compromising the macos kernel
play

Compromising the macOS Kernel through Safari by Chaining Six - PowerPoint PPT Presentation

Jan 30, 2024 •271 likes •870 views

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

  1. Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS

  2. One of the best information Who are we? security labs in the world! Insu Yun Taesoo Kim Yonghwi Jin Jungwon Lim Associate Professor Ph.D. Students at Georgia Tech at Georgia Tech SSLab@Gatech (https://gts3.org) DEFCON CTF 2018 Winner: DE DEFKOR00T = DEFKOR + r00timentary Our CTF team 2

  3. We won Pwn2Own 2020! The on only browser category submission in Pwn2Own 2020 The la larg rgest payout for a single target in Pwn2Own 2020 3

  4. Preparation for Pwn2Own 2020 • Period: a month • Method 1. Fuzzing: Found several bugs, but they are all unexploitable 2. CodeQL: Looks great, but we lack the time to learn 3. Manual analysis: Most of our findings come from ☺ • Strategy: Frequent yet quick meetings (twice a week) to share information among members to fully utilize the short preparation time 4

  5. Target selection: Why Safari? 1. Browser category: Challenging yet interesting target 2. *nix-like: More familiar platform for us than Windows 3. Previous experience: e.g., CVE-2019-8832 – Sandbox escape in Safari discovered by one of our team members 5

  6. Workflow User / No sandbox User / Sandbox WebProcess Root / No sandbox Broker (Renderer) cfprefsd Bug ① Bug ② JIT bug Logical bug Bug ⑤ Race condition Kextload Bug ③ Heap overflow Bug ④ Design issue Bug ⑥ Root / Sandbox Race condition Kern ernel / No No sandbox CVMServer 6

  7. Workflow User / No sandbox User / Sandbox WebProcess Root / No sandbox Broker (Renderer) cfprefsd Bug ① Bug ② JIT bug Logical bug Bug ⑤ Race condition Kextload Bug ③ Heap overflow Bug ④ Design issue Bug ⑥ Root / Sandbox Race condition Kern ernel / No No sandbox CVMServer 7

  8. Background: in operator 0 in arr; • Returns true if the specific property is in the specified object or its prototype chain (from MDN) • in operator is usually side-effect free • It only returns its checking result without modifying anything 8

  9. JIT optimization for side-effect free code function opt(arr1, arr2) { // Check if arr2’s type is ArrayWithDouble (whose elements are all double) arr2[1] = 6.6; let tmp = 0 in arr1; // Check if arr2’s type is still ArrayWithDouble return [arr2[0], tmp]; } • If in operator is modeled as side- effect free (i.e., cannot change arr2’s type), the following check is considered as redundant and will be eliminated for optimization • However, if a side-effect happens due to incorrect modeling, it can change arr2’s type and lead to type confusion 9

  10. WebKit missed to handle side effects from DOM events of in operator • WebKit uses PDFPlugin to support an embedded PDF file • For efficiency, the plugin is laz lazil ily initialized when using its internal data including in operator • This lazy initialization triggers a DOM event named DOMSu SubtreeModified • We can register handlers for DOM events to invoke arbitrary JavaScript code 10

  11. This bug is very interesting because it is JavaScript engine’s bug but comes from outside of the engine CodeAlchemist Fuzzilli jsfunfuzz Superion JavaScript Engine Q: How did we find this? PDF Plugin A: Manually ☺ 11

  12. How to trigger the bug arr.__proto__ = $$(‘embed’); document.addEventListener( 'DOMSubtreeModified’ , event => { print(“Hello World”); } ); <embed src =“ kim_thesis.pdf ”/> 2. Install an event handler that 1. Add any PDF file using HTML triggers side effects 0 in arr; 3. in operator will be considered as side-effect free during JIT compilation even though it has side effects (e.g., printing “Hello World”) 12

