If I'm reading the last few slides correctly, the tl;dr is something like:
- They haven't found any actual attacks.
- Because the secure enclave runs so little code, there's very little attack surface in software, and much of what there is (mainly message passing between the secure and normal environments) seems solid. The only likely possibility is the wrapper code around IMG4.
- However, if there is an exploit in IMG4, there aren't many mitigation techniques (stack canaries, ASLR) built in, so it would be likely to succeed (again, conditional on there actually being an exploit).
- Attacking hardware might be possible, but mainly on older devices, because the >= A8 chips have extensive protection against side-channel and power analysis attacks.
- One "game over" possibility would be blocking the "fuse signal" that tells the CPU that the secure enclave has been compromised. This would allow for replay attacks. However, this would require extremely capable hardware for both analyzing the chip lines and actually performing the attack. If it's possible at all, it would definitely be restricted to NSA-like scenarios.
They do conclude that the iPhone security features seem "light-years ahead of competitors" (their words), and coming from a Blackhat presentation, that actually means something.
Not just a Black Hat presentation, but from Azimuth, who are among the coolest of the cool kids. This is Mark Dowd and John McDonald's company. The people giving this talk are... not the "B" team.