DOCSLIB.ORG

Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on Ios

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on Ios Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS Luke Deshotels Costin Carabas, Jordan Beichler North Carolina State University, University POLITEHNICA of Bucharest North Carolina State University Samsung Research America [email protected] [email protected] [email protected] Razvan˘ Deaconescu William Enck University POLITEHNICA of Bucharest North Carolina State University [email protected] [email protected] Abstract—Apple uses several access control mechanisms to posed to other applications. However, several features (e.g., prevent third party applications from directly accessing secu- dynamic dispatching for method calls) make data flow rity sensitive resources, including sandboxing and file access analysis less practical for iOS binaries. To the best of our control. However, third party applications may also indirectly access these resources using inter-process communication (IPC) knowledge, there exists no systematic enumeration of iOS with system daemons. If these daemons fail to properly enforce remote methods accessible to third party applications. The access control on IPC, confused deputy vulnerabilities may closest related work is existing IPC fuzzers for iOS [2], result. Identifying such vulnerabilities begins with an enumer- [22], [30] that probe for code flaws such as type confusion ation of all IPC services accessible to third party applications. or dereferencing vulnerabilities, which can be exploited However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at to obtain arbitrary code execution. However, these fuzzers a large scale. In this paper, we present the Kobold framework do not attempt to enumerate remote methods or identify to study NSXPC-based system services using a combination confused deputy vulnerabilities. From a policy perspective, of static and dynamic analysis. Using Kobold, we discovered SandScout [10] and iOracle [9] detect access control policy multiple NSXPC services with confused deputy vulnerabilities flaws in iOS; however, they are limited to the file system. and daemon crashes. Our findings include the ability to activate the microphone, disable access to all websites, and leak private iOS system daemons frequently protect IPC using static data stored in iOS File Providers. capabilities called entitlements, which are immutable key- value pairs bound to an executable’s code signature at Keywords-access control, iOS, iPhone, inter-process commu- nication, fuzzer, attack surface, automation, policy analysis compile time. To enforce access control policy on IPC, system daemons often use hard-coded conditional checks based on a caller’s entitlements. Unfortunately, there is I. INTRODUCTION limited understanding of IPC on iOS, despite the growing Apple’s iOS App Store offers over 2 million applica- amount of literature on iOS application [4], [8], [12], [19], tions [26], and in 2017 was used by half a billion customers [25], [29] and platform security [9], [10]. iOS defines several per week [27]. To protect users, third party applications run IPC interface abstractions, many of which exist for legacy within the confines of a sandbox that limits the number of reasons. The state-of-the-art interface type is called XPC.1 directly accessible resources. However, applications can also This paper focuses on the object-oriented version of XPC indirectly access sensitive resources through inter-process called NSXPC (Next Step XPC). Specifically, we seek communication (IPC) with system daemons. For example, an to answer: Which security and privacy sensitive NSXPC application does not have direct access to a user’s calendar, methods are accessible to third party applications? The but can use services provided by a calendar managing answer represents an attack surface of remote methods that daemon to view and modify calendar events. If a system may be exploited by third party apps through IPC. daemon does not properly enforce access control, a third- To answer this question, we address three research chal- party application may be able to abuse the daemon as a lenges. First, the set of entitlements available to third party confused deputy [20] to perform some action that damages applications is unknown. We identify two sets of entitle- the system or violates the user’s privacy. ments available to third party applications: a public set IPC-based confused deputy vulnerabilities are not new. accessible to all developers, and a semi-private set that Apple Woodpecker [17] uses data-flow analysis on pre-loaded Android applications to enumerate dangerous services ex- 1To the best of our knowledge, Apple has not expanded this acronym provides only to select developers. For example, the Uber not restricted to a specific version of iOS and can be used application was found to possess a potentially dangerous en- to study new versions as they are released. titlement normally unavailable to third party applications [6]. The remainder of the paper proceeds as follows. Section II Second, the set of NSXPC services accessible to third party provides background on iOS IPC and access control. Sec- applications is unknown. The executables that provide these tion III overviews Kobold. Section IV details the implemen- services are closed source and there is no centralized policy tation of Kobold. Section V presents the results of the semi- mapping services to their entitlement