Why on earth would you have a heap in a zero-stage-burned-into-chip bootloader, not to mention a USB stack. It's just self-inflicted harm at this point.
Also DFU is not the world's best protocol, I am surprised Apple didn't just roll their own. It isn't exactly hard to replace DFU with something simpler that gets the job done.
> Either all the senior engineers and PhDs working for Apple are idiots, or it’s harder than you think.
I was part of a team that rolled our own firmware update mechanism at Microsoft . (I didn't work on the replacement myself, the engineer sitting next to me did.)
And deeply embedded USB stacks w/o a heap aren't exactly uncommon, considering malloc is forbidden in a large % of firmware.
I'm sure the choice was made by a small team back when iPhone was still a carefully guarded secret inside the company, and it's stuck around since then.
It's entirely possible that it was a "good enough for now" decision, and that the next bootrom will include additional hardening based on this attack.
As has been well documented, while Apple the organization may have practically unlimited resources, specific teams within Apple do not, so a lot of stuff is sort of "if it ain't broke" mode until the CADT model kicks in and they do a total rewrite and close all the old bugs.
One slide says for some roms:
No crash is triggered whatsoever as the ROM is deterministic enough that the buffer is reallocated in the same place every time upon USB stack initialization.
We aren't looking at the code, but "deterministic reallocation" or just static storage class? Seems like dynamic memory allocation was introduced recently into this rom. And why is a good question.
