Bellcore RSA 故障注入攻击使 apsd 的白盒 RSA 成功导出私钥。
有点抱歉的讲,iOS 平台构建测试环境过于复杂,本文是在 macOS 26.3 Intel x64 环境下做的测试。
macOS 26.3 apsd source version 1138.400.1
Bellcore 故障注入攻击原理
Bellcore 攻击(也称 Boneh-DeMillo-Lipton fault attack)利用 RSA-CRT 签名中的单次计算故障来分解 N。
标准 RSA-CRT 签名会分别计算 sp = m^dp mod p 和 sq = m^dq mod q,再用 CRT 合并。若在计算 sq 时注入故障,得到错误的 sq’,则合并后的错误签名 sig_faulty 满足:
sig_faulty ≡ m (mod p) (p 分支正确)
sig_faulty ≢ m (mod q) (q 分支被破坏)
此时 GCD(sig_faulty^e - m, N) = p,N 被分解,私钥可直接计算。
这个攻击只需要一次正确签名和一次故障签名,不需要知道明文私钥的任何信息。
攻击过程
1.构造一个 Mach-O 进程模拟器,加载 macOS apsd 二进制
2.apsd 的 RSASign 函数依赖的调用链是最纯最简单的,所以拿它做实验
3.需要定位 2 个关键函数:
imageBase+0x138460 — RSA 签名入口,调用方式:(derDigestInfoSHA1, 35, sigBuf, &sigLen, certBuf, &certLen). 其中 derDigestInfoSHA1 是 PKCS#1 v1.5 DigestInfo(SHA-1) imageBase+0x154270 — 是白盒 RSA 中 modular reduction 的关键步骤
4.正常调用签名函数,得到 sig_correct 和完整证书链
5.再次调用签名函数,当 modular reduction 被命中第 400 次时,将 RSP+0x448 处的 64 字节覆写为零,继续执行得到 sig_faulty
6.计算 GCD(sig_faulty^e - sig_correct^e mod N, N) = p,分解 N,求解私钥 d = e^(-1) mod φ(N)
一点思考
Apple apsd 的 RSASign 函数与设备推送认证相关,用 FairPlay 证书对 apple device activation 做应用层签名,告诉苹果服务器”这是自己人”。为了防止私钥被提取,苹果使用了 OLLVM 对代码做了各种混淆处理。他的 OLLVM 状态机挺复杂的,直接还原该代码难度特别高。RSA 算法的实现,苹果使用了 FairPlay 团队的 RSA White-Box。
RSA White-Box 比较朴素的理解就是:从 RSASign 函数进入到签名完成的任意时刻,搜索 heap 和 stack 都不会找到明文的 RSA 私钥参数(d、p、q 等)。密钥被编码进查找表中,运算通过查表完成,中间值也经过编码变换,内存中始终不出现可识别的密钥材料。
关于 White-Box 密码学的历史:
白盒密码学最早由 Stanley Chow 等人于 2002 年在 Cloakware 公司提出(WB-AES / WB-DES),核心思想是将密钥嵌入查找表使得即使攻击者完全可观察内存也无法提取密钥。Cloakware 后来被 Irdeto 收购。Apple 的 FairPlay DRM 中的白盒实现与这一学术/商业路线一脉相承 — FairPlay 本身也是收购而来的技术。然而 Bellcore 攻击绕过了白盒保护的核心假设:它不需要观察或提取密钥,只需要在正确的位置注入一个故障,通过比较正确输出和错误输出的数学关系就能分解 N。白盒保护了密钥的机密性,但没有保护计算过程的完整性。
信任链
subject=C=US, O=Apple Inc., OU=Apple FairPlay, CN=APN.3333AF100723AF0002AF000005
issuer=C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple FairPlay Certification Authority
notBefore=Jul 23 02:30:10 2010 GMT
notAfter=Jul 22 02:30:10 2015 GMT
serial=3333AF100723AF0002AF000005
结果
—–BEGIN RSA PRIVATE KEY—–
