Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS - - PowerPoint PPT Presentation

SLIDE 1

Lecture 9

PSiOS: Bring Your Own Privacy & Security to iOS Devices

Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz

Operating Systems Practical

December 3, 2014

OSP Lecture 9, PSiOS 1/35

SLIDE 2

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 3

Outline

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 4

General Idea

◮ large number of mobile devices and mobile apps
◮ privacy is important, attacks are frequent
◮ need for a privacy framework for iOS
◮ PSiOS: detects and prevents alterations of the control-flow graph
◮ Privacy and Security for iOS
◮ define profiles and enable fine-grained policies
◮ use static analysis to generate the control-flow graph
◮ hook into the Objective-C runtime of iOS

SLIDE 5

Smartphone and iOS Market

◮ large number of applications
◮ app stores (Google Play, Apple AppStore)
◮ Android (open) and iOS (closed)

SLIDE 6

iOS Security

◮ assign a generic profile to every third-party application
◮ guidelines for developers
◮ vetting process in the AppStore
◮ several apps have been able to abuse privileges

SLIDE 7

Outline

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 8

iOS Architecture

SLIDE 9

Application Sandboxing

◮ only happening at kernel level, not within the Objective-C runtime
◮ coarse-grained sandboxing, cannot enforce fine-grained control within the Objective-C runtime
◮ iOS provides entitlements for additional rules; but they are defined by the developer and cannot subsequently be changed by the user

SLIDE 10

Objective-C Runtime

◮ applications written in Objective-C
◮ main system libraries written in Objective-C
◮ decisions deferred from compile time to runtime
◮ iOS Objective-C libraries are included in frameworks: a directory with a shared library and its resources

SLIDE 11

Public and Private Frameworks

◮ public frameworks are accessible to apps
◮ private frameworks are only accessible to system applications
◮ “interesting” functionality is located inside private frameworks

SLIDE 12

The Problem

◮ generic application sandboxing profile assigned to every third-party application
◮ enforced by the kernel
◮ attacks have been reported that abuse privileges
◮ no enforcement within the Objective-C runtime

SLIDE 13

Outline

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 14

High-Level Idea

SLIDE 15

High-Level Idea

◮ policy enforcement component checks profile rules defined by the user
◮ hooks into all Objective-C runtime calls
◮ enforces Control Flow Integrity (CFI); validates the control-flow graph and prevents control-flow attacks

SLIDE 16

Static Analysis

◮ iOS apps are encrypted by default
◮ uses process dumping to create an application memory snapshot
◮ uses an improved static Objective-C analyzer to extract the control-flow graph and Objective-C information

SLIDE 17

Load-Time Binary Rewriting

◮ binary rewriting performed after the loader (to preserve the application signature)
◮ patches all indirect branches with a control-flow check
◮ inserts checkpoints into calls to the Objective-C runtime
◮ whenever a checkpoint is reached, the CFG is checked/validated

SLIDE 18

Architecture

SLIDE 19

Runtime Enforcing

◮ employed by the policy enforcement component
◮ three types of enforcing: Log, Exit and Replace
◮ Replace replaces return information with shadow data to prohibit access to sensitive information
◮ it is possible to create a central instance to deploy policies (to centralize them in a given organization)

SLIDE 20

Sandboxing Profile Format

    <rule type="objc" class="NSUserDefaults"
          selector="valueForKey:" mode="exit">
      <arg number="1" type="string" operator="="
           value="SBFormattedPhoneNumber"/>
    </rule>

SLIDE 21

Outline

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 22

Tools of the Trade

◮ support for iOS 4.3.2, 4.3.3, 5.0.1, 5.1.1
◮ Python module in IDA Pro 6.x for the static Objective-C analyzer
◮ MoCFI framework for CFI
◮ extended MoCFI to introduce the policy enforcement component

SLIDE 23

Deploying PSiOS

◮ as a shared library
◮ shared library is injected into every application, through setting a variable similar to LD_PRELOAD on Linux
◮ requires jailbreak

SLIDE 24

Static Objective-C Analyzer

◮ parses the Mach-O file and locates code and data sections
◮ identifies Objective-C classes and selectors
◮ records calls to the objc_msgSend dispatcher function
◮ resolves calls to public frameworks by inspecting the symbol section (__lazy_symbol)

SLIDE 25

Objective-C Runtime Analyzer

◮ starts operating after the application is loaded
◮ retrieves runtime addresses of selectors
◮ retrieves runtime addresses of classes
◮ uses sections in the executable image in memory (__objc_selrefs and __objc_classrefs)
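
To make the first step of the static analyzer (parsing the Mach-O file and locating sections) and the runtime analyzer's section lookup concrete, here is an added Python example; it is not PSiOS code and not the IDA Pro module the deck mentions. It walks the load commands of a Mach-O image, reports the __objc_selrefs and __objc_classrefs sections, and resolves each selector-reference pointer to the selector string it points at in __TEXT,__objc_methname. The image it parses is constructed inline (not a real app), it works on file offsets rather than on a process dump, and the lazy-symbol section is looked up under its real name __la_symbol_ptr (the deck writes __lazy_symbol); the constructed image has none, so that lookup reports it as missing.

```python
"""Locate the Mach-O sections the PSiOS analyzers read and resolve
__objc_selrefs entries to selector names.  Added example, not PSiOS code;
the image it parses is constructed below, and it works on file offsets
(a static view) rather than on the loaded image in memory."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19

# header size, segment_command layout, section layout, per word size
LAYOUT = {
    MH_MAGIC:    (28, "<II16sIIIIiiII", "<16s16sIIIIIIIII"),
    MH_MAGIC_64: (32, "<II16sQQQQiiII", "<16s16sQQIIIIIIII"),
}
# The deck writes "__lazy_symbol"; the real section name is __la_symbol_ptr.
OBJC_SECTIONS = ("__DATA,__objc_selrefs", "__DATA,__objc_classrefs",
                 "__DATA,__la_symbol_ptr")


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def list_sections(image):
    """Walk the load commands; return {"__SEG,__sect": (addr, size, fileoff)}."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic not in LAYOUT:
        raise ValueError("not a little-endian Mach-O image: %#x" % magic)
    hdr_size, seg_fmt, sect_fmt = LAYOUT[magic]
    ncmds = struct.unpack_from("<I", image, 16)[0]
    sections, off = {}, hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            seg = struct.unpack_from(seg_fmt, image, off)
            sect_off = off + struct.calcsize(seg_fmt)
            for _ in range(seg[9]):                      # seg[9] == nsects
                s = struct.unpack_from(sect_fmt, image, sect_off)
                sections["%s,%s" % (_cstr(s[1]), _cstr(s[0]))] = (s[2], s[3], s[4])
                sect_off += struct.calcsize(sect_fmt)
        off += cmdsize
    return sections


def objc_sections(image):
    """The sections the static/runtime analyzers need; None when absent."""
    found = list_sections(image)
    return {name: found.get(name) for name in OBJC_SECTIONS}


def selector_refs(image):
    """Map each __objc_selrefs slot address to the selector string it points at."""
    secs = list_sections(image)
    ptr = "<Q" if struct.unpack_from("<I", image, 0)[0] == MH_MAGIC_64 else "<I"
    refs_addr, refs_size, refs_off = secs["__DATA,__objc_selrefs"]
    names_addr, names_size, names_off = secs["__TEXT,__objc_methname"]
    out = {}
    for i in range(refs_size // struct.calcsize(ptr)):
        slot = i * struct.calcsize(ptr)
        target = struct.unpack_from(ptr, image, refs_off + slot)[0]
        if not names_addr <= target < names_addr + names_size:
            raise ValueError("selref %#x points outside __objc_methname" % target)
        out[refs_addr + slot] = _cstr(image[names_off + target - names_addr:])
    return out


def build_sample_image():
    """Constructed 64-bit Mach-O: __TEXT/__objc_methname plus __DATA/__objc_selrefs
    and __objc_classrefs, laid out so that file offset == address - base."""
    base = 0x100000000
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, 384, 0, 0)

    def segment(name, fileoff, size, sects):
        cmd = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80 * len(sects), name,
                          base + fileoff, size, fileoff, size, 7, 5, len(sects), 0)
        for sname, off, ssize in sects:
            cmd += struct.pack("<16s16sQQIIIIIIII", sname, name, base + off, ssize,
                               off, 3, 0, 0, 0, 0, 0, 0)
        return cmd

    text = segment(b"__TEXT", 0, 448, [(b"__objc_methname", 416, 32)])
    data = segment(b"__DATA", 448, 24, [(b"__objc_selrefs", 448, 16),
                                        (b"__objc_classrefs", 464, 8)])
    names = b"valueForKey:\0setObject:forKey:\0".ljust(32, b"\0")
    selrefs = struct.pack("<QQ", base + 416, base + 416 + 13)   # -> the two names
    classrefs = struct.pack("<Q", 0)                           # bound at load time
    return hdr + text + data + names + selrefs + classrefs


if __name__ == "__main__":
    img = build_sample_image()
    print(objc_sections(img))
    print({hex(a): s for a, s in selector_refs(img).items()})
```

The bounds check in selector_refs is the part worth keeping in a real analyzer: a selref that points outside __objc_methname is either a parsing error or a tampered image, and either way the selector name must not be trusted. A dumped process image carries the same section table, so the same walk works on the memory snapshot the deck describes, once addresses are translated with the loader's slide.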

SLIDE 26

Policy Enforcement

◮ enforces control on each Objective-C message
◮ uses the analyzers to extract the runtime address
◮ parses the sandboxing profile
◮ MoCFI validates control-flow integrity
◮ applies the policy, if a policy is defined for the class/selector
◮ for the Replace rule, a new implementation of the method is used (already prepared, returns empty data)
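
The sequence on this slide (CFI validation, then the profile rule for the class/selector, with Log, Exit and Replace from slide 19 and the rule format from slide 20) can be exercised end to end in a small simulation. The following Python is an added example, not PSiOS or MoCFI code: the profile, the static CFG, the "real" method table and the message trace are all constructed, the NSUserDefaults/valueForKey: rule is the deck's own example while AddressBookProxy and LocationService are hypothetical classes, and the "!=" argument operator is an assumed extension of the "=" the slide shows.

```python
"""Simulate PSiOS policy enforcement on Objective-C messages: MoCFI-style edge
validation first, then the profile rule for the class/selector (Log, Exit or
Replace).  Added example, not PSiOS code; the profile, CFG and trace are
constructed and the dispatch model is a simplification of objc_msgSend."""
import xml.etree.ElementTree as ET

# Constructed profile in the slide-20 format.  NSUserDefaults/valueForKey: is
# the deck's example; AddressBookProxy and LocationService are hypothetical.
PROFILE = """<profile>
  <rule type="objc" class="NSUserDefaults" selector="valueForKey:" mode="exit">
    <arg number="1" type="string" operator="=" value="SBFormattedPhoneNumber"/>
  </rule>
  <rule type="objc" class="AddressBookProxy" selector="allEntries" mode="replace"/>
  <rule type="objc" class="LocationService" selector="startUpdates" mode="log"/>
</profile>"""

# Argument operators: "=" is the one the slide shows, "!=" an assumed extension.
OPERATORS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}

# Stand-ins for the real method implementations (constructed sample data).
REAL_METHODS = {
    ("NSUserDefaults", "valueForKey:"): lambda args: {"SBFormattedPhoneNumber": "+1 555 0100",
                                                      "AppleLanguages": ["en"]}.get(args[0]),
    ("AddressBookProxy", "allEntries"): lambda args: ["Alice", "Bob"],
    ("LocationService", "startUpdates"): lambda args: "started",
}
# "Already prepared" replacement implementations that return empty data.
EMPTY_DATA = {"allEntries": [], "valueForKey:": None}

# Static CFG from the analyzer: call site -> set of (class, selector) it may reach.
CFG = {
    0x1A00: {("NSUserDefaults", "valueForKey:")},
    0x1B00: {("AddressBookProxy", "allEntries")},
    0x1C00: {("LocationService", "startUpdates")},
}


class ControlFlowViolation(Exception):
    pass


class PolicyViolation(Exception):
    pass


def parse_profile(xml_text):
    """Return [(class, selector, mode, [(argnumber, operator, value), ...]), ...]."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.get("type") != "objc":
            continue
        args = [(int(a.get("number")), a.get("operator"), a.get("value"))
                for a in rule.findall("arg")]
        rules.append((rule.get("class"), rule.get("selector"), rule.get("mode"), args))
    return rules


def args_match(rule_args, args):
    """Every <arg> constraint must hold; a missing argument never matches."""
    for number, op, value in rule_args:
        if number > len(args) or not OPERATORS[op](str(args[number - 1]), value):
            return False
    return True


def dispatch(site, cls, sel, args, rules, log):
    """Checkpoint at an objc_msgSend call: validate the CFG edge, then the policy."""
    if (cls, sel) not in CFG.get(site, set()):
        raise ControlFlowViolation("site %#x -> [%s %s] not in CFG" % (site, cls, sel))
    for rcls, rsel, mode, rargs in rules:
        if (rcls, rsel) != (cls, sel) or not args_match(rargs, args):
            continue
        log.append("%s [%s %s] %r" % (mode, cls, sel, args))
        if mode == "exit":
            raise PolicyViolation("blocked [%s %s]" % (cls, sel))
        if mode == "replace":
            return EMPTY_DATA.get(sel)
        break                       # mode == "log": record it and run the real method
    return REAL_METHODS[(cls, sel)](args)


def run_trace(trace, rules):
    """Enforce a (site, class, selector, args) trace; returns (outcomes, log)."""
    log, outcomes = [], []
    for site, cls, sel, args in trace:
        try:
            outcomes.append(("ok", dispatch(site, cls, sel, args, rules, log)))
        except PolicyViolation:
            outcomes.append(("exit", None))
        except ControlFlowViolation:
            outcomes.append(("cfi", None))
    return outcomes, log


SAMPLE_TRACE = [                                                          # constructed
    (0x1A00, "NSUserDefaults", "valueForKey:", ["AppleLanguages"]),         # no rule hit
    (0x1A00, "NSUserDefaults", "valueForKey:", ["SBFormattedPhoneNumber"]), # rule: exit
    (0x1B00, "AddressBookProxy", "allEntries", []),                         # rule: replace
    (0x1C00, "LocationService", "startUpdates", []),                        # rule: log
    (0x1C00, "AddressBookProxy", "allEntries", []),                         # edge not in CFG
]

if __name__ == "__main__":
    outcomes, log = run_trace(SAMPLE_TRACE, parse_profile(PROFILE))
    for entry in log:
        print(entry)
    print(outcomes)
```

Two details match the slide's ordering. The CFG check runs before any policy lookup, so a message reached through an edge the static analysis never recorded is rejected even if no rule mentions that class and selector (the last trace entry). And Replace never calls the real method: the prepared implementation's empty result is returned directly, so the sensitive data is never materialised in the process, which is what makes it stronger than filtering the return value afterwards.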

SLIDE 27

Outline

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 28

SpyPhone

◮ open source app, capable of retrieving information
◮ may retrieve e-mail information, phone data, location, address book entries
◮ successfully applied rules to prevent SpyPhone from accessing address book entries

SLIDE 29

PSiOS to iOS Apps

◮ tested on Facebook, WhatsApp, Flashlight, Instagram etc.
◮ successfully used PSiOS to prevent access to the address book, personal photos, short UUID

SLIDE 30

Performance Overhead using Gensystek App

SLIDE 31

Runtime Performance Using Different Apps

SLIDE 32

Jailbreaking

◮ PSiOS is injected as a shared library
◮ this requires a jailbroken device
◮ this is only required when setting up the environment, by setting a library variable similar to LD_PRELOAD on Linux
◮ if PSiOS were to be used by Apple, it could be implemented as a static rewriter to be used before the app is signed by Apple

SLIDE 33

Conclusion

◮ novel policy enforcement framework: PSiOS
◮ provides fine-grained application sandboxing
◮ effective in preventing privacy breaches (SpyPhone and popular iOS apps)
◮ reasonable overhead
◮ future work in providing PSiOS as a static rewriter

SLIDE 34

Outline

◮ Introduction
◮ iOS Internals
◮ PSiOS Design
◮ Implementation
◮ Evaluation
◮ Keywords

SLIDE 35

Keywords

◮ mobile apps
◮ iOS
◮ sandboxing
◮ Objective-C
◮ fine-grained sandboxing
◮ static analysis
◮ control flow graph
◮ PSiOS
◮ policy enforcement
◮ CFI
◮ jailbreak