  13. Let’s abuse this bug to make addrof / fakeobj primitives for exploitation • addrof: Get an address of an object function opt(arr1, arr2) { arr2[1] = 6.6; // Type check: ArrayWithDouble (i.e., all elements are double) let tmp = 0 in arr1; // Side-effect free (INCORRECT) // NOTE: arr2’s type check is eliminated because it is considered as redundant // Returns arr2[0] as double (i.e. objToLeak’s address) return [arr2[0], tmp]; } document.addEventListener( 'DOMSubtreeModified’ , event => { // arr2 is converted into ArrayWithContiguous // (i.e., elements are objects) arr2[0] = objToLeak; } ); Ref: Samuel Groß, "New Trends in Browser Exploitation: Attacking Client- Side JIT Compilers”, BLACKHAT USA 2018 13

  14. Let’s abuse this bug to make addrof / fakeobj primitives for exploitation • fakeobj: Make arbitrary address into an object function opt(arr1, arr2, addr) { arr2[1] = 6.6; // Type check: ArrayWithDouble (i.e., all elements are double) let tmp = 0 in arr1; // Side-effect free (INCORRECT) // NOTE: arr2’s type check is eliminated because it is considered as redundant // Set arr2[0] as the double value ‘ addr ’, which will be considered as an object arr2[0] = addr; } document.addEventListener( 'DOMSubtreeModified’ , event => { // arr2 is converted into ArrayWithContiguous // (i.e., elements are objects) arr2[0] = {}; } ); Ref: Samuel Groß, "New Trends in Browser Exploitation: Attacking Client- Side JIT Compilers”, BLACKHAT USA 2018 14

  15. We reuse existing techniques to achieve arbitrary code execution 1. Bypass randomized structure ID to make a valid object • Use Wang’s technique to leak the structure ID • Ref: Yong Wang, “Thinking Outside the JIT Compiler: Understanding and Bypassing StructureID Randomization with Generic and Old- School Methods”, BLACKHAT EU 2019 2. Achieve arbitrary read/write • Abuse butterfly structure in JSC • Ref: https://github.com/niklasb/sploits 3. Write a JIT region (RWX) to execute shellcode 15

  16. Patch (CVE-2020-9850) • Commit ID be8a463 • WebKit starts to consider that in operator has side-effects if an object’s prototype is modified 16

  17. Workflow User / No sandbox User / Sandbox WebProcess Root / No sandbox Broker (Renderer) cfprefsd Bug ① Bug ② JIT bug Logical bug Bug ⑤ Race condition Kextload Bug ③ Heap overflow Bug ④ Design issue Bug ⑥ Root / Sandbox Race condition Kern ernel / No No sandbox CVMServer 17

  18. file:/// in a browser • Chrome: Open a directory in a • Safari: Pop up Finder?! browser Q: How does it happen? 18

  19. Safari uses selectFile() to launch Finder @implementation BrowserNavigationDelegate - decidePolicyForNavigationResponse(WKNavigationResponse *response) { ... NSURL URL = response._request.URL.strip("file://"); [[NSWorkspace sharedWorkspace] selectFile:URL inFileViewerRootedAtPath:nil]; } @end • In the past, Safari just opens a file (CVE-2011-3230) • Now it opens a directory containing the file • Where else selectFile() is being used? 19

  20. Safari’s different use of selectFile() allows us to launch an arbitrary app @implementation NSWorkspace - safari_revealFile:(NSURL)URL { … if ( [self isFilePackageAtPath:URL] ) // <- checks whether a URL points to an app [self selectFile:URL inFileViewerRootedAtPath:nil] // <- same as before else If we send the IPC after making a symbolic link [self selectFile:nil inFileViewerRootedAtPath:URL] // <- ? for an arbitrary app, we can launch the app! } @end • After a quick experiment, we discovered that 1. isFilePackageAtPath() checks that a path is a a di direc rectory ry who hose na name end ends wit ith “.app” (i.e., symbolic link can bypass this check) 2. If selectFile ()’s second argument ( inFileViewerRootedAtPath) points an app, selectFile() will launch the app even if if it it is is sym ymbolic lic lin link 3. The renderer (i.e., WebProcess) can make a broker to call this function using Safari IPC - FailProvisionalNavigation 20

  21. Two problems still exist to launch the arbitrary app 1. WebProcess cannot create a symbolic link because of its sandbox ; com.apple.WebProcess.sb (if (defined? 'vnode-type) (deny file-write-create (vnode-type SYMLINK))) • To resolve this, we use the bug ③ - arbitrary code execution in CVMServer 2. macOS has first-time app protection • Waits a user’s confirmation • We use the bug ④ to bypass this 21

