                              ==Phrack Inc.==

                Volume 0x10, Issue 0x46, Phile #0x02 of 0x0f

|=--------------------=[ PHRACK PROPHILE ON XERUB ]=--------------------=|
|=----------------------------------------------------------------------=|
|=------------------------=[ Phrack Staff ]=----------------------------=|


|=---=[ Specs

               Handle: xerub
                  AKA: concat(*given_name, surname)
        Handle origin: Completely made up. Any semblance with literary
                       or real life is purely coincidental. The X is to
                       be read like a Latin X, or even the Greek letter
                       X, if you prefer, but never like 'sh'. Also,
                       Quake3's Xaero is my cousin.
     Age of your body: Old enough to remember the horrors of the Eastern
                       Bloc. Also XOR AX, AX is faster than MOV AX, 0.
                       Change my mind!
      Height & weight: 170+ & slender
          Produced in: Romania
                 Urlz: https://github.com/xerub, https://twitter.com/xerub
            Computers: AMD K5, K6, Pentium Pro, Celeron, Core2 Duo,
                       Core-iX
           Creator of: The concept of kppless jailbreaks [sic]
            Member of: XXX
             Admin of: XXX
             Projects: 0x41con
                Codez: img4lib, ROP compiler, many other incomplete tools
                       used in jailbreaking
         Active since: Around the turn of the millennium
       Inactive since: 2020


|=---=[ Favs

               Actors: J.P. Belmondo, Gheorghe Dinica.
                Films: Brazil, Blade Runner, Fight Club.
              Authors: Raymond Chandler, Oscar Wilde, Aldous Huxley,
                       George Orwell.
             Meetings: 0x41con, Warcon early editions.
                  Sex: Promiscuous & dirty.
                Books: Dead classics, mostly. No technical book ever.
                Novel: The Picture of Dorian Gray.
              Meeting: Richard Feynman, +ORC
                Music: Deep Purple, Led Zeppelin, Queen before '92.
              Alcohol: Single malt scotch, straight. Red dry wine.
                 Cars: BMW
                Women: Young, tall and slender with a sexy ass.
                  Men: Nop.
                 Food: Italian, SE Asian seafood.

               I like: Freedom, sunny weather, unhealthy habits,
                       scantily-clad babes.
            I dislike: Hypocrisy, political correctness, authority, the
                       philosophical Left. Zealots of any kind. Fat
                       people occupying two seats in a bus.


|=---=[ Life in 3 sentences

After being raised in a rural area, I went to high school in a
medium-sized city. High school changed my life, because it meant the
opportunity to use a real computer. During university, a nasty car
accident paused my studies, but around the same time I landed a couple
of jobs, ultimately settling for a security company and staying with
them ever since.


|=---=[ Passions, what makes you tick

Understanding the intricate details of a piece of machinery. Any
machinery, starting with mechanical ones down to the most complex Rube
Goldberg-esque software exploits. But the true joy begins when I build
such machinery myself. Even when not doing vulnerability research, I
spent my hacking days close to the hardware, squeezing the last bit out
of it; be it 3D graphics card drivers or x86 protected mode system
software.


|=---=[ Memorable experiences

Going backwards in time, those would be: the two 0x41con meetings;
greetz to all the people involved, here's to hoping for the next one.
My first trip to East Asia; amazing history, amazing people, amazing
food. My very first iOS vulnerability - a dyld codesign bypass; I was
stupid enough to pass it down to someone who then used it without my
permission. Taking apart my 1.1.2 OTB iPhone and performing a baseband
hardware unlock by pulling the A17 trace high, following geohot's blog
posts. Understanding the genius behind ZMist. Trying, and failing, to
crack SoftIce; I guess I wanted to have my name on it but I had to
settle with Marquis de Soiree instead. The first contact with a
computer; it changed my life.


|=---=[ Quotes

"The smart way to keep people passive and obedient is to strictly limit
the spectrum of acceptable opinion, but allow very lively debate within
that spectrum."
                                                            -N. Chomsky

"The robber baron's cruelty may sometimes sleep, his cupidity may at
some point be satiated; but those who torment us for our own good will
torment us without end for they do so with the approval of their own
conscience."
                                                            -C.S. Lewis


|=---=[ What's your opinion about Phrack?

I am often asked by young people how and where to find materials
related to hacking and my invariable response would be Phrack. They can
find here pretty much everything, from the venerable stack overflows --
Aleph One's Smashing the Stack for Fun and Profit -- to the most
complex hacking of relatively modern software. Phrack is THE place to
learn about hacking.


|=---=[ What would you like to see published in Phrack?

I believe the most valuable articles are those describing techniques
and not specific bugs. Two of these seminal papers were extremely
important to me: nemo's Modern Objective-C Exploitation Techniques and
saelo's Attacking JavaScript engines. These are only a couple of papers
which allowed hackers to pull their magic for years to come. We
definitely need more of these!


|=---=[ Who or what inspired you to start hacking?

