the apple sandbox
play

The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 - PowerPoint PPT Presentation

Aug 04, 2023 •499 likes •1.21k views

Dionysus Blazakis The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011 Where to find stuff https://github.com/dionthegod/XNUSandbox http://www.semantiscope.com/research/ BHDC2011/BHDC2011-Paper.pdf

  1. Dionysus Blazakis The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011

  2. Where to find stuff https://github.com/dionthegod/XNUSandbox http://www.semantiscope.com/research/ BHDC2011/BHDC2011-Paper.pdf http://www.semantiscope.com/research/ BHDC2011/BHDC2011-Slides.pdf Wednesday, January 19, 2011

  3. I’m Dion I work for ISE as a reverser/ cracker/developer/exploiter. I’m not a security old salt (embedded developer by trade.) Wednesday, January 19, 2011

  4. Software is hard. I used to fuzz Adobe Reader all the time. It broke a lot. Later, I learned most software breaks a lot. Wednesday, January 19, 2011

  5. We should *totally* do something about this. static analysis tools large scale fuzz testing developer training change control (formal methods) Wednesday, January 19, 2011

  6. Suppose # bugs are going to zero How long will it take? What happens for the next 5 (50) years? Assume an attacker can, for the near future, always find a bug cheaply. Wednesday, January 19, 2011

  7. Got a bug, now what? OS exploit mitigations. Written by security people that are developers (!!!?!?) Mitigations make exploitation much more expensive, but still relatively cheap. Wednesday, January 19, 2011

  8. Client apps are behind Separating privileges is nothing new for server applications. Maybe it’s a good idea for client applications to be explicit about privileges. (i.e. your browser’s HTML parser doesn’t need to execute calc.exe) Wednesday, January 19, 2011

  9. A simile Exploitation is like a chase scene. You need to get to through an alley, but there is always that barbed-wire fence. Client apps (.NET or Flash or any info leaks) keep stacking cardboard boxes against the first fence (OS mitigations). Wednesday, January 19, 2011

  10. The sandboxes are coming! MS Internet Explorer and Office Protected View Google Chrome Adobe Reader X iOS AppStore Wednesday, January 19, 2011

  11. OS Support Fine-grained control via process syscall filtering: Linux: SELinux, AppArmor FreeBSD, XNU: TrustedBSD Wednesday, January 19, 2011

  12. This Talk A top-down walkthrough of the XNU Sandbox Wednesday, January 19, 2011

  13. Not this talk Some sandbox escape. If you were expecting me to give you one, feel free to be let down. Wednesday, January 19, 2011

  14. Why do you care? Wednesday, January 19, 2011

  15. Giant sandworms! Wednesday, January 19, 2011

  16. Giant sandworms! What’s under the sand hood? Before using it, how does it work? Wednesday, January 19, 2011

  17. XNU Sandbox Previously, codenamed “Seatbelt” For XNU systems, implemented as a TrustedBSD policy module Runtime configurable, per-process access control policy Used to contain AppStore application on iOS Wednesday, January 19, 2011

  18. Example: restricting network usage fluffy:tmp dion$ sandbox-exec -n no-internet /bin/sh sh-3.2$ file /etc/passwd /etc/passwd: ASCII English text sh-3.2$ ping www.eff.org PING eff.org (64.147.188.3): 56 data bytes ping: sendto: Operation not permitted ^C --- eff.org ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss sh-3.2$ exit Wednesday, January 19, 2011

  19. user_process sandboxd Regular Syscalls libSandbox libSystem Logging and sandbox_init Tracing TinyScheme mach messages system calls mach_kernel TrustedBSD MAC Logging and Tracing matchExec Sandbox.kext AppleMatch.kext matchUnpack Wednesday, January 19, 2011

  20. Public interface “Documented” interfaces: sandbox-exec(1) sandbox_init(3) Wednesday, January 19, 2011

  21. sandbox-exec NAME sandbox-exec -- execute within a sandbox SYNOPSIS sandbox-exec [-f profile-file] [-n profile-name] [-p profile-string] [-D key=value ...] command [arguments ...] DESCRIPTION The sandbox-exec command enters a sandbox using a profile specified by the -f, -n, or -p option and executes command with arguments. The options are as follows: -f profile-file Read the profile from the file named profile-file. -n profile-name Use the pre-defined profile profile-name. -p profile-string Specify the profile to be used on the command line. -D key=value Set the profile parameter key to value. Wednesday, January 19, 2011

  22. sandbox-exec NAME sandbox-exec -- execute within a sandbox SYNOPSIS sandbox-exec [-f profile-file] [-n profile-name] [-p profile-string] [-D key=value ...] command [arguments ...] DESCRIPTION The sandbox-exec command enters a sandbox using a profile specified by the -f, -n, or -p option and executes command with arguments. The options are as follows: sample files? -f profile-file Read the profile from the file named profile-file. where? what are these -n profile-name Use the pre-defined profile profile-name. names?? -p profile-string Specify the profile to be used on the command line. -D key=value Set the profile parameter key to value. Wednesday, January 19, 2011

  23. Example: restricting network usage fluffy:tmp dion$ sandbox-exec -n no-internet /bin/sh sh-3.2$ file /etc/passwd /etc/passwd: ASCII English text sh-3.2$ ping www.eff.org PING eff.org (64.147.188.3): 56 data bytes ping: sendto: Operation not permitted ^C --- eff.org ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss sh-3.2$ exit Wednesday, January 19, 2011

