lecture 9
play

Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS - PowerPoint PPT Presentation

Jan 25, 2024 •114 likes •477 views

Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS Devices Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz Operating Systems Practical December 3, 2014 OSP Lecture 9, PSiOS 1/35 Introduction iOS

  1. Lecture 9 PSiOS: Bring Your Own Privacy & Security to iOS Devices Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz Operating Systems Practical December 3, 2014 OSP Lecture 9, PSiOS 1/35

  2. Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 2/35

  3. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 3/35

  4. General Idea ◮ large number of mobile devices and mobile apps ◮ privacy is important, attacks are frequent ◮ need for privacy framework for iOS ◮ PSiOS: detects and prevents alterations of control-flow graph ◮ Privacy and Security for iOS ◮ define profiles and enabled fine-grained policy ◮ use static analysis to generate control-flow graph ◮ hook into the Objective-C runtime of iOS OSP Lecture 9, PSiOS 4/35

  5. Smartphone and iOS Market ◮ large number of applications ◮ app stores (Google Play, Apple AppStore) ◮ Android (open) and iOS (closed) OSP Lecture 9, PSiOS 5/35

  6. iOS Security ◮ assign a generic profile to every third party application ◮ guidelines for developpers ◮ vetting process in the AppStore ◮ several apps have been able to abuse privileges OSP Lecture 9, PSiOS 6/35

  7. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 7/35

  8. iOS Architecture OSP Lecture 9, PSiOS 8/35

  9. Application Sandboxing ◮ only happening at kernel-level, not within the Objective-C runtime ◮ course-grained sandboxing, cannot enforce fine-grained control within the Objective-C runtime ◮ iOS provides entitlements for additional rules; but they are defined by the developer and can not be subsequently changed by the user OSP Lecture 9, PSiOS 9/35

  10. Objective-C Runtime ◮ applications written in Objective-C ◮ main system libraries written in Objective-C ◮ decisions deferred from compile-time to runtime ◮ iOS objective C libraries included in frameworks: a directory with a shared library and its resources OSP Lecture 9, PSiOS 10/35

  11. Public and Private Frameworks ◮ public frameworks are accessible to apps ◮ private frameworks are only accessible to system applications ◮ “interesting” functionality is located inside private frameworks OSP Lecture 9, PSiOS 11/35

  12. The Problem ◮ generic application sandboxing profile assigned to every third-party application ◮ enforced by the kernel ◮ attacks have been reported that abuse privileges ◮ no enforcing within the Objective-C runtime OSP Lecture 9, PSiOS 12/35

  13. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 13/35

  14. High-Level Idea OSP Lecture 9, PSiOS 14/35

  15. High-Level Idea ◮ policy enforcement component checks profile rules defined by the user ◮ hooks into all Objective-C runtime calls ◮ enforces Control Flow Integrity (CFI); validates control-flow graph and prevents control-flow attacks OSP Lecture 9, PSiOS 15/35

  16. Static Analysis ◮ iOS apps are encrypted by default ◮ uses process dumping to create application memory snapshot ◮ sues improved static Objective-C analyzer to extract the control-flow graph and Objective-C information OSP Lecture 9, PSiOS 16/35

  17. Load-Time Binary Rewriting ◮ binary rewriting performed after loader (to preserve application signature) ◮ patches all indirect branches with a control flow check ◮ inserts checkpoints into calls to Objective-C runtime ◮ whenever a checkpoint is reached, the CFG is checked/validated OSP Lecture 9, PSiOS 17/35

  18. Architecture OSP Lecture 9, PSiOS 18/35

  19. Runtime Enforcing ◮ employed by the policy enforcement component ◮ three types of enforcing: Log , Exit and Replace ◮ Replace replaces return information with shadow data to prohibit access to sensitive information ◮ it is possible to create a central instance of to deploy policies (to centralize them in a given organization) OSP Lecture 9, PSiOS 19/35

