DOCSLIB.ORG

Automated Evaluation of Access Control in the Iphone Operating System

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automated Evaluation of Access Control in the Iphone Operating System ABSTRACT DESHOTELS, LUKE ALEC. Automated Evaluation of Access Control in the iPhone Operating System. (Under the direction of William Enck). A decade long arms race between Apple and jailbreakers has forged iPhone OS (iOS) into a hardened, but complex operating system. As a modern operating system, iOS treats applications as security principals, which allows for fine-grained access control policies that prevent applications from having the same authority as the device owner. However, iOS and other modern operating systems use inter-dependent access control mechanisms (e.g., Unix permissions and sandboxing), and the policies on iOS may be closed-source, proprietary, or decentralized. This practice makes it difficult to model the actual privileges of an iOS process which is subject to various undocumented access control policies. Confusion regarding these privileges hides flaws in misconfigured iOS access control policies that attackers can exploit in order to invade user privacy or damage the system. This dissertation demonstrates that the access control mechanisms in iOS are inter-dependent and their analysis should consider the composite protection system as a whole. We analyze three access control systems in iOS, the Apple Sandbox, Unix Permissions, and Inter-Process Communi- cation (IPC). First, we present the SandScout framework which converts iOS Apple Sandbox policies from their compiled proprietary state into queriable Prolog facts. SandScout’s utility is demonstrated by detecting seven types of novel vulnerabilities allowing third party apps to steal private data or damage the system, which resulted in six Common Vulnerability and Exposure (CVE) acknowl- edgements from Apple. Second, we introduce iOracle, a logical framework for extracting multiple access control policies (i.e., the Apple Sandbox and Unix Permissions) as well as runtime context from iOS and unifying this policy and contextual data into a composite model. iOracle is evaluated through detection of previously known exploits as well as detection of unknown policy flaws. Finally, we propose Kobold, a framework for enumerating and evaluating IPC remote methods accessible by third party applications. Access to these remote methods is regulated by the Apple Sandbox and static capabilities called entitlements. Therefore, Kobold also automates the collection and extraction of third party application entitlements. During this analysis Kobold discovers third party applications with undocumented, semi-private entitlements. Kobold identifies over one hundred accessible methods and detects previously unknown access control flaws and daemon crashes. © Copyright 2018 by Luke Alec Deshotels All Rights Reserved Automated Evaluation of Access Control in the iPhone Operating System by Luke Alec Deshotels A dissertation submitted to the Graduate Faculty of North Carolina State University in partial fulfillment of the requirements for the Degree of Doctor of Philosophy Computer Science Raleigh, North Carolina 2018 APPROVED BY: Bradley Reaves Alexandros Kapravelos Matthias Stallmann William Enck Chair of Advisory Committee DEDICATION This dissertation is dedicated to my parents for their unwavering love and support. ii BIOGRAPHY Luke received his Bachelor’s and Master’s from the University of Louisiana at Lafayette where he studied computer vision and malware analysis. He started the PhD program at NCSU in order to study Android malware with Dr. Xuxian Jiang. However, through a serendipitous series of events involving significant help from Dr. Purush Iyer, ultrasonic sound-waves, and an extra-credit report on OS verification, Luke started studying the iOS sandbox with Dr. William Enck. It’s a long story that won’t be told here, but Luke has no regrets with the way things turned out. iii ACKNOWLEDGEMENTS I could have never made it this far on my own. In my darkest moments of paper rejections, technical setbacks, and bureaucratic nightmares, I was never alone. Along my journey there was always help in the forms of loving support, writing advice, and technical contributions. In addition to my committee members, Bradley Reaves, Alexandros Kapravelos, and Matthias Stallmann, I must thank my advisor, co-authors, labmates, and friends who have given so much and asked nothing in return. First, I must thank my advisor, William Enck. I have been Will’s teaching assistant, student, and apprentice. As Will’s teaching assistant, he demonstrated his fairness and professionalism as we handled issues of academic integrity together. As his student, I learned exactly the information I would need to win and thrive in computer security internships. As an apprentice, I learned to write, design