requirements. Third, private entitlement survey. Section VI quantifies the ports, which NSXPC services are security or privacy sensitive is methods, arguments, and entitlement requirements enumer- unknown. The semantics of these services are not publicly ated by Kobold. Section VII demonstrates Kobold’s ability documented, and data flow analysis in iOS is nontrivial. to detect previously unknown policy flaws and crashes. In this paper, we present the Kobold2 framework for Section VIII discusses limitations. Section IX overviews studying NSXPC services in iOS. Kobold leverages two related work. Section X concludes. key insights. First, the standardized IPC interfaces (e.g., NSXPC) contain predictable patterns in compiled code that II. BACKGROUND are identifiable via static analysis. Second, error messages iOS is Apple’s operating system for mobile devices (i.e., returned by unauthorized attempts to access IPC services can iPhone, iPad, iPod). It is very similar to macOS, watchOS, provide a model of the iOS IPC access control policy. Using and tvOS, which are all based on the XNU (X is Not Unix) these insights, Kobold provides a pattern-based, static binary kernel. XNU is a hybrid kernel that combines the Mach program analysis to enumerate NSXPC interfaces and then microkernel, FreeBSD, and a driver framework called I/O dynamically uses systematic probing to extract an approxi- Kit. Mach provides much of the Inter-Process Communica- mation of the access control policy encoded by conditional tion (IPC) functionality through mach-messages. FreeBSD checks within a given service. We used Kobold to study provides the file system and the TrustedBSD Mandatory iOS 9, 10 and 11 and found multiple NSXPC services with Access Control (MAC) Framework, which allows Apple confused deputy vulnerabilities and daemon crashes. The to hook system calls and implement sandboxing. Finally, discovered vulnerabilities allow third-party applications to as interfaces between user space and kernel space, I/O activate the microphone, disable access to all websites, and Kit drivers are often the target of fuzzing. The remainder leak private data stored in iOS File Providers. All issues of this section will explain Mach IPC and access control have been reported to Apple. At the time of writing, Apple mechanisms that regulate IPC on iOS. has provided two CVEs in response to our disclosure and is working to resolve remaining issues. After fixes are made, A. Mach IPC we plan to publicly release Kobold as open source code. This paper makes the following contributions: IPC on iOS is built upon the Mach microkernel. The • We present Kobold, the first framework for evaluating primitive components of Mach IPC are mach-messages NSXPC access control policies implemented in iOS and mach-ports. A service-providing process can host re- system code. Kobold enumerates the NSXPC services mote methods by registering a name for a mach-port, and accessible to third party applications and uses heuristics clients can send messages to that port in order to call to determine which services are likely to be exploited. the remote methods. The mach-port name registration is • We perform the first measurement of semi-private enti- facilitated by launchd, which also assists clients in con- tlements. We analyze approximately six thousand popu- necting to mach-ports. For example, the location daemon, lar third party applications and 100 thousand randomly locationd, offers remote methods on the mach-port named selected third party applications to determine which “com.apple.locationd.registration”. A client process can ac- semi-private entitlements Apple distributes to an undis- cess these methods by asking launchd to connect it to the closed subset of third party developers. “com.apple.locationd.registration” mach-port. If the connec- • We identify previously unknown security issues includ- tion is successful, the client can then send messages to the ing three categories of confused deputy vulnerabilities server via the mach-port. If the messages are well formed, and fourteen daemon crashes. Our findings include and the
Load more

Recommended publications
  • Joseph Migga Kizza Fourth Edition
    Computer Communications and Networks Joseph Migga Kizza Guide to Computer Network Security Fourth Edition Computer Communications and Networks Series editor A.J. Sammes Centre for Forensic Computing Cranfield University, Shrivenham Campus Swindon, UK The Computer Communications and Networks series is a range of textbooks, monographs and handbooks. It sets out to provide students, researchers, and nonspecialists alike with a sure grounding in current knowledge, together with comprehensible access to the latest developments in computer communications and networking. Emphasis is placed on clear and explanatory styles that support a tutorial approach, so that even the most complex of topics is presented in a lucid and intelligible manner. More information about this series at http://www.springer.com/series/4198 Joseph Migga Kizza Guide to Computer Network Security Fourth Edition Joseph Migga Kizza University of Tennessee Chattanooga, TN, USA ISSN 1617-7975 ISSN 2197-8433 (electronic) Computer Communications and Networks ISBN 978-3-319-55605-5 ISBN 978-3-319-55606-2 (eBook) DOI 10.1007/978-3-319-55606-2 Library of Congress Control Number: 2017939601 # Springer-Verlag London 2009, 2013, 2015 # Springer International Publishing AG 2017 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc.