  20. Sandboxing Profile Format 1 < rule type="objc" class="NSUserDefaults" 2 selector="valueForKey:" mode="exit" > < argnumber ="1" type="string" operator="=" 3 value="SBFormattedPhoneNumber" / > 4 5 < /rule > OSP Lecture 9, PSiOS 20/35

  21. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 21/35

  22. Tools of the Trade ◮ support for iOS 4.3.2, 4.3.3, 5.0.1, 5.1.1 ◮ Python module in IDA Pro 6.x for the static Objective-C analyzer ◮ MoCFI framework for CFI ◮ extended MoCFI to introduce the policy enformence component OSP Lecture 9, PSiOS 22/35

  23. Deploying PSiOS ◮ as a shared library ◮ shared library is injected into every application, through setting a variable similar to LD_PRELOAD on Linux ◮ requires jailbreak OSP Lecture 9, PSiOS 23/35

  24. Static Objective-C Analyzer ◮ parses Mach-O file and locate code and data sections ◮ identifies Objective-C classes and selectors ◮ record call to the objc_msgSend dispatcher function ◮ resolve calls to public frameworks by inspecting the symbol section ( __lazy_symbol ) OSP Lecture 9, PSiOS 24/35

  25. Objective-C Runtime Analyzer ◮ starts operating after application is loaded ◮ retrieve runtime address of selectors ◮ retrieve runtime adress of classes ◮ uses sections in the executable image in memory ( __objc_selrefs and __objc_classrefs ) OSP Lecture 9, PSiOS 25/35

  26. Policy Enforcement ◮ enforces control on each Objective-C message ◮ use analyzers to extract the runtime address ◮ parse the sandboxing profile ◮ MoCFI validates control-flow integrity ◮ applies policy, if policy is defined for class/selector ◮ for the Replace rule, a new implementation of the method is used (already prepared, returns empty data) OSP Lecture 9, PSiOS 26/35

  27. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 27/35

  28. SpyPhone ◮ open source app, capable of retrieving infomrmation ◮ may retrieve e-mail information, phone data, location, address book entries ◮ successfully applied rules to prevent SpyPhone from accessing address book entries OSP Lecture 9, PSiOS 28/35

  29. PSiOS to iOS Apps ◮ tested on Facebook, WhatsApp, Flashlight, Instagram etc. ◮ successfully used PSiOS to prevent access to the address book, personal photos, short UUID OSP Lecture 9, PSiOS 29/35

  30. Performance Overhead using Gensystek App OSP Lecture 9, PSiOS 30/35

  31. Runtime Performance Using Different Apps OSP Lecture 9, PSiOS 31/35

  32. Jailbreaking ◮ PSiOS is injected as a shared library ◮ this requires a jailbroken devices ◮ this is only required when setting up the environment, by setting a library similar to LD_PRELOAD on Linux ◮ if PSiOS were to be used by Apple, it could be implemented as a static rewriter to be used before the app is signed by Apple OSP Lecture 9, PSiOS 32/35

  33. Conclusion ◮ novel policy enforcement framework: PSiOS ◮ provides fine-grained application sandboxing ◮ effective in preventing privay breaches (SpyPhone and popular iOS apps) ◮ reasonable overhead ◮ future work in providing PSiOS as a static rewriter OSP Lecture 9, PSiOS 33/35

  34. Outline Introduction iOS Internals PSiOS Design Implementation Evaluation Keywords OSP Lecture 9, PSiOS 34/35

  35. Keywords ◮ mobile apps ◮ control flow graph ◮ iOS ◮ PSiOS ◮ sandboxing ◮ policy enforcement ◮ Objective C ◮ CFI ◮ fine-grained sandboxing ◮ static analysis ◮ static analysis ◮ jailbreak OSP Lecture 9, PSiOS 35/35