MIICXgIBAAKBgQDDzegvSBrw6I6SZsJBR2ppUpfup17LkfL6a13G8lDuoZ5T84lJ xKC9F5eMG/ZxHrCMbzVJhrfWwEWVSMWYwYIjfdsB4TKCJ10w6fzq/KFLA5PVQ2TS zGvcjuq5WLOU/QSnTO54xaH3Oi70ZTKenkAi8Ew6uhTFuYZh1VJUbAvsCQIDAQAB AoGBALTtuVSnXi2p1sQ1K97CLPPxm+6svY2B6XG4cEj7dAltUi3k5cFCbf0Mpb6T wB866ox53lV4pLtNo36UZfIHLUYbr3aFyhosISTOAe5EG/Gn4HnBNwuovMEzm7hy 3S5HU3t3fKs8CffmNJldVHgmKIrsZjr27RMUUUPHBIShm9cZAkEA7+RGJ/7muqaP kCLIxvmtZ9KwD9B4CA7rzdepIro6VxAx4QfzI1fhPDRvoZP56fTXxzL+ItfTPadi dxUzJF26twJBANDzxfTwnLnH6owE6cy0owupDzZMbTuoPQFx1x9IfmasJpPH3uMj 7hohciWtlcVG1VlEw6IEhT5CnEcdKgwHzz8CQQDIX77t528n1roxpaxY7vIVt5kS DIpGCNiTniCLfkv+rutK0I4ZJm1fEVlw+B4WeknF/GTkC6xJYkfPueh25sdvAkBZ FnZiNmw78XaY+EdOlf2mLRBlUDSKaPKJuSXFGr15vRA9lcv8AAe2cGgglF/02nyA MQdP/qlooDHNSCvzMSk1AkEAoF7ufUn8ihbPDoiLtaG8SaZiAYUZ7nXpKALw8T3z MwtOWQtkSojOonjT2INrlzgtPJLx/t6dhOJyDsb5Mg0v2g==
—–END RSA PRIVATE KEY—–
—–BEGIN CERTIFICATE—–
MIICwTCCAiqgAwIBAgINMzOvEAcjrwACrwAABTANBgkqhkiG9w0BAQUFADB7MQsw CQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUg Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkxLzAtBgNVBAMTJkFwcGxlIEZhaXJQbGF5 IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEwMDcyMzAyMzAxMFoXDTE1MDcy MjAyMzAxMFowZDELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xFzAV BgNVBAsTDkFwcGxlIEZhaXJQbGF5MScwJQYDVQQDEx5BUE4uMzMzM0FGMTAwNzIz QUYwMDAyQUYwMDAwMDUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPN6C9I GvDojpJmwkFHamlSl+6nXsuR8vprXcbyUO6hnlPziUnEoL0Xl4wb9nEesIxvNUmG t9bARZVIxZjBgiN92wHhMoInXTDp/Or8oUsDk9VDZNLMa9yO6rlYs5T9BKdM7njF ofc6LvRlMp6eQCLwTDq6FMW5hmHVUlRsC+wJAgMBAAGjYDBeMA4GA1UdDwEB/wQE AwIDuDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRkPZaj52h5PzHnzvJX5JMxIEx5 hzAfBgNVHSMEGDAWgBT6DdQRkRvmsk4eBkmUEd1jYgdZZDANBgkqhkiG9w0BAQUF AAOBgQBd2WQMFdMZBknOecC/xfFQh9Z9bLlu9+2jP/rbVTiYUXS8ofajz4luRybi rzIs7x68AKErKvbWzGOBF3+31UxKyoWe8Hy0ICWXXwHAyta9SnFUq8otgDHLjNvi ys9SppIPvtCeMXQBu3fsCu3j9NQ8TIszHR4FsFHWSBGimDcQKA==
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—– MIIDcTCCAlmgAwIBAgIBETANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDcwMjE0MTky MDQxWhcNMTIwMjE0MTkyMDQxWjB7MQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBw bGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx LzAtBgNVBAMTJkFwcGxlIEZhaXJQbGF5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyZzxdKueP8nfP7zG80QT96p/Q himQCqP/ZErvafQKue/ExGPKOi0hPVKMI4kpqtsX3MsoxGnNciTCEMH0eB0xFsXm 6hkdKjO+gKvcEUgGKh8OYYHNeZpdEvSEkMh89nibUvj68YhuEHL4XcuI7LZVFJek TQvBTydnmaaks9farQIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMB Af8EBTADAQH/MB0GA1UdDgQWBBT6DdQRkRvmsk4eBkmUEd1jYgdZZDAfBgNVHSME GDAWgBQr0GlHlHYJ/vRrjS5ApvdHTX8IXjA2BgNVHR8ELzAtMCugKaAnhiVodHRw Oi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhL3Jvb3QuY3JsMA0GCSqGSIb3DQEBBQUA A4IBAQDAoHP4Heoc0c3FhnWku+tAxWotDP5b/G7BW9dIfUCpYS1LN3A47waRS68R wh+V7ogzb19y6vbVdrVXWHHwPhDD1S67L6Y6c8IyZQpWBBYZmE0LeG3Qo3RkmFT0 p9cdov8qw3kAspnn57vVBqLrSTNpZ0EBma1osNN69JXg/SSIKhDno2j/rXv62brx pX/Kk6LOAzcDZoWTBRsx9nWCky/T8No5Nz1f/rrNmnDABosi7qnOBG4kaTsWUqXA 8sCuQ3CEuyGRQ8u7t+pbupPgt3eJ701WBDNdzlxZMafXO0VWEc2uy5sOoM/ck6jK xVh4AAXZmavWXofqknM0VKOTGKSD
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—– MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDYwNDI1MjE0 MDM2WhcNMzUwMjA5MjE0MDM2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBw bGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx FjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQDkkakJH5HbHkdQ6wXtXnmELes2oldMVeyLGYne+Uts9QerIjAC6Bg+ +FAJ039BqJj50cpmnCRrEdCju+QbKsMflZ56DKRHi1vUFjczy8QPTc4UadHJGXL1 XQ7Vf1+b8iUDulWPTV0N8WQ1IxVLFVkds5T39pyez1C6wVhQZ48ItCD3y6wsIG9w tj8BMIy3Q88PnT3zK0koGsj+zrW5DtleHNbLPbU6rfQPDgCSC7EhFi501TwN22IW q6NxkkdTVcGvL0Gz+PvjcM3mo0xFfh9Ma1CWQYnEdGILEINBhzOKgbEwWOxaBDKM aLOPHd5lc/9nXmW8Sdh2nzMUZaF3lMktAgMBAAGjggF6MIIBdjAOBgNVHQ8BAf8E BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUK9BpR5R2Cf70a40uQKb3 R01/CF4wHwYDVR0jBBgwFoAUK9BpR5R2Cf70a40uQKb3R01/CF4wggERBgNVHSAE ggEIMIIBBDCCAQAGCSqGSIb3Y2QFATCB8jAqBggrBgEFBQcCARYeaHR0cHM6Ly93 d3cuYXBwbGUuY29tL2FwcGxlY2EvMIHDBggrBgEFBQcCAjCBthqBs1JlbGlhbmNl IG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0 YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBj b25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZp Y2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMA0GCSqGSIb3DQEBBQUAA4IBAQBc NplMLXi37Yyb3PN3m/J20ncwT8EfhYOFG5k9RzfyqZtAjizUsZAS2L70c5vu0mQP y3lPNNiiPvl4/2vIB+x9OYOLUyDTOMSxv5pPCmv/K/xZpwUJfBdAVhEedNO3iyM7 R6PVbyTi69G3cN8PReEnyvFteO3ntRcXqNx+IjXKJdXZD9Zr1KIkIxH3oayPc4Fg xhtbCS+SsvhESPBgOJ4V9T0mZyCKM2r3DYLP3uujL/lTaltkwGMzd/c6ByxW69oP IQ7aunMZT7XZNn/Bh1XZp5m5MkL72NVxnn6hUrcbvZNCJBIqxw8dtk2cXmPIS4AX UKqK1drk/NAJBzewdXUh
—–END CERTIFICATE—–
[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
最后于 21小时前
被ppbb编辑
,原因:
