You could be one of the many people who want to jailbreak their iPhone but are concerned about a reduction in security. A computer consultant is going where Apple has refused to go, adding a security measure known as ASLR to iPhones to make them more resistant to malware attacks.
Short for address space layout randomization, ASLR has been noticeably absent from all iOS devices since their inception, making possible the types of attacks that commandeered a fully patched iPhone at this year’s Pwn2Own hacker contest. By randomizing the memory locations where injected code is executed, ASLR aims to thwart such exploits by making it impossible to know ahead of time where malicious payloads are located.
At a conference scheduled for next week, Stefan Esser, a security consultant and application developer for Germany-based SektionEins, plans to unveil a process for jailbreaking iDevices that automatically fortifies them with ASLR. It works by reordering the contents of dyld_shared_cache, a massive file that houses the libraries.
The hack will come as good news to those who want to jailbreak their iDevices but don’t want to make them unnecessarily more vulnerable. As things stand now, jailbreaking iPhones, iPod Touches and iPads diminishes a security protection known as DEP, or data execution prevention, and another measure known as application sandboxing. It also introduces a command shell and other features that can aid attackers.
You should still be wary of jailbreaking your iPhone if it’s an enterprise device, but normal users will have one less thing to worry about. “With Stefan’s stuff, now maybe it’s an option, if you’re a security-conscious person, to still jailbreak your phone because you can pick up ASLR, which is going to make it a lot harder to do exploits,” explains Miller.
Apple’s iOS currently lacks ASLR, though Apple has made some inroads with Mac OS X. Windows Phone 7, Windows 7, and Windows Vista, on the other hand, already include ASLR. Esser will be unveiling his ASLR solution for the iPhone on Tuesday at the Power of Community security conference in Seoul, South Korea. Stay safe, jailbreakers.