Recommend

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then reviewed the final point of lecture #3: Hennigs logical approach to tree inference is valid as logic, but we have a hard time using it because our data

660 views • 7 slides
Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

TU/e Algorithms (2IL15) Lecture 13 Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13 Part I of the course: Optimization Problems we want to find valid solution minimizing cost (or maximizing

904 views • 20 slides
In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken

In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken

In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken Birman LEAVE NO TRACE BEHIND Spring, 2020 HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 THE PRIVACY PUZZLE FOR I O T We have sensors

1.04k views • 65 slides
Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface

Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface

Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface Removal Sort polygons in depth. Use the farthest vertex in each polygon as the sorting key. Efficient Painter - binary space partition (BSP)

563 views • 6 slides
Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 -

Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 -

Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 - Resource-sensitive algebraic theories Lecture 3 - Interacting Hopf monoids and graphical linear algebra Lecture 4 - Signal Flow Graphs and recurrence

1.2k views • 61 slides
Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A Threatens Privacy Threatens Try to achieve Lecture 2B: Network threats Lecture 3A: Attacks on Lecture 6A: Security Protocols Web servers, malware

381 views • 25 slides
Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

ISDS &amp; Digital Business Skills Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture actually do? What happens before a lecture? What happens during a lecture? What does the button do?

527 views • 18 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

1.74k views • 60 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

850 views • 46 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

839 views • 58 slides
Usability of Programming Languages Lecture 4 - directed by your research interests Lecture

Usability of Programming Languages Lecture 4 - directed by your research interests Lecture

Overview Practical experimental course lectures are only introductory Lecture 1 - theoretical principles classic approaches l h current trends in leading research. Lecture 2 - candidate research methods advantages and

499 views • 15 slides
Introduction to AI &amp; Intelligent Agents This Lecture Chapters 1 and 2 Next Lecture

Introduction to AI &amp; Intelligent Agents This Lecture Chapters 1 and 2 Next Lecture

Introduction to AI &amp; Intelligent Agents This Lecture Chapters 1 and 2 Next Lecture Chapter 3.1 to 3.4 (Please read lecture topic material before and after each lecture on that topic) What is Artificial Intelligence? Thought

636 views • 31 slides
Introduction to Numerical Optimization Biostatistics 615/815 Lecture 14 Lecture 14 Course is

Introduction to Numerical Optimization Biostatistics 615/815 Lecture 14 Lecture 14 Course is

Introduction to Numerical Optimization Biostatistics 615/815 Lecture 14 Lecture 14 Course is More Than Half Done! If you have comments they are very welcome y y Lectures Lecture notes Weekly Homework Midterm

795 views • 42 slides
Lecture 12: Clustering 1 6.0002 LECTURE 12 Re Reading Chapter 23 6.0002 LECTURE 12 2 Mach Ma

Lecture 12: Clustering 1 6.0002 LECTURE 12 Re Reading Chapter 23 6.0002 LECTURE 12 2 Mach Ma

Lecture 12: Clustering 1 6.0002 LECTURE 12 Re Reading Chapter 23 6.0002 LECTURE 12 2 Mach Ma chine e Lea earn rning Paradigm Observe set of examples: training data Infer something about process that generated that data Use

847 views • 36 slides
Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4

Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4

Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4 Basics of Feedback Control Robert Babu ska Today: Steady-state response. Delft Center for Systems and Control Faculty of Mechanical

388 views • 7 slides
Psycholinguistics Lecture 2 By Dr.Chelli Lecture Objectives At the end of this lecture, students

Psycholinguistics Lecture 2 By Dr.Chelli Lecture Objectives At the end of this lecture, students

Psycholinguistics Lecture 2 By Dr.Chelli Lecture Objectives At the end of this lecture, students will be able to: Discuss the different stages in the history of psycholinguistics Identify the scholars in the field of psycholinguistics

589 views • 28 slides
Methodology for Lecture Methodology for Lecture Computer Graphics (Spring 2008) Computer

