embedded, isolation, l4, microkernel, mobile, operating systems and virtualization, security, seL4
So, the FBI cracked the iPhone. With a zero-day and hardware?
The Washington Post reports that the FBI bought a zero-day exploit, and “then [used the] new information to create a piece of hardware that helped the FBI to crack the [San Bernardino] iPhone’s four-digit [PIN]”.
This is a bit intriguing, as there are known physical attack vectors that could be used, with some difficulty, to crack the PIN. If they used a physical attack, why did they need a software exploit?
It is also a bit ironic, as I had just finally caved in and bought an iPhone myself. A strong motivation was the security story, of which our L4 kernel is a significant component. Specifically, modern iOS devices have a security processor, which runs a modified L4 kernel. That kernel is in fact a fork of the L4-embedded kernel we developed more than ten years ago, and which later became OKL4. Apple’s iOS L4 is derived from the L4 kernel that supported our Darbat project.
So, what does this all mean for the security of iOS devices, and specifically, does it mean that L4 was broken?
First off, I find it rather comforting that a physical attack was needed, using some custom hardware. It was always clear that physical attacks would be possible. From the security PoV, such attacks are much less of a concern for the innocent individual (such as me), because they require a lot of effort for each individual device, and they require physical possession, i.e. cannot be done remotely. I don’t object to law enforcement being able to break an individual device if there is a concrete suspicion, as in the San Bernardino case. I do object against anything that enables mass surveillance of innocent citizens, which is what the FBI wanted Apple to enable (really just a mind-boggling stupid request). I’m more than glad that Apple refused to cooperate with this nonsense.
So, whatever the zero-day was the FBI purchased, it seems that on its own it wasn’t enough to break security. That’s a good outcome.
It’s also highly unlikely that the zero-day was against L4. The article makes it clear that the actual PIN was brute-forced (easy to do for a four-digit PIN). L4 cannot protect against this. And it also must be kept in mind that L4 only protects the security processor, which is in charge of crypto operations and, it seems, key management.
The PIN is, by definition, able to unlock the phone. It is stored somewhere on the device in encrypted form, and the security processor (and L4) is responsible for that. But the protection against brute-forcing (by counting unsuccessful attempts etc) require far more infrastructure than the security processor. Some of that is inevitably under control of iOS. So, almost certainly, the zero-day exploit targeted iOS, not L4.
That there are zero-days in iOS is hardly surprising: it is a large, monolithic OS with a trusted computing base (TCB) in the millions of lines of code. It’s a virtual certainty that there are many more exploits lurking in there.
Unlikely as it is, there might be exploits in L4 as well. It’s much less likely, as L4 is orders of magnitude smaller than iOS, and the number of exploits it might have can be expected to be corresponding orders of magnitude smaller. But it’s a legacy L4, not the verified seL4, and therefore there is no guarantee that there are no bugs. And, of course, we don’t know what Apple did with it.
To sum up, recent developments do not change my opinion that the security of iOS devices is strong, almost certainly among the best in mass-market consumer devices. Cracking it required a physical attack, which is practically impossible to defend against, certainly for a mass-market device. L4 likely made the thing harder to crack, and is unlikely to be the part that was compromised.
Update June’16
As people pointed out soon after I posted this blog, the San Bernadino iPhone was an older model that featured a pre-A7 SoC, and as such does not yet have the secure enclave that runs L4. Presumably this means newer phones are much harder to crack…
microkerneldude 
I did not know that iOS devices equip a security processor running a version of l4. Very interesting.
Just a small correction: The San Bernardino iPhone is an older model that has no secure enclave and thus does not run any L4 kernel code.
The rest of the argument remains valid, though. It’s good news for software security that a physical compromise was required.
I *thought* this phone did have it, but you might be right.
In which case the FBI and their zero-day definitely didn’t break L4 😉
Only iPhone 5S and better have a Secure Enclave, iPhone 5C does not.
General rule: if it has a fingerprint sensor, it has a SEP. (Exception: one iPad model doesn’t have a fingerprint sensor, but has a SEP)
did this version of l4 have the same flawed syscall dispatch code that some earlier okl4 versions had?
I’m not aware of “flawed syscall dispatch code” in OKL4, nor do I know (as stated) what Apple did to our L4 before they deployed it on iOS devices. They are different forks of our L4-embedded.
early versions of OKL4 would use a table lookup based on the syscall number, and assumed that system call numbers were aligned by four. If the processor enabled unaligned memory access, the dispatch code would incorrectly lookup and jump to the target address. This could allow the kernel to jump into code controlled by an attacker.
I don’t remember seeing or hearing anything about this. I do remember looking at code that left-shifted a syscall number before using it as an index, but that might have been an even older kernel.
I reported it in late 2012 via email to you (I resent a copy today for reference). I looked around and it looks like darbat uses the nicta pistachio kernel and at least the pistachio–devel–1.1–version-0 release had this same flaw.
Thanks for the reminder… Shows yet again that anything not proved correct must be assumed buggy.
As I said, I don’t know what Apple did with the code. The issue you point to would probably not be exploitable on the security processor, which only runs trusted code anyway.
FWIW, this is the response I got from the GD folks at the time you reported this issue:
“I’m trying to figure out if his scenario is possible or not. We rewrote that to just a proper index sometime after 1.4.1.1, but even then in this scenario I would expect that the unaligned access, if possible, would appear as a user error, for the kernel has already disabled unaligned access as we should never make them (and so you get the proper exception again).”
Yup. Unaligned accesses should be disabled by default, but some vendors, in their infinite wisdom, hack in extra system calls to enable unaligned accesses (also mentioned in my email).