Apple Says iOS Kernel Cache Left Unencrypted Intentionally, Nothing To Worry About

The iOS 10 kernel, which Apple released to enthusiasts last week, is not encrypted, according to a report. Security experts expressed their surprise and puzzlement over this in a report by MIT News. The iPhone maker, after remaining tight-lipped over the matter for a week, has now offered an explanation. In a statement to The Loop, Apple said: The kernel cache doesn't contain any user info, and by unencrypting it we're able to optimize the operating system's performance without compromising security.It is worth mentioning that Apple is talking about kernel's cache, whereas MIT News' original report talks about kernel code.

Re:What?

[DamnOregonian]

To be fair, Apple uses a weird terminology with regard to the kernel in iOS (don't know about macs or any other XNU-running devices, don't have any experience with them)
the kernel in iOS is in fact called a kernel cache. It's prelinked, ready to be dumped into memory and executed.
Apple is in fact referring to the kernel when are talking about the kernel cache.
Apple and "security experts" are talking about the same thing.

KERNEL vs. CACHE

[mrthoughtful]

So there seems to be some difference over assertions here.
Apple is only talking about the iOS 10 kernel CACHE and that private data is never stored there (fair enough), whereas TFA is talking about the kernel code which is left open to exploitation.

I personally consider that opening the kernel is a wise move. It will, most likely, assist in closing holes in the code and, eventually, would make a stronger kernel. However, as the article suggests, it was probably a mistake...

Re:

[110010001000]

It is sad that most Slashdot readers (and editors) now don't know the difference between CACHE and code.

Re:KERNEL vs. CACHE

[cryptizard]

Kernel cache is what they call the encrypted container that has the kernel in it. The article is not wrong, just a nonstandard use of the term.

Re:

[fustakrakich]

The article is not wrong, just a nonstandard use of the term.

My new campaign slogan! I am not lying. I am just using nonstandard definitions.

Re:

[Diss Champ]

You are late to the party. c.f. Clinton and what the definition of "is" is

Re:

[Parafilmus]

Bill was being pedantic, but he was using the standard (ie, present tense) definition if "is."

Re:

[DamnOregonian]

It's actually Apple that uses the nonstandard term... I had never heard of a kernel referred to as a "kernel cache" before I started hacking iOS back in ye olden days.

Re:

[Timothy Hartman]

I think they should open source the kernel too. If they do they travel back in time to 1996 and put it here [apple.com] so everyone thinks they have always had a transparent security process in regards to the XNU kernel long since before OS X or iOS existed.

Re:

[DamnOregonian]

Apple is talking about the kernel itself, which it calls the "kernel cache"
TFA is talking about the kernel, which Apple calls the "kernel cache"
They're talking about the same thing, Apple just uses a funny term for it.

Translation

[Opportunist]

Our pervasive snooping through our customers' habits and information taught us that they do notice when the phone is slow, but they don't have a clue about security or consider their privacy in any way important.

Re:

[Opportunist]

I dared to paint the sacred cow hot pink and made it look FABULOUS, what did you expect.

Go ahead, I got Karma to burn.

In other words....

[evolutionary]

Canary Warrant. The Government got to them in spite of the public display of resisting.You can be anyone who was relying on Apple phones to keep secrets will use other means now. Doh.As for the claim that kernel cache doesn't contain user data (and bear in mind this took a week of "consideration", and I'm not a security expert), wouldn't it be possible to extrude data from the kernal cache that could lead to the ability to access other encrypted data? seems odd to encrypt it and then remove that encryption

Re:

[BronsCon]

I don't want to say one way or the other because I still want to believe things don't actually work this way, despite clear evidence to the contrary, but you may be right about this. You can't tamper with an encrypted binary unless you have both keys; an unencrypted binary can be messed with and, as long as they checksums match, dropped right in with minimal hassle. And we've already learned that it's not hard to make checksums match.

Re:

[tibit]

we've already learned that it's not hard to make checksums match.

That'd be big news for hashes that are currently considered secure. Got some links?

Re:

[BronsCon]

Anyone with a basic understanding of hashing algorithms knows that to brute-force any hash is a 2^n proposition, where n is the number of bits in the hash. I seem to recall something about a datacenter being built in Utah in the past year or two by an organization that might be interested in the subject.

Re:

[tibit]

There isn't enough material in the entire Universe (that we're aware of, at least) to build a datacenter to brute-force a 512 bit hash. The Universe has roughly 2^400 atoms, the Earth has roughly 2^170, a billion billion is 2^60 only and you'd be very lucky to have a "datacenter" that can do that many hashes per second. End of story. I don't think you have that basic understanding.