experiments, analyze results, present research, and collaborate with other universities. Will has been generous with his knowledge, time, and introductions, and at every stage of my academic career, Will has acted as my role model. Second, I owe much to my co-authors, especially Razvan Deaconescu who has given so much more time and brilliance than I deserved. Razvan Deaconescu reversed the Apple sandbox, and made many other technical contributions. It was Razvan that found our first vulnerability and inspired the team to keep pursuing iOS access control. Mihai Chiroiu hosted me at Politehnica University of Bucharest and helped us keep an eye on the bigger picture beyond just iOS. Costin Carabas was instrumental to discovering the correct syntax to invoke NSXPC methods on iOS, and he contributed in many other ways to iOracle and Kobold. Iulia Manda contributed to our knowledge of mach-ports and sandbox extensions and was kind enough to find me during my brief visit to Romania. Lucas-Davi contributed his expertise of iOS and writing skill to SandScout. Ahmad-Reza Sadeghi hosted me at TU Darmstadt and provided significant insight and style to our papers. It was Ahmad that put our team together and introduced me to Razvan, Mihai, and Lucas. Finally, Ninghui-Li contributed his expertise of access control analysis to iOracle. Third, I would like to acknowledge my labmates for their support and advice throughout my time in the WSPR lab. Micah Bushouse has been my greatest critic, but he has also been a true friend and a source of wisdom and encouragement. Isaac Polinsky has been a friend and one of the most entertaining people in the lab. Ben Andow started his PhD program in the same year as me, and has given me many insights into low level sytem’s research. Ben and I often joked that our research topics should have been reversed. Sigmund "Al" Gorski shared his relevant knowledge of Android access control analysis, and he was a great roommate during our Qualcomm internship. Adwait Nadkarni was a great verbal sparring partner and lead graduate student. I look forward to working at Samsung with Akash Verma, Michael Grace, and Kunal Patel. Jason Gionta inspired me to ask many questions. I enjoyed exercising and discussing shared hobbies with Russell Meredith. Sarah iv Elder provided wisdom and news from outside the lab. Sanghyun went to great lengths to make me feel at home during my trip to Korea. Kyle Martin gave me insights into fuzzing, crashes, and memory exploitation. I would like to thank the other current and past members of the WSPR lab for their company, advice, and hard work. Finally, I am honored to list many friends that helped me throughout my PhD. Rusty Gibson contributed his time and expertise to a very fun side project on steganography in video games. Sean Mealin, Peipei Wang, Sheldon Abrams, Barry Peddicord, and Aurora Peddicord provided advice as students themselves, and they were excellent gaming partners. Feifei Wang was very kind to me and introduced me to many more friends. David Fiala helped recruit me to NCSU and encouraged me to persist through hard times. Most of all, I would like to thank Xiaoting "Sisi" Fu, for her patience and love throughout the ups and downs of my final year as a PhD student. Lastly, I thank Noodle, the cat, for listening to explanations of iOS access control policies when I needed an audience. v TABLE OF CONTENTS LIST OF TABLES ......................................................... ix LIST OF FIGURES ........................................................ x Chapter 1 INTRODUCTION .............................................. 1 1.1 Thesis Statement.................................................. 2 1.2 Contributions .................................................... 5 1.3 Thesis Organization................................................ 6 Chapter 2 Background .................................................. 9 2.1 Introduction ..................................................... 9 2.2 iOS Basics ....................................................... 11 2.3 Entitlements ..................................................... 12 2.3.1 Policy..................................................... 12 2.3.2 Enforcement ............................................... 13 2.4 Sandboxing...................................................... 14 2.4.1 Policy..................................................... 14 2.4.2 Enforcement ............................................... 16 2.5 Privacy Settings................................................... 17 2.5.1 Policy..................................................... 19 2.5.2 Enforcement ............................................... 20 2.6 Conclusions...................................................... 21 Chapter 3 Related Work ................................................. 22 3.1 Access Control Policy Design ........................................