Methodology for Lecture Methodology for Lecture Computer Graphics (Spring 2008) Computer

Methodology for Lecture Methodology for Lecture Computer Graphics (Spring 2008) Computer Graphics (Spring 2008) Lecture deals with lighting (teapot shaded as in HW1) Some Nate Robbins tutor demos in lecture COMS 4160, Lecture 14: OpenGL

535 views • 5 slides
Lecture Outline Regeltechniek Previous lecture: Nyquist plot and stability criterion. Lecture 11

Lecture Outline Regeltechniek Previous lecture: Nyquist plot and stability criterion. Lecture 11

Lecture Outline Regeltechniek Previous lecture: Nyquist plot and stability criterion. Lecture 11 State-space models and state feedback control (We are finished with frequency domain methods.) Robert Babu ska Today: Delft Center for

452 views • 6 slides
CSE Fall 2014 311 Lecture 1 Lecture 1 Lecture 1: Propositional Logic Lecture 1 Foundations

CSE Fall 2014 311 Lecture 1 Lecture 1 Lecture 1: Propositional Logic Lecture 1 Foundations

CSE 311: Foundations of Computing I CSE Fall 2014 311 Lecture 1 Lecture 1 Lecture 1: Propositional Logic Lecture 1 Foundations of Computing I Fall 2014 Some Perspective About the Course We will study the theory needed for CSE: Computer

242 views • 7 slides
Proteomics Steven Meinhardt Lectures Lecture 1 Introduction review of proteins

Proteomics Steven Meinhardt Lectures Lecture 1 Introduction review of proteins

11/29/2012 Proteomics Steven Meinhardt Lectures Lecture 1 Introduction review of proteins Lecture 2 Gel Electrophoresis Lecture 3 Mass Spectrometry Lecture 4 Programs for MS analysis Lecture 5 MIAPE (Minimum

900 views • 8 slides
Multiphase Modelling in Cancer Helen Byrne Wolfson Centre for Mathematical Biology Mathematical

Multiphase Modelling in Cancer Helen Byrne Wolfson Centre for Mathematical Biology Mathematical

Lecture 1 Lecture 2 Lecture 3 Lecture 4 Multiphase Modelling in Cancer Helen Byrne Wolfson Centre for Mathematical Biology Mathematical Institute University of Oxford CRM, Barcelona, April 2018 Lecture 1 Lecture 2 Lecture 3 Lecture 4

1.79k views • 141 slides
Lecture 1: Neurons Lecture 2: Coding with spikes Lecture 3: Tuning curves and receptive fields

Lecture 1: Neurons Lecture 2: Coding with spikes Lecture 3: Tuning curves and receptive fields

Lecture 1: Neurons Lecture 2: Coding with spikes Lecture 3: Tuning curves and receptive fields Lecture 4: Population vectors To gain a basic understanding of how population vectors are constructed 4 credit students: First assignment is

584 views • 31 slides
Algorithms (2IL15) Lecture 10 NP-Completeness, II 1 TU/e Algorithms (2IL15) Lecture 10

Algorithms (2IL15) Lecture 10 NP-Completeness, II 1 TU/e Algorithms (2IL15) Lecture 10

TU/e Algorithms (2IL15) Lecture 10 Algorithms (2IL15) Lecture 10 NP-Completeness, II 1 TU/e Algorithms (2IL15) Lecture 10 Summary of previous lecture P: class of decision problems that can be solved in polynomial time NP:

496 views • 34 slides
Lecture 1: Bioinformatic Algorithms In this lecture Logistics of the course

Lecture 1: Bioinformatic Algorithms In this lecture Logistics of the course

Lecture 1: Bioinformatic Algorithms In this lecture Logistics of the course Introduction to basic biology which will continue in the following lecture Logistics of the Course Logistics About the Course Christina Boucher: (email)

546 views • 40 slides

More recommend