  22. Patch (CVE-2020-9801) @implementation NSWorkspace - safari_revealFile:(NSURL)URL { … if ( [self isFilePackageAtPath:URL] ) // <- checks whether a URL points to an app [self selectFile:URL inFileViewerRootedAtPath:nil] // <- same as before else [self selectFile:nil inFileViewerRootedAtPath:URL] // <- ? } @end • They removed the application-launching path 22

  23. Workflow User / No sandbox User / Sandbox WebProcess Root / No sandbox Broker (Renderer) cfprefsd Bug ① Bug ② JIT bug Logical bug Bug ⑤ Race condition Kextload Bug ③ Heap overflow Bug ④ Design issue Bug ⑥ Root / Sandbox Race condition Kern ernel / No No sandbox CVMServer 23

  24. What is CVMServer (com.apple.cvmsServ)? • An accessible XPC service from WebProcess ; com.apple.WebProcess.sb (define (system-graphics) (allow mach-lookup (global-name "com.apple.cvmsServ")) ... ) (system-graphics) • It is used to support OpenGL rendering • Root privilege and sandboxed, but it has more capabilities than WebProcess • e.g., create symlink (for the bug ② ) and send signals (for the bug ④ ) 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MacOS &amp; iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS &amp; iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS &amp; iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our example for all your iDevices including iPhones, iPod touches, and iPods) TOP TEN Your iPad is fragile Battery life is exhaustible TIPS

330 views • 15 slides
iOS/macOS 0-day^w48-hours from sandbox to kernel Prsent 31/05/2018 Pour BeeRumP Par Eloi

iOS/macOS 0-day^w48-hours from sandbox to kernel Prsent 31/05/2018 Pour BeeRumP Par Eloi

iOS/macOS 0-day^w48-hours from sandbox to kernel Prsent 31/05/2018 Pour BeeRumP Par Eloi Vanderbeken Who? Eloi Vanderbeken @elvanderb Synacktiv Coordinateur du ple reverse de Synacktiv dveloppement bas niveau

593 views • 20 slides
Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark www.jeremybytes.com @jeremybytes What is .NET Core? Cross-Platform .NET Runs on macOS, Linux, and Windows Can be compiled to machine code based on

1.17k views • 15 slides
Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/ mgk25/ CHES 2005, Edinburgh Compromising emanations 1914: German army valve amplifiers for eavesdropping ground return signals of

732 views • 29 slides
Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk =&gt; =&gt; Why?

706 views • 36 slides
MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA &amp; CLASSROOM SERVICES

MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA &amp; CLASSROOM SERVICES

MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA &amp; CLASSROOM SERVICES P A U L L E V I N S E N , R Y A N P A N N E L L , &amp; A A R O N H E C K Demonstration PROVISIONING IOS AND MACOS USING APPLE DEP SOLUTION

103 views • 7 slides
macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives

macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives

macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives (including optical drives), and you can hover over each colored segment to get a MB size, there is the Manage... button which brings up new options

378 views • 4 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Pedagogy in Virtual Classrooms Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by: Jayems Dhingra SIM University, Singapore Pedagogy in Virtual Classrooms Without Compromising the Quality of the

593 views • 15 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

Health Psychology, 6 th edition Shelley E. Taylor Chapter Five: Health-Compromising Behaviors Characteristics of Health-Compromising Behavior Many of these behaviors share a window of vulnerability in adolescence Drinking to excess

419 views • 15 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
When does macOS Catalina create APFS checkpoints and which data could be retrieved from them?

When does macOS Catalina create APFS checkpoints and which data could be retrieved from them?

