Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS

2020 IEEE Symposium on Security and Privacy (SP) Pub Date : 2020-05-01 DOI:10.1109/SP40000.2020.00023

Luke Deshotels, Costin Carabas, Jordan Beichler, Răzvan Deaconescu, W. Enck

{"title":"Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS","authors":"Luke Deshotels, Costin Carabas, Jordan Beichler, Răzvan Deaconescu, W. Enck","doi":"10.1109/SP40000.2020.00023","DOIUrl":null,"url":null,"abstract":"Apple uses several access control mechanisms to prevent third party applications from directly accessing security sensitive resources, including sandboxing and file access control. However, third party applications may also indirectly access these resources using inter-process communication (IPC) with system daemons. If these daemons fail to properly enforce access control on IPC, confused deputy vulnerabilities may result. Identifying such vulnerabilities begins with an enumeration of all IPC services accessible to third party applications. However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at a large scale. In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis. Using Kobold, we discovered multiple NSXPC services with confused deputy vulnerabilities and daemon crashes. Our findings include the ability to activate the microphone, disable access to all websites, and leak private data stored in iOS File Providers.","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"17 1","pages":"1056-1070"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00023","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

Apple uses several access control mechanisms to prevent third party applications from directly accessing security sensitive resources, including sandboxing and file access control. However, third party applications may also indirectly access these resources using inter-process communication (IPC) with system daemons. If these daemons fail to properly enforce access control on IPC, confused deputy vulnerabilities may result. Identifying such vulnerabilities begins with an enumeration of all IPC services accessible to third party applications. However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at a large scale. In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis. Using Kobold, we discovered multiple NSXPC services with confused deputy vulnerabilities and daemon crashes. Our findings include the ability to activate the microphone, disable access to all websites, and leak private data stored in iOS File Providers.

查看原文本刊更多论文

评估iOS上远程NSXPC方法的分散访问控制

苹果使用了几种访问控制机制来防止第三方应用程序直接访问安全敏感资源，包括沙箱和文件访问控制。但是，第三方应用程序也可以使用进程间通信(IPC)与系统守护进程间接访问这些资源。如果这些守护进程不能正确地在IPC上执行访问控制，可能会导致混乱的代理漏洞。识别此类漏洞首先要列举第三方应用程序可访问的所有IPC服务。然而，IPC接口及其相应的访问控制策略是未知的，必须大规模地进行反向工程。本文提出了基于静态和动态分析相结合的Kobold框架来研究基于nsxpc的系统服务。在使用Kobold时，我们发现了多个NSXPC服务，这些服务具有混乱的代理漏洞和守护程序崩溃。我们的发现包括激活麦克风的能力，禁止访问所有网站，以及泄露存储在iOS文件提供程序中的私人数据。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量