Load more

Recommended publications
  • Joseph Migga Kizza Fourth Edition
    Computer Communications and Networks Joseph Migga Kizza Guide to Computer Network Security Fourth Edition Computer Communications and Networks Series editor A.J. Sammes Centre for Forensic Computing Cranfield University, Shrivenham Campus Swindon, UK The Computer Communications and Networks series is a range of textbooks, monographs and handbooks. It sets out to provide students, researchers, and nonspecialists alike with a sure grounding in current knowledge, together with comprehensible access to the latest developments in computer communications and networking. Emphasis is placed on clear and explanatory styles that support a tutorial approach, so that even the most complex of topics is presented in a lucid and intelligible manner. More information about this series at http://www.springer.com/series/4198 Joseph Migga Kizza Guide to Computer Network Security Fourth Edition Joseph Migga Kizza University of Tennessee Chattanooga, TN, USA ISSN 1617-7975 ISSN 2197-8433 (electronic) Computer Communications and Networks ISBN 978-3-319-55605-5 ISBN 978-3-319-55606-2 (eBook) DOI 10.1007/978-3-319-55606-2 Library of Congress Control Number: 2017939601 # Springer-Verlag London 2009, 2013, 2015 # Springer International Publishing AG 2017 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc.
    [Show full text]
  • Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on Ios
    Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS Luke Deshotels Costin Carabas, Jordan Beichler North Carolina State University, University POLITEHNICA of Bucharest North Carolina State University Samsung Research America [email protected] [email protected] [email protected] Razvan˘ Deaconescu William Enck University POLITEHNICA of Bucharest North Carolina State University [email protected] [email protected] Abstract—Apple uses several access control mechanisms to posed to other applications. However, several features (e.g., prevent third party applications from directly accessing secu- dynamic dispatching for method calls) make data flow rity sensitive resources, including sandboxing and file access analysis less practical for iOS binaries. To the best of our control. However, third party applications may also indirectly access these resources using inter-process communication (IPC) knowledge, there exists no systematic enumeration of iOS with system daemons. If these daemons fail to properly enforce remote methods accessible to third party applications. The access control on IPC, confused deputy vulnerabilities may closest related work is existing IPC fuzzers for iOS [2], result. Identifying such vulnerabilities begins with an enumer- [22], [30] that probe for code flaws such as type confusion ation of all IPC services accessible to third party applications. or dereferencing vulnerabilities, which can be exploited However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at to obtain arbitrary code execution. However, these fuzzers a large scale. In this paper, we present the Kobold framework do not attempt to enumerate remote methods or identify to study NSXPC-based system services using a combination confused deputy vulnerabilities.
    [Show full text]
  • University of Piraeus – Department of Informatics Master Program in «Informatics»
    MSc Thesis Konstantinos Vlachos University of Piraeus – Department of Informatics Master Program in «Informatics» Postgraduate Thesis Thesis Title (iOS application Security Analysis) Student First and Last Name Konstantinos Vlachos Father’s Name Georgios Registration Number MPSP15011 Supervisor Konstantinos Patsakis, Assistant Professor Delivery Date November 20, 2017 iOS Application security analysis 1 MSc Thesis Konstantinos Vlachos Three-member Examination Board (signature) (signature) (signature) Constantinos Patsakis Efthimios Alepis Panagiotis Kotzanikolaou Assistant Professor Assistant Professor Assistant Professor iOS Application security analysis 2 MSc Thesis Konstantinos Vlachos TABLE OF CONTENTS Abstract page 5 1. Introduction page 6 2. Prerequisites page 9 2.1 Install Xcode _______ page 9 2.2 iOS Simulator ______ page 11 3. Run-Load an application into Xcode page 14 4. Decompiling an iOS application page 15 4.1 otool page 15 4.2 class-dump page 17 4.3 Clutch (decrypt device binaries) page 18 4.4 Dumpdecrypted (Running app decryption) page 19 5. Static Code Analysis page 23 5.1 Xcode Analyzer page 23 5.2 iNalyzer (Static analysis) page 26 6. Dynamic Analysis page 28 6.1 Instruments page 28 6.2 iNalyzer (dynamic) page 30 6.3 Dtrace page 30 6.4 GDB (Runtime analysis) page 31 6.5 FLEX page 34 6.6 InspectiveC page 41 6.7 Cycript (runtime analysis) page 42 7. Data Protection page 48 7.1 Keyboard cache page 48 7.2 Snapshots page 49 7.3 UIPasteBoard page 49 7.4 SQLite Database page 50 8. Technical Terms page 51 8.1 .ipa files page 51 8.2 tweak page 52 iOS Application security analysis 3 MSc Thesis Konstantinos Vlachos 8.3 MobileSubstrate page 53 8.4 jailbroken device page 53 8.5 Nsobjects page 54 8.6 obj_Msg page 54 8.7 Cydia page 54 8.8 Theos page 54 9.
    [Show full text]
  • Spotify++ I Spotify Plus HOME, HOW TO
    4/6/2018 Exhibit: Spotify++ I Spotify Plus HOME, HOW TO -Music streaming is one of the top activities for mobile device users and Spotify has to be the most used streaming service of all. Boasting over 140 million users every month, more than half of these use the free version of the service but suffer from popup ads and limited features. The rest pay out almost $10 every month for the privilege of not having the ads and for getting better features. Not everyone has pockets deep enough to Justify this expense every month but, luckily, we now have Spotify++. This is a modified app with no connection to the stock app, containing all the premium features without the need to pay a subscription. We're going to be showing you how to download Spotify++ but first, here are some of the features you get. Image: Spotify pPlus Download Tutorial Download Tutorial Spotify++ © Download ~ AdCholces Spotify++ Features : (:::::====='"=sta=II====:::::) As well as the features of the free version, you also get: ( Download Cydia ) • None of the irritating ads hltpa://www.cydiaios7.com/apotlfy-plua.html 1/9 4/6/2018 SpoUfy++ I SpoUfy Plus • Unlimited track skips • Unlimited track scrubbing •-• • Top-quality sound streaming • Free to download • Free to use forever How to Download Spotlfy++ : Now we can look at how to download Spotlfy++. You are going to need Cydia for this so, for those of you who can install Cydia, here's how to get Spotify++: 1. Follow the tutorial at the link to download Cydia on your I Phone or iPad hltps://www.cydialos7.com/spolify-plus.html 2/9 4/8/2018 Spotlfy++ I Spotlfy Plus ..----· .
    [Show full text]
  • Pangu V1.2.1 Ios 7.1.2 Download Pangu V1.2.1
    pangu v1.2.1 ios 7.1.2 download Pangu v1.2.1. Pangu is a free tool to jailbreak iPad, iPad Air, iPad Mini, iPhone 4 to iPhone 5s and iPod touch that runs on iOS 7.1 to iOS 7.1.2. NOTES Warning! The Pangu Team has tested Pangu on most models and did not cause any problems, but we can not make any guarantees. Please be fully aware of this and use pangu at your own risk. Please backup your device before jailbreak. Requirements 1. A computer running Windows (minimum Windows XP) 2. iTunes should be installed. 3. iDevice running iOS 7.1.x (you may find the information in Setting/ General /About -> Version) Screenshots: Other editions: HTML code for linking to this page: Keywords: pangu jailbreak ios 7.1.2 ipad ipad air ipad mini iphone. 1 License and operating system information is based on latest version of the software. Downloading Pangu v1.2.1. Your download is about start shortly. If the file fails to download, please try again. If the download still fails to begin, please contact us and let us know what happened. Tell your Facebook friends about this software. You might also like. SoftEther VPN Client (Freeware) With SoftEther VPN Client with VPN Gate Client Plug-in you can make a VPN connection easily, comfortably and quickly. uTorrent (64-bit) �Torrent (aka uTorrent) is an efficient and feature rich BitTorrent client for Windows. Format Factory. Format Factory is a multifunctional media converter. Sandboxie (32-bit & 64-bit) (Freeware) Sandboxie creates a transient storage between your programs and your hard drive.
    [Show full text]
  • Ios Penetration Testing
    iOS Penetration Testing A Definitive Guide to iOS Security — First Edition — Kunal Relan iOS Penetration Testing A Definitive Guide to iOS Security First Edition Kunal Relan iOS Penetration Testing: A Definitive Guide to iOS Security Kunal Relan Noida, Uttar Pradesh India ISBN-13 (pbk): 978-1-4842-2354-3 ISBN-13 (electronic): 978-1-4842-2355-0 DOI 10.1007/978-1-4842-2355-0 Library of Congress Control Number: 2016960329 Copyright © 2016 by Kunal Relan This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made.