Re:

[BronsCon]

GPUs of 2014 were able to calculate a little over 100 million SHA-512 hashes per second, dual GPUs double that per system. We can expect that this number has doubled yearly for the past 2 years, giving us 400 million per GPU, per second; 800 million per dual-GPU system. 100k such systems (well within the reach of a government budget) would be able to churn through 80 trillion hashes per second, roughly 7 quintillion (7 billion billion) hashes per day. That is quite a number of years, indeed, to brute-force.

Re:

[tibit]

7 billion billion per day is still 2^63, 58 orders of magnitude short of 2^256, 135 orders of magnitude short of 2^512. Whatever "datacenter" you think of is irrelevant, pretty much.

The extra layer of protection offered by asymmetric encryption will be moot once a key secure hash falls.

Re:

[BronsCon]

7 billion billion per day is still 2^63, 58 orders of magnitude short of 2^256, 135 orders of magnitude short of 2^512.

You must've stopped reading before you finished my first paragraph... I actually admit as much.

The extra layer of protection offered by asymmetric encryption will be moot once a key secure hash falls.

Not if the asymmetric encryption isn't vulnerable to the same exploit as the failed hash. Seriously, think about that for half a second; if you're able to keep up an argument on this topic (and I'd say you've been doing a fine job of it until now) you shouldn't need any longer than that. You're a smart fella, act like it.

Re:

[evolutionary]

Perhaps but I could think of better ways to create hype. All this would do is create concern and possibly distrust. Not what I think apple's stockholders would have in mind. If anything, this could move more people to Android just to see if it's more secure (or just the same, but less expensive phones). Apple is already slowing down on profits from their iphones recently. Not the best timing on something like this. Marketing typically tries to put a positive spin. This doesn't feel positive as much as relu

no subject at all

[Anonymous Coward]

There is no story here.

LINUX NOT SECURE

[CajunArson]

The Linux Kernel: NOT ENCRYPTED. Go panic now, the world is ending.

In fact, do you know that Linus Torvalds has personally made it possible for the MUTHAFUCKIN NSA to read every single line of source code in the Linux Kernel??

Just think about that the next time "they" tell you that it's OK for your computer to SEND IT'S DAMN IP ADDRESS OUT TO THE INTERNET!

The black helicopters are coming for me man!!

Re:

[Anonymous Coward]

I find it ironic about people fearing the NSA. They wrote SELinux, which has done a lot of good overall with Linux security. They also have a lot of decent guides for server hardening.

To me, I've found their publications and security work, as well as hardening of operating systems, well worth my tax dollars.

Re:

[NotInHere]

The NSA has two tasks: snooping and protecting US data. It takes the first task more seriously, and because of the snooping many people fear NSA, but it does stuff to fulfill the second task as well, like writing SELinux.

Re:

[fustakrakich]

it does stuff to fulfill the second task as well, like writing SELinux.

Yeah, I like to think we're getting the "Pro" version. But with sufficient network sniffing there is little to worry about, right?

Re:

[Anonymous Coward]

Lucky you man! You get to ride in a helicopter!

Re:

[TangoMargarine]

They don't send them for you during the day, dude. Middle of the night.

Re:

[crtreece]

OMG! I just checked on the websites for FreeBSD, OpenBSD, and NetBSD, they all have source code available too! Drug dealers, pedophiles, terrorists, and the NSA ALL have access to this source code.

They all leak IP addresses to the internet as well. It looks like they only leak MAC addresses to the local network, so they've done a little better there.

Re:

[Timothy Hartman]

OMG Apple does too [apple.com]!

Filesystem change?

[nine-times]

Is the new iOS running on Apple's new filesystem? Supposedly part of the features of the new filesystem is that it has greater control over file encryption. Given this explanation, it may be that they previously encrypted the kernel because it was the best way to encrypt user data, whereas with a new filesystem they may be able to encrypt the files they want to encrypt without needing to encrypt anything else.

Just a shot in the dark, though.

Re:

[BronsCon]

It might for new phones, but I highly doubt they'll convert the filesystem during an upgrade. Even with perfect code doing the conversion on a clean filesystem, it's a risky operation.

Re:

[BronsCon]

Eh? You're referring to Lion and no, it did not do that during an upgrade if user files resided on the drive. If installed from EFI recovery, yes, it would create those partitions, but it certainly did not during an upgrade involving existing user data.