Razor 1911. As a boy, I imagined I would like to crack games and play
them for the rest of my life.


|=---=[ We know that no one will ever admit he's part of the
       underground, but, when and how did you enter it? :>

I did NOT enter the underground when I created my first keylogger, I
think. I just found out about the TSR (terminate and stay resident)
feature of DOS and set out to steal some user passwords from the school
lab. INT 09 ftw!


|=---=[ What do you consider your most notable technical achievement?

I guess the most anticipated response to this question would be: owning
the bootchain. It's not, let me explain why: the bootchain is a mixed
blessing. While it is regarded by many as a Holy Grail, it is truly a
white elephant. First, it was never really needed for continuing
research; second, speaking of such rare bugs is a one-way trip to
killing them; and third, most of the time they end up used by entities
I personally would not like to have them.

My bootchain research started somewhere in 2015 and ended around 2017,
and while it did produce a couple of bugs, I do not consider them to be
notable technical achievements, because they pretty much lack
complexity, with the exception of the most useless one: the HFS+ iBoot
stack overflow.

While this may sound bizarre, I do not rate my hacking on the value of
the end goal itself, but on the complexity of the attack. Most of my
exploits were, in turn, my most notable technical achievement up to
that respective point. If I had to pick one, it was getting shell into
a locked iPhone, about five years ago. And then again this year, with
CVE-2021-30737.


|=---=[ Related to the previous question: Can you give us some
       background information? How and why did you come up with this?
       Can you give us an anecdote related to it?

Back at the time it was considered an extremely hard job, except for
owning the bootchain. It happened in the wake of the FBI vs Apple
lawsuit over backdooring iOS. I set out to do it with the help of some
friends, but we were using some freshly patched bugs. As a result, it
didn't end up being very useful, but the full chain was probably one of
the most complex I have ever written. Also, the experience I accrued
during the process helped me greatly to repeat it five years later
using an 0day with minimal effort.


|=---=[ You have published a lot of work (code, keys, etc) on
       Apple-specific technology. What do you find attractive about
       Apple as a research target?

All the cool kids were doing it. Besides, in the beginning, it was fun
to break into an iPhone, if only to stick it to Apple who thought their
OS was impregnable. But on the other hand, I truly liked their phones,
both from a hardware and software standpoint.


|=---=[ When did you start looking into Apple technology?

I think it was in December 2007, when I got my first iPhone. My boss
gave it to me at the company party as a reward for something I can't
remember. There is a strong probability the whole deal involved bribes
and women of dubious moral standards.


|=---=[ What's your opinion about Apple's stance on software and
       hardware security?

Apple has a lot of code to deal with. The sheer amount of their own
code makes security bugs become almost a certainty, but they are
alleviating this by compartmentalisation and other security
mitigations, with varying degrees of success. Their bug-fixing sucks,
most of the time it is either an incomplete patch or a downright bad
one. They also use a lot of third party code, but do not seem to do a
good job of tracking security fixes in those libraries. This leads to
some of the most embarrassing security problems.

On the hardware front they are doing a pretty good job, however.
Isolating the sensitive crypto material in the Secure Enclave outside
the Application Processor is probably one of the best ideas they had so
far. Unfortunately, they overlooked a couple of things in the early
models (mainly 32-bit SEP), allowing them to be hacked with relative
ease.


|=---=[ What's the future of Apple-related security research (not only
       jailbreaking, more generally speaking) in the light of ARMv8.3
       features (PAC, etc) and Apple's hardware security measures, in
       your opinion?

PAC is a good mitigation because it significantly raises the bar of
gaining an initial foothold, at least in certain scenarios. However,
when PAC first landed it was not as pervasive as it should have been,
protecting only code pointers while leaving out crucial data pointers:
CoreFoundation runtime, internal kernel structures, etc. Apple will also
add MTE to their chips in the near future, which may raise the
difficulty of future exploits even more. But then again, it all depends
on how it will be implemented.

Unfortunately, Apple-related security research boils down to either
using a Security Research Device or using an exploit chain to break
into the iPhone for further exploration. The former is a strong No for
many people because of Apple's Terms and Conditions, while the latter
implies an n-day or even a 0-day. In the near future we can still go
that route, but as the current devices become obsolete and newer ones
come packed with hw mitigations, it will become increasingly difficult.
On the bright side, the Macs are slightly more open for the time being
and fortunately for us, the same research often applies to their mobile
devices because they share an enormous amount of code with the Macs.
This somehow postpones the aforementioned problems for a while.

Another solution would be to resort to iOS/device emulation, but that
holds an uncertain future and is not available to the public at large.
I have no experience whatsoever in this area.


|=---=[ Is the Apple "underground" still as strong as it was, say, 5
       years ago? Relating to the previous question, what do you think
       about its future?

