lecture 9
play

Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS - PowerPoint PPT Presentation

Jan 25, 2024 •114 likes •477 views

Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS Devices Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz Operating Systems Practical December 3, 2014 OSP Lecture 9, PSiOS 1/35 Introduction iOS

  1. Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS Devices Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz Operating Systems Practical December 3, 2014 OSP Lecture 9, PSiOS 1/35

  2. Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 2/35

  3. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 3/35

  4. General Idea ◮ large number of mobile devices and mobile apps ◮ privacy is important, attacks are frequent ◮ need for privacy framework for iOS ◮ PSiOS: detects and prevents alterations of control-flow graph ◮ Privacy and Security for iOS ◮ define profiles and enabled fine-grained policy ◮ use static analysis to generate control-flow graph ◮ hook into the Objective-C runtime of iOS OSP Lecture 9, PSiOS 4/35

  5. Smartphone and iOS Market ◮ large number of applications ◮ app stores (Google Play, Apple AppStore) ◮ Android (open) and iOS (closed) OSP Lecture 9, PSiOS 5/35

  6. iOS Security ◮ assign a generic profile to every third party application ◮ guidelines for developpers ◮ vetting process in the AppStore ◮ several apps have been able to abuse privileges OSP Lecture 9, PSiOS 6/35

  7. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 7/35

  8. iOS Architecture OSP Lecture 9, PSiOS 8/35

  9. Application Sandboxing ◮ only happening at kernel-level, not within the Objective-C runtime ◮ course-grained sandboxing, cannot enforce fine-grained control within the Objective-C runtime ◮ iOS provides entitlements for additional rules; but they are defined by the developer and can not be subsequently changed by the user OSP Lecture 9, PSiOS 9/35

  10. Objective-C Runtime ◮ applications written in Objective-C ◮ main system libraries written in Objective-C ◮ decisions deferred from compile-time to runtime ◮ iOS objective C libraries included in frameworks: a directory with a shared library and its resources OSP Lecture 9, PSiOS 10/35

  11. Public and Private Frameworks ◮ public frameworks are accessible to apps ◮ private frameworks are only accessible to system applications ◮ “interesting” functionality is located inside private frameworks OSP Lecture 9, PSiOS 11/35

  12. The Problem ◮ generic application sandboxing profile assigned to every third-party application ◮ enforced by the kernel ◮ attacks have been reported that abuse privileges ◮ no enforcing within the Objective-C runtime OSP Lecture 9, PSiOS 12/35

  13. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 13/35

  14. High-Level Idea OSP Lecture 9, PSiOS 14/35

  15. High-Level Idea ◮ policy enforcement component checks profile rules defined by the user ◮ hooks into all Objective-C runtime calls ◮ enforces Control Flow Integrity (CFI); validates control-flow graph and prevents control-flow attacks OSP Lecture 9, PSiOS 15/35

  16. Static Analysis ◮ iOS apps are encrypted by default ◮ uses process dumping to create application memory snapshot ◮ sues improved static Objective-C analyzer to extract the control-flow graph and Objective-C information OSP Lecture 9, PSiOS 16/35

  17. Load-Time Binary Rewriting ◮ binary rewriting performed after loader (to preserve application signature) ◮ patches all indirect branches with a control flow check ◮ inserts checkpoints into calls to Objective-C runtime ◮ whenever a checkpoint is reached, the CFG is checked/validated OSP Lecture 9, PSiOS 17/35

  18. Architecture OSP Lecture 9, PSiOS 18/35

  19. Runtime Enforcing ◮ employed by the policy enforcement component ◮ three types of enforcing: Log , Exit and Replace ◮ Replace replaces return information with shadow data to prohibit access to sensitive information ◮ it is possible to create a central instance of to deploy policies (to centralize them in a given organization) OSP Lecture 9, PSiOS 19/35