Re:

[SvnLyrBrto]

Who would take that chance anyway? On my Mac, I do a full data backup to an external drive, then physically disconnect it, before routine OS updates. On my iDevices, I do backups to both iCloud and my Mac before updates. I've never actually lost data. But I'm a bit paranoid on that score and, as they say, better to have the backup and not need it than the other way around. And really, if anything calls for a backup, re-partition, re-format, and install everything from scratch; a filesystem update s tha

Re:

[BronsCon]

Who would take that chance? The more than 90% of the population who doesn't have backups.

Re:

[Anubis IV]

The new filesystem, APFS, doesn't yet run on the phones. In fact, it can't even be used for a boot drive yet. They seem to be aiming for a 2017 release with it, but filesystems tend to suffer from catastrophic failure when bugs occur, so it's no surprise that Apple is playing this very carefully and getting it into the hands of developers well in advance. They'll doubtless re-add missing functionality over that time, such as being able to boot from it, use it for Time Machine, use it with FileVault, etc., b

Re:

[cryptizard]

Encrypting the kernel image didn't do anything to protect user data though, since it is decrypted during boot time so the phone can actually run. It was done, presumably, to prevent people from decompiling the binary and trying to find holes in it to make jailbreaks and such. Once the phone is booted, the kernel will of course refuse to dump itself so it only needs to be protected while the device is off.

They are not wrong

[wwalker]

As much as I dislike Apple, they are not wrong here. What's the point of encrypting *code*?! Sign it, check sum it - yes, by all means, so that it's not replaced by something malicious. But why would you need to hide the actual content of the code?! Haven't we learned that security by obscurity doesn't work?

Re:

[Anonymous Coward]

Since you used ALL CAPS and "swear" words you clearly must be authoritative on the subject.

Re:

[Megol]

You are wrong. To prove otherwise please upload your custom Intel microcode update.

Re:

[iCEBaLM]

Not saying the guy is right, but how does a custom intel microcode update prove anything about a custom iphone kernel?

Re:

[Anonymous Coward]

They are right up there with people who don't know the difference between 'to' and 'too'. They're the worst.

Huh?

[Viol8]

I thought the encryption key was securely stored in the iPhone hardware and can only be accessed by firmware running on that hardware which then decrypts the kernel.

Re:

[BronsCon]

They might claim that, but the iPhone emulator provided with XCode has no problem doing the job. That should tell you something.

Re:Security Researcher == any random idiot

[cryptizard]

That's actually not how it works. The decryption key is burned into the processor, that is why there is a different firmware image for different versions of the phone. Only some of the phone versions (older ones) have had their keys extracted and released. Also, with new technologies like SGX (shipped in some current desktop CPUs and soon phones) software publishers will be able to write code that can only be decrypted in the hardware's trusted enclave, so the key can never be observed. So stop yelling please when you don't know what you're talking about.

Re:

[BronsCon]

The decryption key is burned into the processor

How do they pull that off for the emulator?

Re:

[Anonymous Coward]

Because it's a Simulator not an emulator. It's a special version of the OS compiled for x86.

Re:

[BronsCon]

So you're saying that version isn't encrypted? Or that it's encrypted but the key is readily accessible by disassembling the simulator code? Or... what, exactly, are you saying? Is the kernel in the x86 version encrypted or not?

You're focusing your argument on the wrong point.

Re:

[BronsCon]

Interesting that they'd do that; seems it'd introduce a fair bit of inconsistency in how things work between the simulator and the real device. An ideal solution would execute the same code in the same way at the same speed; an acceptable tradeoff would be one that executed the same code in the same way, with speed constraints based on the actual hardware being used. Anything that causes the same code to execute differently in the simulator vs the real device is, IMO, a bug.

Re:

[BronsCon]

Understood; however, there is no reason it cannot run as a VM with its own kernel and resources. My point wasn't at all related to the underlying architecture, just the software that runs on it.

Re:

[BitZtream]

heh, thats cute. Not done much embedded work have you?

I have. With those processors specifically. Extracting the encryption key is non-trivial but documented if you know where to look (not the processor documentation mind you (OH FACE)

I assure you that anyone who actually knew what they were doing can easily 'decrypt' the code and nothing you've said changes what I've said, other than you think that because they've embedded it in prom on the CPU that its secure. Just because its a custom chip apple laid

Re:

[cryptizard]

Then please explain to me why there are tons of models of the phone that don't have their keys extracted yet. They are specifically designed to not have the key leave the enclave. Why don't you go ahead and do it then since you're some kind of expert and it's so easy? The jailbreak community would appreciate it. Or just keep talking out of your ass on Slashdot.

