perhaps this is unintentional.

~~~
albntomat0
I was curious, so I poked around the project zero bug tracker to try to find
ground truth about their bug reporting:
[https://bugs.chromium.org/p/project-zero/issues/list](https://bugs.chromium.org/p/project-zero/issues/list)

For all issues, including closed:

product=Android returns 81 results

product=iOS returns 58

vendor=Apple returns 380

vendor=Google returns 145 (bugs in Samsung's Android kernel, etc. are tracked
separately)

vendor=Linux returns 54

To be fair, a huge number of things make this not an even comparison,
including the underlying bug rate, different products (Google lacks a desktop
OS and an iMessage equivalent, for example), and downstream Android vendors
being tracked separately. Also, # bugs found != which ones they choose to
write about.

~~~
toast0
> Google lacks a desktop OS and an iMessage equivalent, for example

Nitpicking, but Chrome OS is a desktop OS, and Google has had at least 7
things similar to iMessage.

On topic, from my perspective when I was working somewhere that got bug
reports from project zero, it was great. I mean, not great that we had the bug
they found first, or the follow-up bug they found after we fixed that one; but
great that they were clear problems that we could solve. If we didn't want to
be written up, we could have done better to begin with, and taken more care in
looking around when the first bug was reported.

~~~
albntomat0
> Chrome OS

Is Chrome OS sufficiently unique enough from Linux to be its own category
(genuinely asking)? I was aware of it when I made the original comment, but
considered it more a subset of Linux, in that most major kernel security bugs
would be shared.

Also, what are you considering similar to iMessage? My view is that iMessage
presents its own unique & powerful attack surface that hangouts/etc don't have.
Maybe RCS?

~~~
toast0
I think Chrome OS at least has a unique libc and GUI stack versus normal
desktop Linux distributions? And there's certainly room for errors in their
updater stack and all that.

gChat, Allo, Duo, SMS (whatever it's called today), Hangouts, Meet, ???
They're all relatively similar, send messages including media (remember
stagefright).

~~~
albntomat0
> gChat, Allo, Duo, SMS (whatever it's called today), Hangouts, Meet, ???
> They're all relatively similar, send messages including media (remember
> stagefright)

Most of those have a much more limited attack surface than iMessage, at least
in my understanding. SMS is shared and doesn't try to do what iMessage does,
thus the issues.

------
fortran77
Amazing how something marketed as "secure by design" is, in fact, designed
with the same issues as other competitive operating systems.

[https://www.apple.com/business/docs/site/AAW_Platform_Securi...](https://www.apple.com/business/docs/site/AAW_Platform_Security.pdf)

~~~
saagarjha
Rather than responding to this again, I'll let the responses you got the other
times you asked this do the talking:
[https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...](https://hn.algolia.com/?dateRange=all&page=0&prefix=true&query=%22secure%20by%20design%22%20fortran77&sort=byPopularity&type=comment)

------
panpanna
Looking at the bottom part, is APRR the only mitigation exclusive to Apple's own
CPUs?

Also, is TrustZone not available on these?

~~~
RL_Quine
There's no TrustZone, no, but boot is completely verified in much stronger
ways. Software updates are uniquely signed per device, per execution to
prevent downgrade attacks.

~~~
panpanna
This confused me.

How do these unique signatures work and how do they improve boot security?

~~~
ghostpepper
IIRC the general idea is that the pin code or password is required to be
entered when an update is requested, which unlocks a key pair. The public key
is included in the update request, which is then sent to Apple. Apple sends
back a download that is signed in a way that the firmware can verify, and
Apple guarantees never to send another download in response to that exact
request. This protection also relies on the secure enclave never authorizing
the installation of an unsigned OS update.
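
An added Python model of the personalised-signing flow the comment above describes; this is not code from the thread or from Apple. The per-request secret is modelled as a random nonce, and an HMAC under a server key stands in for the asymmetric signature the firmware would verify with an embedded public key (both assumptions); the firmware images, version numbers and device id are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample firmware images plus the signing server's policy on which
# versions it still personalises (13.5 is no longer signed).
FIRMWARE = {
    "13.5": b"constructed firmware image 13.5",
    "13.6": b"constructed firmware image 13.6",
}
SERVER_ALLOWED = {"13.6"}
SERVER_KEY = secrets.token_bytes(32)  # stand-in for the vendor's private signing key
DEVICE = b"constructed-device-id-0001"

def _tag(key, device_id, nonce, image):
    # The tag covers device identity, the per-request nonce and the image hash.
    fw_hash = hashlib.sha256(image).digest()
    return hmac.new(key, b"|".join((device_id, nonce, fw_hash)), hashlib.sha256).digest()

def server_sign(device_id, version, nonce, allowed=SERVER_ALLOWED, key=SERVER_KEY):
    """Personalise one update; None means the version is no longer signed."""
    if version not in allowed:
        return None  # downgrade refused at the source
    return _tag(key, device_id, nonce, FIRMWARE[version])

def device_verify(device_id, nonce, image, ticket, key=SERVER_KEY):
    """Firmware recomputes the tag over ITS OWN fresh nonce, so a ticket
    captured for an earlier request never matches and cannot be replayed."""
    if ticket is None:
        return False
    return hmac.compare_digest(_tag(key, device_id, nonce, image), ticket)

def attempt_update(device_id, version, replayed_ticket=None):
    """One update cycle: fresh nonce, then either a fresh ticket or a replayed one."""
    nonce = secrets.token_bytes(20)
    ticket = replayed_ticket or server_sign(device_id, version, nonce)
    return device_verify(device_id, nonce, FIRMWARE[version], ticket)

# Ticket captured earlier, while 13.5 was still being signed.
OLD_NONCE = secrets.token_bytes(20)
OLD_TICKET = server_sign(DEVICE, "13.5", OLD_NONCE, allowed={"13.5", "13.6"})

def run_scenarios():
    return {
        "current_version": attempt_update(DEVICE, "13.6"),
        "downgrade_refused": attempt_update(DEVICE, "13.5"),
        "replayed_old_ticket": attempt_update(DEVICE, "13.5", OLD_TICKET),
    }
```

Only the first scenario succeeds: the server declines to sign the unsigned version, and the ticket captured while it was still signed fails against the device's new nonce.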

~~~
runeks
> Apple sends back a download that is signed in a way that the firmware can
> verify, and Apple guarantees never to send another download in response to
> that exact request.

Interesting! Thank you for the detailed explanation.

------
cancerSpreads
Bookmarked for anytime someone tells me Apple products are secure.

Marketing doesn't line up with reality.

Not that those who parrot the marketing would be convinced with evidence.

~~~
simonh
So according to this article those of us on iOS 13.x (93% of the installed
base) used to have one vulnerability, which we got patched through
auto-updates 8 months ago. I'm quaking in my boots.

I hope you remember to point out the historical nature of this when you pass
on the link.

~~~
yjftsjthsd-h
In fairness, the question is less "how many vulns does this exact device have
so far" and more "how many vulns are likely to occur for this device total",
in which case this article could be evidence that the last few versions of iOS
have each had their share, and therefore it is reasonable to extrapolate that
to expect a handful of issues on _this_ version. Now the first obvious catch
is that you can't necessarily accurately project the past into the future; if
most of these are the result of some underlying design strategy that Apple has
stopped doing, then the exploits would dry up. On the other hand, of course,
they could start shipping some new technology that turns out to introduce more
vulns (not likely, but it could happen).

Of course, I'm pretty sure the same list of exploits per-version of Android
would be _much_ longer, so if anything this list, if complete, really does
paint iOS in a very good light.

