> The way he managed to beat a trillion dollar corporation was through the kind of simple but tedious and boring work that Apple sucks at: regression testing.
> Because, you see: this has happened before. On iOS 12, SockPuppet was one of the big exploits used by jailbreaks. It was found and reported to Apple by Ned Williamson from Project Zero, patched by Apple in iOS 12.3, and subsequently unrestricted on the Project Zero bug tracker. But against all odds, it then resurfaced on iOS 12.4, as if it had never been patched. I can only speculate that this was because Apple likely forked XNU to a separate branch for that version and had failed to apply the patch there, but this made it evident that they had no regression tests for this kind of stuff. A gap that was both easy and potentially very rewarding to fill. And indeed, after implementing regression tests for just a few known 1days, Pwn got a hit.
And now I wonder how many other projects are doing this. Is anyone running a CI farm running historical vulnerabilities on new versions of Linux/FreeBSD/OpenWRT/OpenSSH/...? It would require that someone wrote up each vulnerability in automated form (a low bar, I think), have the CI resources to throw at it (higher bar, though you could save by running a random selection on each new version), care (hopefully easy), and think of it (surprisingly hard).
jdwithit · 3h ago
Yes, regression testing--making sure bugs you've fixed don't return--is a standard part of QA. I did volunteer QA for Mozilla in college a good 20 years ago (god that number is horrifying) and they had an ever-growing suite of regression tests. Mostly for rendering/layout or JavaScript engine bugs, since part of reproducing and proving you'd fixed those was creating a minimal test case. Which you could then easily throw into the build pipeline.
Bugs are a fact of life, but burning time and money to fix them only to have them return is the worst case scenario. Organizations that care about quality are definitely investing in regression testing. Unfortunately a whole lot of orgs give QA zero respect and offshore it to the lowest bidder, if they do it at all. It's absolutely insane to me that Apple wouldn't have regression tests for jail breaks, some of the most high profile bugs in history.
You can fairly criticize Mozilla for a number of things these days. But they had a very robust QA and CI/CD setup in the early 2000s with tools like Tinderbox and Bugzilla. When DevOps came around and popularized it I was like wait, people weren't already doing this stuff??? Turned out I had been living in a bubble and that was not the norm at all.
edoceo · 2h ago
There is a FOSS project I've seen but cannot remember the name of currently (beer) but I do recall their test case directory, one for each issue of merit. Thousand of them, easy. Might of been Sqlite. Something to look up to. I guess if you're not back porting fixes you'd likely not back port the tests either.
bcoates · 4h ago
I think the underlying problem is that lots of orgs have siloed out security stuff into its own workflow and its own class of bugs.
It's basically Conway's law applied to the security/feature development split.
So even if they have a build/release procedure with a mature regression test suite it probably wouldn't have "security" issues like this in it just as a matter of internal organization
KennyBlanken · 7h ago
> And now I wonder how many other projects are doing this.
If by 'projects' you mean intelligence agencies, then I would say it's safe to assume at least the G10 intelligence agencies are doing this along with Russia, China, NK - and likely a huge number of private groups.
weinzierl · 8h ago
I've heard Apple pays a million for Jailbreaks now. That's the lower bound for the price on the free market.
That's cool, Apple's bug bounty didn't exist ten years ago. Apple's bug bounty does max out at $1 million (although you can get bonus multipliers up to $2mil). Just read the content before throwing down the gotcha.
ThinkBeat · 5h ago
Is there a way to contact Apple to apply for millions of dollars
if one has a jailbreak?
X: Hi AppLE I haz jailb8?
Or is it via one of the intermediaries?
Or is there an email or some such that is published?
(That will not to straight to 1st level support and forgotten about)
Bear in mind: different buyers and different price structured. You can get more selling a vulnerability to CNE shops (say: every intelligence organization in Germany), but you'll be accepting more risk --- the payments are effectively tranched (or, equivalently, back-loaded on "maintenance" fees), and if the vulnerability dies you're S.O.L. Apple also won't make you build all the reliable exploitation enablement tooling a CNE buyer will. So: they pay less.
ivanjermakov · 8h ago
If this is the case Apple employed an amazing strategy. By locking all ways to possibly root their devices they patch vulnerabilities discovered for free by jailbreak devs.
ejpir · 8h ago
but they haven't, the article says the "private" community still has exploits and apple patches them. The public, like the dev, for some reason, don't anymore.
tptacek · 8h ago
They're exclusive to private communities because they're very expensive, and getting more expensive over time; in other words, Apple's strategy has driven the cost of exploiting iOS up.
Anything public is dead, which is what you want to see.
bri3d · 7h ago
I’m not sure I agree with the premise here, although I agree with the conclusion w.r.t Apple specifically.
I’m 100% positive from experience doing VR in several non-iOS spaces that increased exploit value leads to fewer published public exploits, but! This is not a sign that there are fewer available exploits or that the platform is more difficult to exploit, just a sign that multiple (and sometimes large numbers) of competing factions are hoarding exploits privately that might otherwise be released and subsequently fixed.
As a complementary axiom, I believe that exploit value follows target value more closely than it does exploit difficulty, because the supply of competent vulnerability researchers is more constrained than the number of available targets. That is to say, someone will buy a simple exploit that pops a high value target (hello, shitty Android phones) for much more money than a complex exploit that pops a low value target. There are plenty of devices with high exploit value and low exploit publication rate that also have garbage security.