  20. Sandboxing Profile Format 1 < rule type="objc" class="NSUserDefaults" 2 selector="valueForKey:" mode="exit" > < argnumber ="1" type="string" operator="=" 3 value="SBFormattedPhoneNumber" / > 4 5 < /rule > OSP Lecture 9, PSiOS 20/35

  21. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 21/35

  22. Tools of the Trade ◮ support for iOS 4.3.2, 4.3.3, 5.0.1, 5.1.1 ◮ Python module in IDA Pro 6.x for the static Objective-C analyzer ◮ MoCFI framework for CFI ◮ extended MoCFI to introduce the policy enformence component OSP Lecture 9, PSiOS 22/35

  23. Deploying PSiOS ◮ as a shared library ◮ shared library is injected into every application, through setting a variable similar to LD_PRELOAD on Linux ◮ requires jailbreak OSP Lecture 9, PSiOS 23/35

  24. Static Objective-C Analyzer ◮ parses Mach-O file and locate code and data sections ◮ identifies Objective-C classes and selectors ◮ record call to the objc_msgSend dispatcher function ◮ resolve calls to public frameworks by inspecting the symbol section ( __lazy_symbol ) OSP Lecture 9, PSiOS 24/35

  25. Objective-C Runtime Analyzer ◮ starts operating after application is loaded ◮ retrieve runtime address of selectors ◮ retrieve runtime adress of classes ◮ uses sections in the executable image in memory ( __objc_selrefs and __objc_classrefs ) OSP Lecture 9, PSiOS 25/35

  26. Policy Enforcement ◮ enforces control on each Objective-C message ◮ use analyzers to extract the runtime address ◮ parse the sandboxing profile ◮ MoCFI validates control-flow integrity ◮ applies policy, if policy is defined for class/selector ◮ for the Replace rule, a new implementation of the method is used (already prepared, returns empty data) OSP Lecture 9, PSiOS 26/35

  27. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 27/35

  28. SpyPhone ◮ open source app, capable of retrieving infomrmation ◮ may retrieve e-mail information, phone data, location, address book entries ◮ successfully applied rules to prevent SpyPhone from accessing address book entries OSP Lecture 9, PSiOS 28/35

  29. PSiOS to iOS Apps ◮ tested on Facebook, WhatsApp, Flashlight, Instagram etc. ◮ successfully used PSiOS to prevent access to the address book, personal photos, short UUID OSP Lecture 9, PSiOS 29/35

  30. Performance Overhead using Gensystek App OSP Lecture 9, PSiOS 30/35

  31. Runtime Performance Using Different Apps OSP Lecture 9, PSiOS 31/35

  32. Jailbreaking ◮ PSiOS is injected as a shared library ◮ this requires a jailbroken devices ◮ this is only required when setting up the environment, by setting a library similar to LD_PRELOAD on Linux ◮ if PSiOS were to be used by Apple, it could be implemented as a static rewriter to be used before the app is signed by Apple OSP Lecture 9, PSiOS 32/35

  33. Conclusion ◮ novel policy enforcement framework: PSiOS ◮ provides fine-grained application sandboxing ◮ effective in preventing privay breaches (SpyPhone and popular iOS apps) ◮ reasonable overhead ◮ future work in providing PSiOS as a static rewriter OSP Lecture 9, PSiOS 33/35

  34. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 34/35

  35. Keywords ◮ mobile apps ◮ control flow graph ◮ iOS ◮ PSiOS ◮ sandboxing ◮ policy enforcement ◮ Objective C ◮ CFI ◮ fine-grained sandboxing ◮ static analysis ◮ static analysis ◮ jailbreak OSP Lecture 9, PSiOS 35/35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then reviewed the final point of lecture #3: Hennigs logical approach to tree inference is valid as logic, but we have a hard time using it because our data

660 views • 7 slides
Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

TU/e Algorithms (2IL15) Lecture 13 Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13 Part I of the course: Optimization Problems we want to find valid solution minimizing cost (or maximizing

904 views • 20 slides
In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken

In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken

In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken Birman LEAVE NO TRACE BEHIND Spring, 2020 HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 THE PRIVACY PUZZLE FOR I O T We have sensors

1.04k views • 65 slides
Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface

Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface

Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface Removal Sort polygons in depth. Use the farthest vertex in each polygon as the sorting key. Efficient Painter - binary space partition (BSP)

563 views • 6 slides
Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 -

Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 -

Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 - Resource-sensitive algebraic theories Lecture 3 - Interacting Hopf monoids and graphical linear algebra Lecture 4 - Signal Flow Graphs and recurrence

1.2k views • 61 slides
Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A Threatens Privacy Threatens Try to achieve Lecture 2B: Network threats Lecture 3A: Attacks on Lecture 6A: Security Protocols Web servers, malware

381 views • 25 slides
Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

ISDS &amp; Digital Business Skills Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture actually do? What happens before a lecture? What happens during a lecture? What does the button do?

527 views • 18 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

1.74k views • 60 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

850 views • 46 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

839 views • 58 slides
Usability of Programming Languages Lecture 4 - directed by your research interests Lecture

Usability of Programming Languages Lecture 4 - directed by your research interests Lecture

Overview Practical experimental course lectures are only introductory Lecture 1 - theoretical principles classic approaches l h current trends in leading research. Lecture 2 - candidate research methods advantages and

499 views • 15 slides
Introduction to AI &amp; Intelligent Agents This Lecture Chapters 1 and 2 Next Lecture

Introduction to AI &amp; Intelligent Agents This Lecture Chapters 1 and 2 Next Lecture

Introduction to AI &amp; Intelligent Agents This Lecture Chapters 1 and 2 Next Lecture Chapter 3.1 to 3.4 (Please read lecture topic material before and after each lecture on that topic) What is Artificial Intelligence? Thought

636 views • 31 slides
Introduction to Numerical Optimization Biostatistics 615/815 Lecture 14 Lecture 14 Course is

Introduction to Numerical Optimization Biostatistics 615/815 Lecture 14 Lecture 14 Course is

Introduction to Numerical Optimization Biostatistics 615/815 Lecture 14 Lecture 14 Course is More Than Half Done! If you have comments they are very welcome y y Lectures Lecture notes Weekly Homework Midterm

795 views • 42 slides
Lecture 12: Clustering 1 6.0002 LECTURE 12 Re Reading Chapter 23 6.0002 LECTURE 12 2 Mach Ma

Lecture 12: Clustering 1 6.0002 LECTURE 12 Re Reading Chapter 23 6.0002 LECTURE 12 2 Mach Ma

Lecture 12: Clustering 1 6.0002 LECTURE 12 Re Reading Chapter 23 6.0002 LECTURE 12 2 Mach Ma chine e Lea earn rning Paradigm Observe set of examples: training data Infer something about process that generated that data Use

847 views • 36 slides
Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4

Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4

Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4 Basics of Feedback Control Robert Babu ska Today: Steady-state response. Delft Center for Systems and Control Faculty of Mechanical

388 views • 7 slides
Psycholinguistics Lecture 2 By Dr.Chelli Lecture Objectives At the end of this lecture, students

Psycholinguistics Lecture 2 By Dr.Chelli Lecture Objectives At the end of this lecture, students

Psycholinguistics Lecture 2 By Dr.Chelli Lecture Objectives At the end of this lecture, students will be able to: Discuss the different stages in the history of psycholinguistics Identify the scholars in the field of psycholinguistics

589 views • 28 slides
Time Series Bhiksha Raj Class 22. 14 Nov 2013 14 Nov 2013 11-755/18797 1 Administrivia

Time Series Bhiksha Raj Class 22. 14 Nov 2013 14 Nov 2013 11-755/18797 1 Administrivia

