With its rapid evolution, Apple has deployed many mechanisms in iOS to defend against potential threats and risks. Among system components, the filesystem is considered the last line of defense against attackers' attempts to steal and tamper with users' private data, as well as against permanent damage such as the installation of backdoors or malicious applications.
Balancing security and performance, Apple recently proposed and deployed a new filesystem, the Apple File System (APFS), on iOS and macOS. On iOS in particular, as required by the system's rigorous security policies, APFS has adopted several protection mechanisms to prevent critical files and directories from being tampered with, even in the face of attackers with kernel privileges. In our study, however, we found that these mechanisms are not as secure as they are supposed to be, and we discovered ways to exploit or bypass them.
In this talk, we will first introduce the architecture of the filesystem on Apple systems as well as the basic structure of APFS. We will then explain previous attacks on APFS and illustrate APFS's new mitigation through several experiments. Most importantly, we will present a new attack that bypasses APFS's mitigation and allows an attacker to tamper with any file or directory on the system.
The knowledge of the APFS architecture, its weak points, and our new attack presented in this talk is indispensable to iOS hackers and jailbreakers, and has not been thoroughly covered in any previous talk. We believe that our talk will inspire the design of a more secure filesystem on Apple systems.