    [Show full text]
  • Ioracle: Automated Evaluation of Access Control Policies in Ios
    iOracle: Automated Evaluation of Access Control Policies in iOS Luke Deshotels Răzvan Deaconescu Costin Carabas, North Carolina State University University POLITEHNICA University POLITEHNICA [email protected] of Bucharest of Bucharest [email protected] [email protected] Iulia Mandă William Enck Mihai Chiroiu University POLITEHNICA North Carolina State University University POLITEHNICA of Bucharest [email protected] of Bucharest [email protected] [email protected] Ninghui Li Ahmad-Reza Sadeghi Purdue University Technische Universität Darmstadt [email protected] ahmad.sadeghi@ trust.tu-darmstadt.de ABSTRACT 4–8, 2018, Incheon, Republic of Korea. ACM, New York, NY, USA, 15 pages. Modern operating systems, such as iOS, use multiple access con- https://doi.org/10.1145/3196494.3196527 trol policies to define an overall protection system. However, the complexity of these policies and their interactions can hide pol- 1 INTRODUCTION icy flaws that compromise the security of the protection system. iOS (iPhone Operating System) supports Apple’s mobile devices We propose iOracle, a framework that logically models the iOS including iPods, iPads, and iPhones. With a billion iPhones sold and protection system such that queries can be made to automatically a decade of hardening, iOS has become ubiquitous, and uses several detect policy flaws. iOracle models policies and runtime context advanced security features. Therefore, the impact and scarcity of extracted from iOS firmware images, developer resources, and jail- iOS exploits has led to the creation of sophisticated attacks. For broken devices, and iOracle significantly reduces the complexity of example, exploit brokers like Zerodium pay million dollar bounties1 queries by modeling policy semantics.
    [Show full text]
  • Ios 11Application Download Free Cydia Download for Free with Cydia Cloud
    ios 11application download free Cydia Download for Free with Cydia Cloud. If you're a newbie to the iDevice family, we frequently heard the terms like Cydia download, jailbreaking and much more unfamiliar words. Among all these facts, iOS jailbreak and Cydia installer are the most famous ones, as they provide users many services that we cannot even imagine. Simply, jailbreaking is familiar to Android rooting but there is a huge difference between these two platforms. In here, we cydiacloud.com will guide iDevice users who are confusing about the term of Cydia download, what can we do with this amazing application. ULTIMATE DESIGN. cydia cloud based on the official Cydia download application so, the users can feel the real awesomeness of Cydia app store. LIFETIME MEMBERSHIP. Once you purchased for the cydiacloud membership, users will receive the lifetime membership of Cydia. AMAZING FEATURE. Users can download thousands of apps, games, tweaks and more stuff on your iDevice for free. What Really is Cydia Download? Cydia installer was created by American software engineer Jay Freeman also known as Saurik. Since after the release of Cydia for the iDevice community, it has begun to make a revolution in Apple device history. The truth is you're unable to do all the works with your iDevice as Android users do. This because of the restrictions imposed by Apple. Installing Cydia opens the gate for a specific path to customize any iPhone, iPad or iPod touch device in an incredible way. Basically, Cydia is a third-party application installer which is similar to the App Store and developed for the jailbroken iOS iDevices.
    [Show full text]
  • Announcement
    Announcement 40 articles, 2016-07-25 18:01 1 Verizon acquires Yahoo for $4.83 billion After speculation and rumors, the deal has been done. Verizon has stumped up $4.83 billion in cash for Yahoo's operating business, (1.05/2) including search, advertising and content. After speculation and rumors, the deal has been done. Verizon has stumped up ... 2016-07-25 11:55 1KB feeds.betanews.com 2 'Pokemon Go' players stumble on hidden history Historical markers have long dotted the landscape, often barely (1.03/2) noticed by passers-by—until they became treasure-filled stops this month on the "Pokemon Go" trail. 2016-07-25 15:23 5KB phys.org 3 Niantic Confirms New Pokemon for Pokemon Go, PokeStops Tweaks No date when they could be released, though 2016-07-25 09:53 2KB (1.03/2) news.softpedia.com 4 Cancelled 8.3-inch Lumia 2020 Windows RT tablet makes a rare appearance on camera The Lumia 2020 is one of many Nokia and Microsoft devices that (1.02/2) appeared in a photo today. The 2020 was an 8.3-inch Windows RT tablet with a Snapdragon 800 and PureView camera, due to launch in 2014. 2016-07-25 11:24 3KB feedproxy.google.com 5 Ford will bring Android Auto and Apple CarPlay to all of its 2017 models Ford wants to make all of its new cars a bit more attractive by (1.02/2) integrating Android Auto and Apple CarPlay into most of its vehicles. The two infotainment systems will be inside all 2017 models.
    [Show full text]