    [Show full text]
  • University of Piraeus – Department of Informatics Master Program in «Informatics»
    MSc Thesis Konstantinos Vlachos University of Piraeus – Department of Informatics Master Program in «Informatics» Postgraduate Thesis Thesis Title (iOS application Security Analysis) Student First and Last Name Konstantinos Vlachos Father’s Name Georgios Registration Number MPSP15011 Supervisor Konstantinos Patsakis, Assistant Professor Delivery Date November 20, 2017 iOS Application security analysis 1 MSc Thesis Konstantinos Vlachos Three-member Examination Board (signature) (signature) (signature) Constantinos Patsakis Efthimios Alepis Panagiotis Kotzanikolaou Assistant Professor Assistant Professor Assistant Professor iOS Application security analysis 2 MSc Thesis Konstantinos Vlachos TABLE OF CONTENTS Abstract page 5 1. Introduction page 6 2. Prerequisites page 9 2.1 Install Xcode _______ page 9 2.2 iOS Simulator ______ page 11 3. Run-Load an application into Xcode page 14 4. Decompiling an iOS application page 15 4.1 otool page 15 4.2 class-dump page 17 4.3 Clutch (decrypt device binaries) page 18 4.4 Dumpdecrypted (Running app decryption) page 19 5. Static Code Analysis page 23 5.1 Xcode Analyzer page 23 5.2 iNalyzer (Static analysis) page 26 6. Dynamic Analysis page 28 6.1 Instruments page 28 6.2 iNalyzer (dynamic) page 30 6.3 Dtrace page 30 6.4 GDB (Runtime analysis) page 31 6.5 FLEX page 34 6.6 InspectiveC page 41 6.7 Cycript (runtime analysis) page 42 7. Data Protection page 48 7.1 Keyboard cache page 48 7.2 Snapshots page 49 7.3 UIPasteBoard page 49 7.4 SQLite Database page 50 8. Technical Terms page 51 8.1 .ipa files page 51 8.2 tweak page 52 iOS Application security analysis 3 MSc Thesis Konstantinos Vlachos 8.3 MobileSubstrate page 53 8.4 jailbroken device page 53 8.5 Nsobjects page 54 8.6 obj_Msg page 54 8.7 Cydia page 54 8.8 Theos page 54 9.
    [Show full text]
  • Spotify++ I Spotify Plus HOME, HOW TO
    4/6/2018 Exhibit: Spotify++ I Spotify Plus HOME, HOW TO -Music streaming is one of the top activities for mobile device users and Spotify has to be the most used streaming service of all. Boasting over 140 million users every month, more than half of these use the free version of the service but suffer from popup ads and limited features. The rest pay out almost $10 every month for the privilege of not having the ads and for getting better features. Not everyone has pockets deep enough to Justify this expense every month but, luckily, we now have Spotify++. This is a modified app with no connection to the stock app, containing all the premium features without the need to pay a subscription. We're going to be showing you how to download Spotify++ but first, here are some of the features you get. Image: Spotify pPlus Download Tutorial Download Tutorial Spotify++ © Download ~ AdCholces Spotify++ Features : (:::::====='"=sta=II====:::::) As well as the features of the free version, you also get: ( Download Cydia ) • None of the irritating ads hltpa://www.cydiaios7.com/apotlfy-plua.html 1/9 4/6/2018 SpoUfy++ I SpoUfy Plus • Unlimited track skips • Unlimited track scrubbing •-• • Top-quality sound streaming • Free to download • Free to use forever How to Download Spotlfy++ : Now we can look at how to download Spotlfy++. You are going to need Cydia for this so, for those of you who can install Cydia, here's how to get Spotify++: 1. Follow the tutorial at the link to download Cydia on your I Phone or iPad hltps://www.cydialos7.com/spolify-plus.html 2/9 4/8/2018 Spotlfy++ I Spotlfy Plus ..----· .
