Another security weakness found in iOS 7

Researcher finds a flaw that would allow attackers to exploit the OS kernel

A researcher has discovered a weakness in iOS 7 that would enable an attacker to bypass a number of mechanisms Apple uses to prevent exploitation of the operating system's kernel.

The problem stems from being able to brute force the random number generator, called the Early Random PRNG, to predict its outcomes. The generator is used by a number of important memory protections for iOS devices.

The PRNG generates numbers used by the physical kernel map randomization, stack-check guard, zone cookie protections and kernel map randomization. These attack mitigations prevent hackers from executing buffer overflows and other exploits that could be used to take over a device with malware that takes advantage of how memory is allocated to safely execute code.

Tarjei Mandt, senior security researcher at Azimuth Security, found that the PRNG in iOS 7, the latest version of the OS, is weaker than the one used in iOS 6. In a paper presented this week at CanSecWest, Mandt described the impact of knowing the PRNG's outputs.

"Recovering these outputs essentially allows an attacker to bypass a variety of exploit mitigations, such as those designed to mitigate specific exploitation techniques or whole classes of vulnerabilities," the paper says.

"In turn, this may allow trivial exploitation of vulnerabilities previously deemed non-exploitable."

Scott Morrison, senior vice president and distinguished engineer at CA Technologies, called Mandt's work an "important discovery."

"PRNGs are fundamental to many computer security functions, particularly those around cryptography," Morrison said. "PRNGs are a common point of attack because if they are in any way predictable, the entire security system built on them can collapse like a house of cards."

The random number generator in iOS 7 uses an algorithm called a linear congruential generator (LCG), which produces sequences of random numbers calculated with a linear equation. One of the oldest and best-known random number generators, it is known for being fast and easy to implement, the paper authored by Mandt, said.

While these algorithms work well in devices with limited resources, such as smartphones, "they exhibit severe defects and are easily broken when confronted by an adversary who can monitor outputs," Mandt wrote.

"As such, LCGs should not be used for cryptographic applications or security related work," he said.

Mandt told the security blog ThreatPost that he had not disclosed his findings to Apple. Representatives of the company had requested to see his slides shortly before his presentation.