Wireless chips and their host interfaces expose a substantial remote attack surface. To date, most cellular baseband security research targets the Android ecosystem, leaving a large gap on Apple devices. With iOS jailbreaks, the latest generation of wireless chips becomes reasonably accessible for performance and security research. Yet iPhones were never intended as a research platform, and their chips and interfaces are undocumented. One protocol used to interface with such chips is Apple Remote Invocation (ARI), which interacts with the central telephony component CommCenter and with multiple user-space daemons, and thereby constitutes a Remote Code Execution (RCE) attack surface. We are the first to reverse-engineer and fuzz-test the ARI interface on iOS. Our Ghidra scripts automatically generate a Wireshark dissector, called ARIstoteles, by parsing the closed-source iOS libraries that implement this undocumented protocol. Moreover, we compare the quality of this dissector to fully automated approaches based on static trace analysis. Finally, we fuzz the ARI interface based on our reverse-engineering results. The fuzzing results indicate that ARI not only lacks public security research but has also not been well tested by Apple. By releasing ARIstoteles as open source, we also aim to facilitate similar research in the future.