    [Show full text]
  • Pangu V1.2.1 Ios 7.1.2 Download Pangu V1.2.1
    pangu v1.2.1 ios 7.1.2 download Pangu v1.2.1. Pangu is a free tool to jailbreak iPad, iPad Air, iPad Mini, iPhone 4 to iPhone 5s and iPod touch that runs on iOS 7.1 to iOS 7.1.2. NOTES Warning! The Pangu Team has tested Pangu on most models and did not cause any problems, but we can not make any guarantees. Please be fully aware of this and use pangu at your own risk. Please backup your device before jailbreak. Requirements 1. A computer running Windows (minimum Windows XP) 2. iTunes should be installed. 3. iDevice running iOS 7.1.x (you may find the information in Setting/ General /About -> Version) Screenshots: Other editions: HTML code for linking to this page: Keywords: pangu jailbreak ios 7.1.2 ipad ipad air ipad mini iphone. 1 License and operating system information is based on latest version of the software. Downloading Pangu v1.2.1. Your download is about start shortly. If the file fails to download, please try again. If the download still fails to begin, please contact us and let us know what happened. Tell your Facebook friends about this software. You might also like. SoftEther VPN Client (Freeware) With SoftEther VPN Client with VPN Gate Client Plug-in you can make a VPN connection easily, comfortably and quickly. uTorrent (64-bit) �Torrent (aka uTorrent) is an efficient and feature rich BitTorrent client for Windows. Format Factory. Format Factory is a multifunctional media converter. Sandboxie (32-bit & 64-bit) (Freeware) Sandboxie creates a transient storage between your programs and your hard drive.
    [Show full text]
  • Automated Evaluation of Access Control in the Iphone Operating System
    ABSTRACT DESHOTELS, LUKE ALEC. Automated Evaluation of Access Control in the iPhone Operating System. (Under the direction of William Enck). A decade long arms race between Apple and jailbreakers has forged iPhone OS (iOS) into a hardened, but complex operating system. As a modern operating system, iOS treats applications as security principals, which allows for fine-grained access control policies that prevent applications from having the same authority as the device owner. However, iOS and other modern operating systems use inter-dependent access control mechanisms (e.g., Unix permissions and sandboxing), and the policies on iOS may be closed-source, proprietary, or decentralized. This practice makes it difficult to model the actual privileges of an iOS process which is subject to various undocumented access control policies. Confusion regarding these privileges hides flaws in misconfigured iOS access control policies that attackers can exploit in order to invade user privacy or damage the system. This dissertation demonstrates that the access control mechanisms in iOS are inter-dependent and their analysis should consider the composite protection system as a whole. We analyze three access control systems in iOS, the Apple Sandbox, Unix Permissions, and Inter-Process Communi- cation (IPC). First, we present the SandScout framework which converts iOS Apple Sandbox policies from their compiled proprietary state into queriable Prolog facts. SandScout’s utility is demonstrated by detecting seven types of novel vulnerabilities allowing third party apps to steal private data or damage the system, which resulted in six Common Vulnerability and Exposure (CVE) acknowl- edgements from Apple. Second, we introduce iOracle, a logical framework for extracting multiple access control policies (i.e., the Apple Sandbox and Unix Permissions) as well as runtime context from iOS and unifying this policy and contextual data into a composite model.
    [Show full text]
  • Ios Penetration Testing
    iOS Penetration Testing A Definitive Guide to iOS Security — First Edition — Kunal Relan iOS Penetration Testing A Definitive Guide to iOS Security First Edition Kunal Relan iOS Penetration Testing: A Definitive Guide to iOS Security Kunal Relan Noida, Uttar Pradesh India ISBN-13 (pbk): 978-1-4842-2354-3 ISBN-13 (electronic): 978-1-4842-2355-0 DOI 10.1007/978-1-4842-2355-0 Library of Congress Control Number: 2016960329 Copyright © 2016 by Kunal Relan This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made.
