Lecture 9 - PSiOS: Bring Your Own Privacy & Security to iOS Devices (slide transcript, elf.cs.pub.ro, 35 slides)

  • Lecture 9: PSiOS: Bring Your Own Privacy & Security to iOS Devices

    Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz

    Operating Systems Practical

    December 3, 2014

    OSP Lecture 9, PSiOS 1/35

  • Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 2/35

  • Outline

    Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 3/35

  • General Idea

    - large number of mobile devices and mobile apps

    - privacy is important, attacks are frequent

    - need for a privacy framework for iOS

    - PSiOS: detects and prevents alterations of the control-flow graph

    - Privacy and Security for iOS

    - define profiles and enable fine-grained policies

    - use static analysis to generate the control-flow graph

    - hook into the Objective-C runtime of iOS

    OSP Lecture 9, PSiOS 4/35

  • Smartphone and iOS Market

    - large number of applications

    - app stores (Google Play, Apple AppStore)

    - Android (open) and iOS (closed)

    OSP Lecture 9, PSiOS 5/35

  • iOS Security

    - assign a generic profile to every third-party application

    - guidelines for developers

    - vetting process in the AppStore

    - several apps have been able to abuse privileges

    OSP Lecture 9, PSiOS 6/35

  • Outline

    Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 7/35

  • iOS Architecture

    OSP Lecture 9, PSiOS 8/35

  • Application Sandboxing

    - only happening at kernel level, not within the Objective-C runtime

    - coarse-grained sandboxing, cannot enforce fine-grained control within the Objective-C runtime

    - iOS provides entitlements for additional rules; but they are defined by the developer and cannot be subsequently changed by the user

    OSP Lecture 9, PSiOS 9/35

  • Objective-C Runtime

    - applications written in Objective-C

    - main system libraries written in Objective-C

    - decisions deferred from compile time to runtime

    - iOS Objective-C libraries included in frameworks: a directory with a shared library and its resources

    OSP Lecture 9, PSiOS 10/35

  • Public and Private Frameworks

    - public frameworks are accessible to apps

    - private frameworks are only accessible to system applications

    - “interesting” functionality is located inside private frameworks

    OSP Lecture 9, PSiOS 11/35

  • The Problem

    - generic application sandboxing profile assigned to every third-party application

    - enforced by the kernel

    - attacks have been reported that abuse privileges

    - no enforcing within the Objective-C runtime

    OSP Lecture 9, PSiOS 12/35

  • Outline

    Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 13/35

  • High-Level Idea

    OSP Lecture 9, PSiOS 14/35

  • High-Level Idea

    - policy enforcement component checks profile rules defined by the user

    - hooks into all Objective-C runtime calls

    - enforces Control Flow Integrity (CFI); validates the control-flow graph and prevents control-flow attacks

    OSP Lecture 9, PSiOS 15/35

  • Static Analysis

    - iOS apps are encrypted by default

    - uses process dumping to create an application memory snapshot

    - uses an improved static Objective-C analyzer to extract the control-flow graph and Objective-C information

    OSP Lecture 9, PSiOS 16/35

  • Load-Time Binary Rewriting

    - binary rewriting performed after the loader (to preserve the application signature)

    - patches all indirect branches with a control-flow check

    - inserts checkpoints into calls to the Objective-C runtime

    - whenever a checkpoint is reached, the CFG is checked/validated

    OSP Lecture 9, PSiOS 17/35

  • Architecture

    OSP Lecture 9, PSiOS 18/35

  • Runtime Enforcing

    - employed by the policy enforcement component

    - three types of enforcing: Log, Exit and Replace

    - Replace replaces return information with shadow data to prohibit access to sensitive information

    - it is possible to create a central instance to deploy policies (to centralize them in a given organization)

    OSP Lecture 9, PSiOS 19/35

  • Sandboxing Profile Format

    (listing of an example sandboxing profile; only its line numbers survived extraction)

    OSP Lecture 9, PSiOS 20/35

  • Outline

    Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 21/35

  • Tools of the Trade

    - support for iOS 4.3.2, 4.3.3, 5.0.1, 5.1.1

    - Python module in IDA Pro 6.x for the static Objective-C analyzer

    - MoCFI framework for CFI

    - extended MoCFI to introduce the policy enforcement component

    OSP Lecture 9, PSiOS 22/35

  • Deploying PSiOS

    - as a shared library

    - shared library is injected into every application, through setting a variable similar to LD_PRELOAD on Linux

    - requires jailbreak

    OSP Lecture 9, PSiOS 23/35

  • Static Objective-C Analyzer

    - parses the Mach-O file and locates code and data sections

    - identifies Objective-C classes and selectors

    - records calls to the objc_msgSend dispatcher function

    - resolves calls to public frameworks by inspecting the symbol section (__lazy_symbol)

    OSP Lecture 9, PSiOS 24/35

  • Objective-C Runtime Analyzer

    - starts operating after the application is loaded

    - retrieves the runtime address of selectors

    - retrieves the runtime address of classes

    - uses sections in the executable image in memory (__objc_selrefs and __objc_classrefs)

    OSP Lecture 9, PSiOS 25/35

  • Policy Enforcement

    - enforces control on each Objective-C message

    - uses the analyzers to extract the runtime address

    - parses the sandboxing profile

    - MoCFI validates control-flow integrity

    - applies the policy, if a policy is defined for the class/selector

    - for the Replace rule, a new implementation of the method is used (already prepared, returns empty data)

    OSP Lecture 9, PSiOS 26/35
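    The enforcement flow of the Policy Enforcement and Runtime Enforcing slides (rules keyed by class/selector, checked at each message send, with Log, Exit and Replace as the three outcomes), as an added Python simulation that is not PSiOS code. The line-oriented profile syntax, the shadow values and the class/selector names are assumptions, since the slide with the real profile format did not survive extraction.

```python
import fnmatch
from dataclasses import dataclass

ACTIONS = ("Log", "Exit", "Replace")          # the three enforcement types

class PolicyExit(Exception):
    """Raised when an Exit rule fires; PSiOS terminates the app here."""

@dataclass(frozen=True)
class Rule:
    cls: str       # Objective-C class pattern, e.g. "UIDevice" or "*"
    selector: str  # selector pattern, e.g. "uniqueIdentifier" or "*"
    action: str    # one of ACTIONS

def parse_profile(text):
    """Parse '<class> <selector> <action>' lines (assumed syntax); '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ACTIONS:
            raise ValueError(f"profile line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(*parts))
    return rules

def find_rule(rules, cls, selector):
    """First matching rule wins; no match means the message passes through."""
    for r in rules:
        if fnmatch.fnmatchcase(cls, r.cls) and fnmatch.fnmatchcase(selector, r.selector):
            return r
    return None

# Shadow data handed back by Replace instead of the real result (assumed values:
# empty data of the shape the caller expects, so the app keeps running).
SHADOW = {"uniqueIdentifier": "", "allPeople": [], "location": None}

def enforce(rules, cls, selector, real_impl, log):
    """Checkpoint hit on each message send; stands in for the objc_msgSend hook."""
    rule = find_rule(rules, cls, selector)
    if rule is None:
        return real_impl()                     # no policy: dispatch untouched
    log.append(f"{rule.action.upper()} {cls} {selector}")
    if rule.action == "Log":
        return real_impl()                     # record, then let it through
    if rule.action == "Exit":
        raise PolicyExit(f"{cls} {selector}")  # block by terminating
    return SHADOW.get(selector)                # Replace: never call real_impl
```

    Because Replace never invokes the real implementation, the app sees well-formed but empty data, which is why the paper can apply it to production apps without crashing them.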

  • Outline

    Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 27/35

  • SpyPhone

    - open source app, capable of retrieving information

    - may retrieve e-mail information, phone data, location, address book entries

    - successfully applied rules to prevent SpyPhone from accessing address book entries

    OSP Lecture 9, PSiOS 28/35

  • PSiOS to iOS Apps

    - tested on Facebook, WhatsApp, Flashlight, Instagram etc.

    - successfully used PSiOS to prevent access to the address book, personal photos, short UUID

    OSP Lecture 9, PSiOS 29/35

  • Performance Overhead using Gensystek App

    OSP Lecture 9, PSiOS 30/35

  • Runtime Performance Using Different Apps

    OSP Lecture 9, PSiOS 31/35

  • Jailbreaking

    - PSiOS is injected as a shared library

    - this requires a jailbroken device

    - this is only required when setting up the environment, by setting a variable similar to LD_PRELOAD on Linux

    - if PSiOS were to be used by Apple, it could be implemented as a static rewriter to be used before the app is signed by Apple

    OSP Lecture 9, PSiOS 32/35

  • Conclusion

    - novel policy enforcement framework: PSiOS

    - provides fine-grained application sandboxing

    - effective in preventing privacy breaches (SpyPhone and popular iOS apps)

    - reasonable overhead

    - future work in providing PSiOS as a static rewriter

    OSP Lecture 9, PSiOS 33/35

  • Outline

    Introduction

    iOS Internals

    PSiOS Design

    Implementation

    Evaluation

    Keywords

    OSP Lecture 9, PSiOS 34/35

  • Keywords

    - mobile apps

    - iOS

    - sandboxing

    - Objective-C

    - fine-grained sandboxing

    - static analysis

    - control flow graph

    - PSiOS

    - policy enforcement

    - CFI

    - jailbreak

    OSP Lecture 9, PSiOS 35/35
