
No Apology Required Deconstructing BB10 CanSecWest 2014 - PowerPoint PPT Presentation


  1. No Apology Required Deconstructing BB10 CanSecWest 2014

  2. Introduction • Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything

  4. Introduction Presentation foul: <--- mixing memes ---> • Zach Lanier (quine), Sr. Security Researcher, Duo Security • Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs

  5. Why this matters

  7. Why this matters You’re an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD

  8. Agenda • Previous Research • Platform Overview • Methodology • Attack Surface • Future Work

  9. Previous Research

  10. Our PlayBook stuff • Targeted predecessor of BB10 — TabletOS on BB PlayBook • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data) • RE’d firmware • Mirrored all of AppWorld (steal all the premium apps) • And more...

  11. Our PlayBook stuff (cont’d) • Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no perm’s req’d) • Still true in BB10, but (even detached) child procs killed when app/parent ends • “Headless Apps” allow for background services, but special perms required • Granting of perms is contingent upon approval from RIM/BB signing service

  12. Others • Julio Cesar Fort’s QNX research • SEC Consult BB10 paper • RPW’s BB10 preso (BH USA ’13) • Tim Brown’s various QNX/TabletOS/BB10 works

  13. Platform Overview

  14. Overview • ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC) • BB10 (based on QNX Neutrino RTOS 8.0.0) • Major components (as of 10.2.1.1925): WebKit (537.10 / 10.2.1.66), Adobe Flash (11.1.121.199), Adobe AIR (3.1.0.230) • BlackBerry Balance (isolated, corporate PIM)

  15. QNX • Microkernel, only truly trusted component • Userspace kernel and process manager - procnto • Separation of network, I/O, HMI, etc. into separate components • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction) • Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others

  16. Security Controls / Mitigations • OpenBSD/NetBSD pf • POSIX (filesystem) ACLs • Compiler & linker protections for native apps • Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO

  17. QDE/Momentics default build options

  18. Security Features • Blackberry Balance • Encrypted, FACL’d “container” • a.k.a. “perimeter” • BES policy enforcements • DISA STIGs guide these

  19. authman & permissions • authman service - maps app permissions to system resources • Filesystem permissions + POSIX ACLs, PF rules • Shell script and Python glue to bind it all together

  20. authman & permissions • /dev/authman: resource manager “dispatch” path (QNX IPC endpoint) • /etc/authman: configs • Pair of files (".res" & ".acl"), named for profile type

  21. authman & permissions • Controls access to app permissions (allow, prompt, deny) • Sets FACLs on filesystem objects based on app permission requested • Also sets process capabilities for certain permission types (e.g. “Headless apps”)

  22. authman & pf • authman handles setting up (app) GID:rule mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

  23. output from sloginfo (tool to print system log); slide callouts: “Capabilities” based on permissions (the req:Allow lines), ACLs based on permissions (the set_acl_group_perms lines)
 Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
 Dec 06 01:53:04 5 41 0 authman: Requested caps:
 Dec 06 01:53:04 5 41 0 authman: req:Allow execute
 Dec 06 01:53:04 5 41 0 authman: Applying execute pf rule(s)
 Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
 Dec 06 01:53:04 5 41 0 authman: Requested caps:
 Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
 Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
 Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
 Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
 Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
 Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
 Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
 Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
 Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
 Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
 Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
 Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
 Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
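The authman slides (19 through 23) describe the permission-to-ACL mapping only through this log. As an added example (not from the deck or from BlackBerry), here is a small Python parser for sloginfo lines in that format that correlates each "Applying <permission>" entry with the set_acl_group_perms calls that follow it, so an auditor can see which PPS objects a given app GID ends up able to write; the sample log is a constructed, shortened excerpt in the same format, and the "ACL lines belong to the most recent Applying line" rule is an assumption read off the capture above.

```python
import re
from collections import defaultdict

# Constructed sample in the same line format as the sloginfo output on the
# slide above (shortened; not the original capture).
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
"""

REQ_RE = re.compile(r"authman: req:(\w+) (\S+)$")
APPLY_RE = re.compile(r"authman: Applying (\S+)$")  # single-token form only, skips "Applying execute pf rule(s)"
ACL_RE = re.compile(r"authman: set_acl_group_perms: gid=(\d+), perms=([0-7]{3}), (\S+)$")


def group_bits(perms):
    """Decode the group triplet of an octal mode string like '060' -> 'rw-'."""
    g = (int(perms, 8) >> 3) & 0o7
    return "".join(c if g & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def parse_authman(log):
    """Return (decisions, grants): decisions maps permission -> Allow/Deny/...;
    grants maps gid -> permission -> [(path, group rwx)], attributing each
    set_acl_group_perms line to the most recent 'Applying <perm>' line (assumed)."""
    decisions = {}
    grants = defaultdict(lambda: defaultdict(list))
    current = None
    for line in log.splitlines():
        if m := REQ_RE.search(line):
            decisions[m.group(2)] = m.group(1)
        elif m := APPLY_RE.search(line):
            current = m.group(1)
        elif (m := ACL_RE.search(line)) and current:
            gid, perms, path = m.groups()
            grants[gid][current].append((path, group_bits(perms)))
    return decisions, grants


def writable_paths(grants, gid):
    """PPS objects the app GID gets group write on, i.e. control endpoints it can drive."""
    return sorted(p for entries in grants[gid].values() for p, rwx in entries if "w" in rwx)


if __name__ == "__main__":
    decisions, grants = parse_authman(SAMPLE_LOG)
    for gid in grants:
        print(gid, "writable:", writable_paths(grants, gid))
```

Run it against a full sloginfo capture to diff the set of writable PPS control objects per app GID against what the app's manifest permissions should justify.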

  24. PPS • “Persistent Publish / Subscribe” • Implemented by pps manager process • Simple interface for sharing data, notifications/eventing via filesystem objects

  25. IPC • IPC is key in QNX • “Message passing” & signals implemented in microkernel • Other IPC (POSIX-compatible) mechanisms implemented by manager processes
 [Diagram: QNX IPC mechanisms and where each is implemented (kernel vs. external process/manager) — message passing (message copying, simple messages, channels: pulses, signals, unblocks), signals, events, typed memory, shared memory, pipes, FIFOs]

  26. Application Model • Native: C/C++ • WebWorks / Cordova: HTML/JS • Adobe AIR: Flash/AS/HTML/JS • Android: Java/DEX • 20 app perms documented, 340 unique app & sys perms observed

  27. Application Model • App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs) • Apps have separate data stores/“sandboxes” • With Balance/corporate separation, additional data stores • Production apps are signed by BB/RIM signing server

  28. Our Approach to the Platform: meth·od·ol·o·gy /ˌmeTHəˈdäləjē/

  29. Testing Limitations

  30. Testing Limitations • General lack of enthusiasm for BB10 as a target • General lack of public information about the system • Effective security controls • We’re left looking at a black box

  31. OSINT Just ask the internet!

  32. OSINT • Existing previous work: Our PlayBook work; SEC Consult paper (https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf); Works by RPW, Tim Brown, Julio Cesar Fort, etc. • Not a ton of stuff out there

  33. OSINT QNX Foundry • Man pages for QNXisms • Downloads • Forums • Wiki • Google dorks are golden…