With that said, Apple specifically are a special (and perhaps the only) case where they are “winning” and people are genuinely giving up on research because the results aren’t worth the value. I just don’t think this follows across the industry.
maldev · 1h ago
IOS requires so many exploits in the chain since they effectively sign system calls, and capabilities by each app at two steps. So you may be able to interact with another process, but only whitelisted processes. The kernel is also Immutable so persistence is impossible. They do a level of boundary checks that only Apple can do, and also have special telemetry flags on critical processes that either mean they're looking to end of life a pathway.
No other OS can restrict on this level and it makes it so not only do you need an exploit for say the Javascript engine, you also need an exploit for like 10 other pathways. The reason for this is since the kernel is immutable and checked out the wazoo, you get "Jailbreaks" by modifying different services and system processes and getting a capability from those apps. Which is where the exploit is required for them or an approved peer. But apple also has telemtry for what each app is doing with eachother.
tptacek · 4h ago
I don't think I reach the deeper questions here, and pretty much just get back to "if it was cheap, Apple would have killed it already"; in that set of circumstances there can't be viable public exploits (or broad workable bug classes to fish from) to work with.
Sucks if you're part of a public jailbreaking community, but, of course, good if you're a user.
numpad0 · 6h ago
Jailbreaks need an itch to scratch. There isn't one for Ubuntu Desktop.
hsbauauvhabzb · 7h ago
Is this actually true? Jailbreaks are more or less the same exploits used by things like Pegasus, the exploits are probably worth more to the individuals that discover them than the ability to give their friends access to side loaded apps
burnt-resistor · 4h ago
That's the rub of relative integrity. It's variably easier for some to rationalize taking the cash, even if that giant pile of coin is likely to lead to the imprisonment, deaths, and/or torturing of others for better or for worse.
hsbauauvhabzb · 4h ago
My question wasn’t about ethics and I’d rather keep it that way.
> Because, you see: this has happened before. On iOS 12, SockPuppet was one of the big exploits used by jailbreaks. It was found and reported to Apple by Ned Williamson from Project Zero, patched by Apple in iOS 12.3, and subsequently unrestricted on the Project Zero bug tracker. But against all odds, it then resurfaced on iOS 12.4, as if it had never been patched. I can only speculate that this was because Apple likely forked XNU to a separate branch for that version and had failed to apply the patch there, but this made it evident that they had no regression tests for this kind of stuff. A gap that was both easy and potentially very rewarding to fill. And indeed, after implementing regression tests for just a few known 1days, Pwn got a hit.
And now I wonder how many other projects are doing this. Is anyone running a CI farm running historical vulnerabilities on new versions of Linux/FreeBSD/OpenWRT/OpenSSH/...? It would require that someone wrote up each vulnerability in automated form (a low bar, I think), have the CI resources to throw at it (higher bar, though you could save by running a random selection on each new version), care (hopefully easy), and think of it (surprisingly hard).
Bugs are a fact of life, but burning time and money to fix them only to have them return is the worst case scenario. Organizations that care about quality are definitely investing in regression testing. Unfortunately a whole lot of orgs give QA zero respect and offshore it to the lowest bidder, if they do it at all. It's absolutely insane to me that Apple wouldn't have regression tests for jail breaks, some of the most high profile bugs in history.
You can fairly criticize Mozilla for a number of things these days. But they had a very robust QA and CI/CD setup in the early 2000s with tools like Tinderbox and Bugzilla. When DevOps came around and popularized it I was like wait, people weren't already doing this stuff??? Turned out I had been living in a bubble and that was not the norm at all.
It's basically Conway's law applied to the security/feature development split.
So even if they have a build/release procedure with a mature regression test suite it probably wouldn't have "security" issues like this in it just as a matter of internal organization
If by 'projects' you mean intelligence agencies, then I would say it's safe to assume at least the G10 intelligence agencies are doing this along with Russia, China, NK - and likely a huge number of private groups.
That boundary was broken in 2015, about a decade ago: https://www.dailymail.co.uk/sciencetech/article-3301691/New-...
X: Hi AppLE I haz jailb8?
Or is it via one of the intermediaries?
Or is there an email or some such that is published? (That will not to straight to 1st level support and forgotten about)
Anything public is dead, which is what you want to see.
I’m 100% positive from experience doing VR in several non-iOS spaces that increased exploit value leads to fewer published public exploits, but! This is not a sign that there are fewer available exploits or that the platform is more difficult to exploit, just a sign that multiple (and sometimes large numbers) of competing factions are hoarding exploits privately that might otherwise be released and subsequently fixed.
As a complementary axiom, I believe that exploit value follows target value more closely than it does exploit difficulty, because the supply of competent vulnerability researchers is more constrained than the number of available targets. That is to say, someone will buy a simple exploit that pops a high value target (hello, shitty Android phones) for much more money than a complex exploit that pops a low value target. There are plenty of devices with high exploit value and low exploit publication rate that also have garbage security.
With that said, Apple specifically are a special (and perhaps the only) case where they are “winning” and people are genuinely giving up on research because the results aren’t worth the value. I just don’t think this follows across the industry.
No other OS can restrict on this level and it makes it so not only do you need an exploit for say the Javascript engine, you also need an exploit for like 10 other pathways. The reason for this is since the kernel is immutable and checked out the wazoo, you get "Jailbreaks" by modifying different services and system processes and getting a capability from those apps. Which is where the exploit is required for them or an approved peer. But apple also has telemtry for what each app is doing with eachother.
Sucks if you're part of a public jailbreaking community, but, of course, good if you're a user.