Machine Learning for Signal Processing Predicting and Estimation from Time Series Bhiksha Raj Class 22. 14 Nov 2013 14 Nov 2013 11-755/18797 1 Administrivia No class on Tuesday.. Project Demos: 5 th December (Thursday). Before

1.11k views • 73 slides
Geometry of Supermagnets Geometry of Supermagnets Vo Volk lker er Sc Schomerus homerus

Geometry of Supermagnets Geometry of Supermagnets Vo Volk lker er Sc Schomerus homerus

Geometry of Supermagnets Geometry of Supermagnets Vo Volk lker er Sc Schomerus homerus Edinburgh, Jan 2011 based on work with C. Candu, T. Creutzig, V. Mitev, T. Quella, H. Saleur; Y. Aisaka, N. Berkovits, T. Brown Motivation: AdS/CFT

883 views • 21 slides
Undergraduate Research Working Group MAY 14, 2019 agenda 1. Welcome: Vice Provost Daniel

Undergraduate Research Working Group MAY 14, 2019 agenda 1. Welcome: Vice Provost Daniel

Undergraduate Research Working Group MAY 14, 2019 agenda 1. Welcome: Vice Provost Daniel Grassian 2. Recap of Activities to Date 3. RF/RESP Restructure and Support Opportunities 4. Models of Undergraduate Research Programs in the CSU 5.

322 views • 10 slides
Learning to select for a predefined ranking Aleksei Ustimenko Alexander Vorobev Gleb Gusev

Learning to select for a predefined ranking Aleksei Ustimenko Alexander Vorobev Gleb Gusev

Learning to select for a predefined ranking Aleksei Ustimenko Alexander Vorobev Gleb Gusev Pavel Serdyukov From ranking to sorting Search engines typically order the items by some relevance score obtained from a ranker before presenting

311 views • 10 slides
FouryearsofNOAA-10 retrieved C02concentrations. ApplicationtoAIRSsimulations

FouryearsofNOAA-10 retrieved C02concentrations. ApplicationtoAIRSsimulations

FouryearsofNOAA-10 retrieved C02concentrations. ApplicationtoAIRSsimulations AlainChedin AIRSscienceteammeetingSept.2002 FIRSTGLOBALMEASUREMENTOFMID- TROPOSPHERICCO 2

339 views • 17 slides
High-Performance Adaptive MPI Derived Datatype Communication for Modern Multi- GPU Systems

High-Performance Adaptive MPI Derived Datatype Communication for Modern Multi- GPU Systems

High-Performance Adaptive MPI Derived Datatype Communication for Modern Multi- GPU Systems Ching-Hsiang Chu, Jahanzeb Maqbool Hashmi, Kawthar Shafie Khorassani, Hari Subramoni, Dhabaleswar K. (DK) Panda The Ohio State University {chu.368,

458 views • 25 slides
BIMODULES OVER SIMPLE FINITE-DIMENSIONAL JORDAN SUPERALGEBRAS Consuelo Mart nez L opez

BIMODULES OVER SIMPLE FINITE-DIMENSIONAL JORDAN SUPERALGEBRAS Consuelo Mart nez L opez

BIMODULES OVER SIMPLE FINITE-DIMENSIONAL JORDAN SUPERALGEBRAS Consuelo Mart nez L opez Workshop on Nonassociative Algebras Toronto, 12-14 May 2005 SUPERALGEBRA : A = A 0 + A 1 , A i A j A i + j a Z/ 2 Z -graded

528 views • 22 slides
Support for Demonstration Ombudsman Programs Serving Beneficiaries of Financial Alignment Models

Support for Demonstration Ombudsman Programs Serving Beneficiaries of Financial Alignment Models

Support for Demonstration Ombudsman Programs Serving Beneficiaries of Financial Alignment Models for Medicare-Medicaid Enrollees Funding Opportunity Announcement (FOA) Number: CMS-1J1-13-001 CFDA: 93.634 November 21, 2013 Presentation

662 views • 41 slides

More recommend