It certainly is not. Many talented researchers have left, become
inactive, gotten a job (at Apple or elsewhere) or entered the exploit
market.


|=---=[ What open problems and emerging technologies do you think are
       good research topics? Current and future.

The best research topics are those areas that are not very well
understood, especially in closed, proprietary systems: basebands, wifi
firmware, etc.


|=---=[ Do you prefer offensive or defensive research? Which of the two
       do you think helps learning and understanding more?

I certainly like both. Defensive is much, much harder though. My
personal experience tells me it's easier to go the offensive route, and
move to the other side once you have gained enough insight and
experience. This allows you to have a clear image about a mitigation in
your system: what are you supposed to defend, where is the security
boundary, how is this mitigation helpful, etc.


|=---=[ What's your take on the IT security industry vs. "the
       underground"?

For a long time, the underground was the crucible from where the new
talent emerged. In the past, it was the only place where one could find
knowledge and acquire true skill. And the Dark Side is more appealing
to youngsters, especially during their teen years. But as they grow
older, they need to get real jobs and oftentimes they join the
Industry. On top of that, things have changed, because nowadays one
could learn about security in school, or from the myriad of published
exploits. This means the Industry can bypass the underground, which is
beginning to fade.


|=---=[ Some claim that the hacking scene is growing old and that there
       are not enough talented young people interested in hacking to
       replace it. What are your thoughts on this?

I believe there are enough talented young people interested. The
"problem" is that they are snatched as young as possible by the
Industry, lured by fat paychecks. As such, their voyage through the
hacking scene is rather short, if at all. This may lead to a starvation
of the scene, at least to some degree.


|=---=[ What is your advice to the new hackers reading this?

Start early, when you have enough energy, time and ideas. Do not
dismiss old techniques and bugs, there is always something to be
learned in those lessons. More often than not, there is an overlooked
bug next to the one that just got patched. Also, no amount of books,
slides and papers can beat hands-on experience, ever. Roll up your
sleeves and prepare to dive in.


|=---=[ What was your most "enlightening" insight so far? Either
       technical or not (or both).

Time is our most precious resource during our lifetime. It is probably
the only thing one can never recoup or buy. Use it wisely and enjoy
life. Hack away as long as hacking brings joy and satisfaction, and
then move on.


|=---=[ What is your stance on full-disclosure vs non-disclosure? Are
       there situations where both are needed, or is it one or the
       other?

I am leaning towards full-disclosure. While there may be circumstances
in which non-disclosure is preferable, I still think full-disclosure
raises the awareness of certain bugs and forces both the software
vendor and the customers to realize the gravity and patch as soon as
possible.


|=---=[ What is the future of hacking? The future of "the underground"?

Very few hackers are left to hack for the sake of hacking. Most of them
get early jobs in security, but oftentimes they end up doing boring
stuff. On top of that, the bar for hacking the most interesting targets
nowadays is much higher than, say, ten or twenty years ago. My personal
feeling is that hackers gonna hack, but the golden age is behind us
now.


|=---=[ What do you think is the role of Phrack in the current "scene"
       that is dominated by "cons"?

Cons are a great way of meeting friends and new people in the field,
having fun and, generally speaking, networking. However, a deck of
slides will never be as detailed as a white-paper, or an elaborate
article. And this is where Phrack shines. Another aspect is that Phrack
goes back in history. There is plenty of material starting from the
simplest to the more complex hacking techniques and it is the go-to
place for a newbie.


|=---=[ What do you think the biggest infosec challenges for the next 5
       years are/will be? And what should be done about them?

The hardest problem in the short to medium term is to protect our
privacy. On one hand, governments are pressuring for backdooring crypto
and on the other hand, dubious entities are trying to break it. I have
no idea how this will pan out, but I'm not very optimistic about it.
Governments will eventually have their way, babbling something about
the Greater Good or something in that vein. The other guys will have
their way by trying to own the endpoints, but that is not likely to
happen en masse.

Speaking of endpoint security, I believe the web browsers and their
ever-increasing complexity will be the bane of our existence for years
to come. The browsers wield way too much expressive power on the
client-side which can be used to bypass all sorts of mitigations.

Another issue that plagued us for the past several years, vaguely
related to the above, is the multitude of breaches that happened left
and right, exposing troves of user data from big corps' supposedly
secure databases. The easiest way to prevent such disasters is to avoid
storing said data, but I'm afraid that will never happen, because it
conflicts with their mercantile interests.


|=---=[ Open question. Anything more you would like to say to Phrack
       readers?

I would like to thank the Phrack staff for this honour, I am both
flattered and humbled to be prophiled. That said, I'm pretty sure there
are at least several dozen hackers who are ten times better than me, or
have lived much more interesting lives. Kudos to all of you, you know
who you are!


|=[ EOF ]=---------------------------------------------------------------=|