It doesn't matter that it's burned in

[YesIAmAScript]

The key is burned into the processor, but you can employ the key in the processor to decrypt it. Just as the boot code decrypts the kernel cache, you can use the hardware to decrypt it for your own nefarious ends.

It just means you have to do the decryption on the device.

So the original writer was correct in that this encryption didn't stop all observers, just casual ones. Anyone who could get a significant jailbreak on a device could decrypt the kernel caches.

Re:

[cryptizard]

Good point, that is true, but it is a bit of a chicken and egg problem. People want the unencrypted kernel code so they can make jailbreaks.

Re:

[BronsCon]

Yes, you have the decryption key, but not the encryption key. Before you read on, try and guess what I'm getting at; then read on to see if you were right.

--

It is possible to modify an unencrypted binary, pad it so the checksums match, and get it onto the device, either by slipping that binary back into the original update blob or by desoldering the NVRAM from the phone, flashing it, and soldering it back in. The various TLAs you types are always worried about can do either of those.

Just thought you m

Re:Security Researcher == any random idiot

[DamnOregonian]

AES is symmetrical. The kernelcache is encrypted using AES. You're describing a hash collision on a signature. You're ignorant of the topic being discussed, please stop posting with such a confident posture.

Re:

[BronsCon]

Do you have documentation you can point me to stating that AES is being used? Given that the user is literally handed the key, that would be an idiotic choice. I don't think Apple necessarily has the best and brightest engineers, but they also don't employ idiots.

Re:

[BronsCon]

Nice argumentum per viam modum. Here's a reference [apple.com] (thanks to cryptizard for providing that) in case you need it. No, AES is not used; AES does not have a public and private key (as you stated, it's symmetric) and Apple specifically states the existence of a public key, which implies a separate private key.

Re:

[DamnOregonian]

AES is (well, was prior to most recent beta referenced in TFA) in fact used.
I need not read the reference, as I'm intimately familiar with the boot process.
My guess is that you read "signature" in there and something about a cert, and assumed that actually applied to the encryption used on the kernel binary itself rather than the signature for it.
A signature must necessarily be asymmetric so that someone can decrypt it without being able to encrypt a new signature.
This concept exists in regular SSL as w

Re:

[BronsCon]

My guess is that you read "signature" in there and something about a cert, and assumed that actually applied to the encryption used on the kernel binary itself rather than the signature for it.

No, I read the following, on page 5, under the heading "Secure boot chain":

The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust where each step ensures that the next is signed by Apple. When the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs the iOS kernel.

Yes, that does specifically mention the signature; no, it does not mention the encryption used, if any, on the various components of the boot chain. The remainder of the document does make many mentions of the use of AES, on the data partition, for secure communications, in the secure enclave for storing fingerprint hashes, for ApplePay, but no mention of its use anywhere in the boot process.

Perhaps you do need to read the referenc

Re:

[DamnOregonian]

Perhaps you do need to read the reference? You don't seem to be as familiar with the boot process as you think.

No, I really don't. Because I helped author literature that describes the process, as I was writing software to decrypt, and dump the symbol tables in the kernel. For your reference, here's the iOS IMG3 boot-chain container structure:
typedef struct img3File {
uint32_t magic; // ASCII_LE("Img3")
uint32_t fullSize; // full size of fw image
uint32_t sizeNoPack; // size of fw image without header
uint32_t sigCheckArea;// although that is just my name for it, this is the
// size of the start of

Re:

[BronsCon]

See? This is why credentials are important. We could have avoided this whole back-and-forth if you'd just described your experience at the start (and not even in this much detail).

I've watched enough of Louis Rossmann's videos that I should have expected Apple's own documentation to be incorrect or, at the very least, incomplete.

I stand corrected and kindly thank you for the information.

Re:

[cryptizard]

Usually the firmwares are checked with a cryptographic hash though, so it is not as simple as just fiddling with it a bit to make the checksum match. It should be (nearly) impossible to make changes to the binary without them being detected.

Re:

[BronsCon]

Yes, the firmware is checked during an upgrade; it is not verified during the boot process as this would take too long (the flash used doesn't read that fast). Te is definitely open to a physical attack (desolder/flash/resolder) during which the install-time hash check can also be disabled, allowing the attacker to push their own updates remotely. As for the "nearly" impossible, yes, for you or I it likely is; for someone with a government budget for computing power, perhaps not so much.