When does macOS Catalina create APFS checkpoints and which data could be retrieved from them? Research Project 1 Maarten van der Slik Default since High Sierra (10.13), iOS 13, tvOS 10.2, watchOS 3.2 &quot;Copy-on-write&quot; New features

609 views • 14 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS &amp; macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS &amp; macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS &amp; macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh

Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh

Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh groundwater: True or False? Terry Engelder Department of Geosciences The Pennsylvania State University University Park, PA 16802 The answer is true in

992 views • 66 slides
DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

The ITI Program @ SC&amp;I Presents DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is not supported on Catalina. Sign-in for a loaner laptop. Please Pick up handouts Find a seat

325 views • 19 slides
Collaborative Technology in Science &amp; Health: From CFAR-SSA to Coronavirus Larry William

Collaborative Technology in Science &amp; Health: From CFAR-SSA to Coronavirus Larry William

Social Media and Collaborative Technology in Science &amp; Health: From CFAR-SSA to Coronavirus Larry William Chang, MD, MPH Associate Professor of Medicine, Epidemiology, and International Health Johns Hopkins School of Medicine and Bloomberg

709 views • 33 slides
How can the Texas Workforce Commission Assist YOU? Programs and Tools to Aid Small Businesses

How can the Texas Workforce Commission Assist YOU? Programs and Tools to Aid Small Businesses

Texas Workforce Commission Office of Employer Initiatives How can the Texas Workforce Commission Assist YOU? Programs and Tools to Aid Small Businesses Child Care Programs and their Employees during the Current Turbulent Period Texas

187 views • 17 slides
Back to School and COVID-19 Lorrie Ramsey, MSM, BSN, RN Chief Nurse Consultant July 24, 2020

Back to School and COVID-19 Lorrie Ramsey, MSM, BSN, RN Chief Nurse Consultant July 24, 2020

Back to School and COVID-19 Lorrie Ramsey, MSM, BSN, RN Chief Nurse Consultant July 24, 2020 Welcome and Introductions Pam Pontones, MA Deputy State Health Commissioner State Epidemiologist Lindsay Weaver, MD, FACEP Chief Medical Officer

350 views • 23 slides
The worst place in the world to fall ill Our friend &amp; community leader, Prince, with his

The worst place in the world to fall ill Our friend &amp; community leader, Prince, with his

Our friends &amp; the Nehemiah School Ebola hotspot The worst place in the world to fall ill Our friend &amp; community leader, Prince, with his team. They are taking action in the Ebola hotspot. Kuntorloh is the very community

372 views • 7 slides
Increasing TCPs Initial Window draft-hkchu-tcpm-initcwnd-00.txt H.K. Jerry Chu -

Increasing TCPs Initial Window draft-hkchu-tcpm-initcwnd-00.txt H.K. Jerry Chu -

Increasing TCPs Initial Window draft-hkchu-tcpm-initcwnd-00.txt H.K. Jerry Chu - hkchu@google.com Nandita Dukkipati - nanditad@google.com March 23, 2010 77th IETF, Anaheim 1 Topics Motivation &amp; Justification Related Efforts

890 views • 26 slides
IDENTIFYING CHALLENGES AND COLLABORATION AREAS IN HUMANITARIAN LOGISTICS: A SOUTHERN AFRICAN

IDENTIFYING CHALLENGES AND COLLABORATION AREAS IN HUMANITARIAN LOGISTICS: A SOUTHERN AFRICAN

IDENTIFYING CHALLENGES AND COLLABORATION AREAS IN HUMANITARIAN LOGISTICS: A SOUTHERN AFRICAN PERSPECTIVE. CHARLES MBOHWA Department of Quality and Operations Management, University of Johannesburg, Auckland Park Bunting Road Campus, P. O. Box

537 views • 12 slides
Personal Privacy in Ubiquitous Computing Marc Langheinrich ETH Zurich

Personal Privacy in Ubiquitous Computing Marc Langheinrich ETH Zurich

Personal Privacy in Ubiquitous Computing Marc Langheinrich ETH Zurich http://www.inf.ethz.ch/~langhein/ UK-Ubinet Summer School Privacy Excuses UK-Ubinet Summer School Optimists: All you need is really good firewalls.

1.32k views • 75 slides
Pharmacodynamics Dr. Shabbits jennifer.shabbits@ubc.ca September 10, 2013 or any

Pharmacodynamics Dr. Shabbits jennifer.shabbits@ubc.ca September 10, 2013 or any

Resources OPTIONAL textbooks PCTH 325 Pharmacodynamics Dr. Shabbits jennifer.shabbits@ubc.ca September 10, 2013 or any introductory pharmacology textbook Resources course website Important points from last class

371 views • 12 slides

More recommend