    [Show full text]
  • Ioracle: Automated Evaluation of Access Control Policies in Ios
    iOracle: Automated Evaluation of Access Control Policies in iOS Luke Deshotels Răzvan Deaconescu Costin Carabas, North Carolina State University University POLITEHNICA University POLITEHNICA [email protected] of Bucharest of Bucharest [email protected] [email protected] Iulia Mandă William Enck Mihai Chiroiu University POLITEHNICA North Carolina State University University POLITEHNICA of Bucharest [email protected] of Bucharest [email protected] [email protected] Ninghui Li Ahmad-Reza Sadeghi Purdue University Technische Universität Darmstadt [email protected] ahmad.sadeghi@ trust.tu-darmstadt.de ABSTRACT 4–8, 2018, Incheon, Republic of Korea. ACM, New York, NY, USA, 15 pages. Modern operating systems, such as iOS, use multiple access con- https://doi.org/10.1145/3196494.3196527 trol policies to define an overall protection system. However, the complexity of these policies and their interactions can hide pol- 1 INTRODUCTION icy flaws that compromise the security of the protection system. iOS (iPhone Operating System) supports Apple’s mobile devices We propose iOracle, a framework that logically models the iOS including iPods, iPads, and iPhones. With a billion iPhones sold and protection system such that queries can be made to automatically a decade of hardening, iOS has become ubiquitous, and uses several detect policy flaws. iOracle models policies and runtime context advanced security features. Therefore, the impact and scarcity of extracted from iOS firmware images, developer resources, and jail- iOS exploits has led to the creation of sophisticated attacks. For broken devices, and iOracle significantly reduces the complexity of example, exploit brokers like Zerodium pay million dollar bounties1 queries by modeling policy semantics.
    [Show full text]
  • Ios 11Application Download Free Cydia Download for Free with Cydia Cloud
    ios 11application download free Cydia Download for Free with Cydia Cloud. If you're a newbie to the iDevice family, we frequently heard the terms like Cydia download, jailbreaking and much more unfamiliar words. Among all these facts, iOS jailbreak and Cydia installer are the most famous ones, as they provide users many services that we cannot even imagine. Simply, jailbreaking is familiar to Android rooting but there is a huge difference between these two platforms. In here, we cydiacloud.com will guide iDevice users who are confusing about the term of Cydia download, what can we do with this amazing application. ULTIMATE DESIGN. cydia cloud based on the official Cydia download application so, the users can feel the real awesomeness of Cydia app store. LIFETIME MEMBERSHIP. Once you purchased for the cydiacloud membership, users will receive the lifetime membership of Cydia. AMAZING FEATURE. Users can download thousands of apps, games, tweaks and more stuff on your iDevice for free. What Really is Cydia Download? Cydia installer was created by American software engineer Jay Freeman also known as Saurik. Since after the release of Cydia for the iDevice community, it has begun to make a revolution in Apple device history. The truth is you're unable to do all the works with your iDevice as Android users do. This because of the restrictions imposed by Apple. Installing Cydia opens the gate for a specific path to customize any iPhone, iPad or iPod touch device in an incredible way. Basically, Cydia is a third-party application installer which is similar to the App Store and developed for the jailbroken iOS iDevices.
    [Show full text]
  • Announcement
    Announcement 40 articles, 2016-07-25 18:01 1 Verizon acquires Yahoo for $4.83 billion After speculation and rumors, the deal has been done. Verizon has stumped up $4.83 billion in cash for Yahoo's operating business, (1.05/2) including search, advertising and content. After speculation and rumors, the deal has been done. Verizon has stumped up ... 2016-07-25 11:55 1KB feeds.betanews.com 2 'Pokemon Go' players stumble on hidden history Historical markers have long dotted the landscape, often barely (1.03/2) noticed by passers-by—until they became treasure-filled stops this month on the "Pokemon Go" trail. 2016-07-25 15:23 5KB phys.org 3 Niantic Confirms New Pokemon for Pokemon Go, PokeStops Tweaks No date when they could be released, though 2016-07-25 09:53 2KB (1.03/2) news.softpedia.com 4 Cancelled 8.3-inch Lumia 2020 Windows RT tablet makes a rare appearance on camera The Lumia 2020 is one of many Nokia and Microsoft devices that (1.02/2) appeared in a photo today. The 2020 was an 8.3-inch Windows RT tablet with a Snapdragon 800 and PureView camera, due to launch in 2014. 2016-07-25 11:24 3KB feedproxy.google.com 5 Ford will bring Android Auto and Apple CarPlay to all of its 2017 models Ford wants to make all of its new cars a bit more attractive by (1.02/2) integrating Android Auto and Apple CarPlay into most of its vehicles. The two infotainment systems will be inside all 2017 models.
    [Show full text]