I'm gonna go ahead

Re:

[cryptizard]

That is interesting, I didn't know that it wasn't checked during boot. That seems like a bad idea. As to whether or not some people can break cryptographic hashes, I would lean toward not. It is not a matter of computing power, but some theoretic break on the algorithm itself. And a lot of really smart people in academia have been looking at, for instance, SHA-2 for over 15 years now with no substantial attacks.

Re:

[BronsCon]

It's not a matter of breaking the hash, simply finding a collision. Whenever what you're hashing is larger than your hash, there will always be collisions.

Re:

[cryptizard]

Yes there will always be collisions, in fact infinitely many, but it is computationally infeasible to find them. To date there have never been found two inputs that create the same hash in SHA-2. Since the output is 256 bits, you would have to try about 2^128 inputs in expectation before you find one, which is quite a few. You would need something like 10^20 times more storage than exists on the whole planet.

Re:

[BronsCon]

Since the output is 256 bits, you would have to try about 2^128 inputs in expectation before you find one

Or one lucky guess. Or double that and you still haven't found one. Don't oversimplify for my sake, I do understand these things, you can speak to me as a peer.

You would need something like 10^20 times more storage than exists on the whole planet.

Perhaps, if you were storing all of your test inputs. However, you can just as easily programmatically generate them and only store the ones that match.

Re:

[BronsCon]

I love how you assume I'm speaking from a position of ignorance. Look at my posting history and you'll learn that I tend not to do that; and when someone does manage to teach me something I thank them for doing so.

Re:

[cryptizard]

This security document from Apple implies that every stage of the boot process does a complete verification on the next stage before booting continues, first the Low Level Bootloader, then iBoot and finally the iOS kernel. So you could mess with the userland stuff but not the kernel. If you think about it, the whole boot chain including the kernel is probably only 10 MB or less. That is not so burdensome to verify every boot.

Re:

[cryptizard]

Whoops forgot to put the URL https://www.apple.com/business... [apple.com]

Re:

[BronsCon]

I see...

Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted.

The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust where each step ensures that the next is signed by Apple. When the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs the iOS kernel.

I stand corrected, the binary decrypting properly was merely a secondary protection. The primary protection is the signature, which is made much weaker by the removal of the encryption, as the binary no longer has to both be signed properly and be able to be decrypted with the public key. If you think there's not a datacenter in Utah with the compute power to "solve" this in a matter of hours (maybe days), you're mistaken.

Also, thank you for providing that document, hopefully DamnOregonian sees an

Re:

[cryptizard]

I'm pretty positive there isn't, or else if there is we have much bigger problems than our iPhones. Literally all of internet security relies on hash functions. If they are broken then we might as well just give up.

Also, testing if something is "able to be decrypted" implicitly relies on a hash because how else do you know if what you decrypted is valid? If you use something simple like a checksum or padding to check, it actually leads to an attack that can be used to decrypt the file called a padding

Re:

[BronsCon]

Which security document? You seem to have not linked to anything. But yes, it's verified by attempting to decrypt; if decryption fails, it's been tampered with. The encryption was removed from the kernel, ergo the kernel can no longer be verified.

Re:

[mccrew]

You may have had a point, but I stopped reading at the first very unnecessary F-bomb.

Re:

[BronsCon]

Eh? Jailbreak, disable the code that disabled the hardware keygen, done. Yes, this has been done; it's a bit beyond me how to actually pull it off, mostly because I haven't looked into it because I don't care (don't have an iPhone), but it's been done.

Re:

[BronsCon]

I never said anything about disabling the chain of trust, I referenced disabling the code that disables the hardware keygen, the piece of hardware that allows system binaries to be decrypted, actually quite the opposite. Since that is done by a command issued by the kernel during boot, before userland components are loaded, it certainly can be skipped.

Re:

[BronsCon]

The kernel loads several kernel-mode drivers, which are encrypted and signed, requiring this hardware to still be available for a short while after the kernel takes control. Doing otherwise would open the device to kernel-level vulnerabilities injected by modified drivers, which would be a gold-mine for jailbreakers.

Also of note: the very article we're discussing happens to be about the kernel no longer being encrypted so, no, you don't need to re-encrypt it, you're left with the (still difficult, but muc

Re:

[BronsCon]

Huh, interesting. Learn something every day...

Also, and I'm not sure why I didn't think of this earlier, it's not necessary to load a modified kernel with the same hash; it would be much easier to move the kernel and replace it with a binary that loads the kernel, patches it in RAM, then hands off execution. The binary itself would be small, leaving plenty of "slack" which can be modified as needed to match the hashes, while allowing the file size to remain constant.