  24. sandbox_init NAME sandbox_init -- set process sandbox SYNOPSIS #include <sandbox.h> int sandbox_init(const char *profile, uint64_t flags, char **errorbuf); DESCRIPTION sandbox_init() places the current process into a sandbox(7). The NUL-terminated string profile specifies the profile to be used to config- ure the sandbox. The flags specified are formed by or'ing the following values: SANDBOX_NAMED The profile argument specifies a sandbox profile named by one of the constants given in the AVAILABLE PROFILES section below. Wednesday, January 19, 2011

  25. sandbox_init (cont.) AVAILABLE PROFILES The following are brief descriptions of each available profile. Keep in mind that sandbox(7) restrictions are typically enforced at resource acquisition time. kSBXProfileNoInternet TCP/IP networking is prohibited. kSBXProfileNoNetwork All sockets-based networking is pro- hibited. kSBXProfileNoWrite File system writes are prohibited. kSBXProfileNoWriteExceptTemporary File system writes are restricted to the temporary folder /var/tmp and the folder specified by the confstr(3) configuration variable _CS_DAR- WIN_USER_TEMP_DIR. kSBXProfilePureComputation All operating system services are pro- hibited. Wednesday, January 19, 2011

  26. /usr/include/sandbox.h /* * Available Sandbox profiles. */ /* TCP/IP networking is prohibited. */ extern const char kSBXProfileNoInternet[]; /* All sockets-based networking is prohibited. */ extern const char kSBXProfileNoNetwork[]; /* File system writes are prohibited. */ extern const char kSBXProfileNoWrite[]; /* File system writes are restricted to temporary folders /var/tmp and * confstr(_CS_DARWIN_USER_DIR, ...). */ extern const char kSBXProfileNoWriteExceptTemporary[]; /* All operating system services are prohibited. */ extern const char kSBXProfilePureComputation[]; Wednesday, January 19, 2011

  27. Too lazy for IDA fluffy:tmp dion$ cat /tmp/dump.c #include <stdio.h> #include <sandbox.h> main() { printf("%s\n", kSBXProfileNoInternet ); } fluffy:tmp dion$ gcc -o /tmp/dump /tmp/dump.c fluffy:tmp dion$ /tmp/dump no-internet Wednesday, January 19, 2011

  28. /usr/include/sandbox.h #ifdef __APPLE_API_PRIVATE /* The following flags are reserved for Mac OS X. Developers should not * depend on their availability. */ /* * @define SANDBOX_NAMED_BUILTIN The `profile' argument specifies the * name of a builtin profile that is statically compiled into the * system. */ #define SANDBOX_NAMED_BUILTIN 0x0002 /* * @define SANDBOX_NAMED_EXTERNAL The `profile' argument specifies the * pathname of a Sandbox profile. The pathname may be abbreviated: If * the name does not start with a `/' it is treated as relative to * /usr/share/sandbox and a `.sb' suffix is appended. */ #define SANDBOX_NAMED_EXTERNAL 0x0003 Wednesday, January 19, 2011

  29. Existing profiles fluffy:tmp dion$ ls /usr/share/sandbox/ awacsd.sb ntpd.sb bsd.sb portmap.sb cvmsCompAgent.sb quicklookd-job-creation.sb cvmsServer.sb quicklookd.sb fontmover.sb sshd.sb kadmind.sb syslogd.sb krb5kdc.sb xgridagentd.sb mDNSResponder.sb xgridagentd_task_nobody.sb mds.sb xgridagentd_task_somebody.sb mdworker.sb xgridcontrollerd.sb named.sb Wednesday, January 19, 2011

  30. Existing profiles fluffy:tmp dion$ cat /usr/share/sandbox/named.sb ... (deny default) (allow process*) (deny signal) (allow sysctl-read) (allow network*) ;; Allow named-specific files (allow file-write* file-read-data file-read-metadata (regex "^(/private)?/var/run/named\\.pid$" "^/Library/Logs/named\\.log$")) (allow file-read-data file-read-metadata (regex "^(/private)?/etc/rndc\\.key$" "^(/private)?/etc/resolv\\.conf$" "^(/private)?/etc/named\\.conf$" "^(/private)?/var/named/")) Wednesday, January 19, 2011

Recommend

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual

Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual

Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual Sold 10% of Apple for $2300 because of concern over a legal risk that could easily have been resolved Sells stamps from his home

702 views • 20 slides
Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve

Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve

Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve Jobs is the brain behind the very famous and very Popular Apple Company. Apple creates and designs desktop computers, Mac laptops, iTunes, iPods, the

833 views • 48 slides
Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple

Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple

Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple 1 Agenda How Apple uses LLVM to build a GPU Compiler Factors that affect GPU performance The Apple GPU compiler Pipeline passes

1.1k views • 71 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

1.15k views • 79 slides
APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV?

APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV?

APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV? Small, portable box that can be connected to the instructor station. Used to project any Apple device: phone, laptop, iPad, etc. HOW DO YOU

495 views • 11 slides
B L A S T B L A S T - A spontaneous event finder MySQL Apple Core Location framework Apple

B L A S T B L A S T - A spontaneous event finder MySQL Apple Core Location framework Apple

GRACE QIU (GRACEQIU) CARSON GULLEDGE (CGULL) B L A S T B L A S T - A spontaneous event finder MySQL Apple Core Location framework Apple Maps API Apple Push Notification Service Facebook SDK

477 views • 3 slides
Apple on Health I believe, if you zoom out into the future, and you look back, and you ask the

Apple on Health I believe, if you zoom out into the future, and you look back, and you ask the

Apple on Health I believe, if you zoom out into the future, and you look back, and you ask the question, 'What was Apple's greatest contribution to mankind?', it will be about health. --Tim Cook (Apple CEO) Every day I come into Apple,

501 views • 30 slides
Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer

Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer

Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer Museum the Vintage Computer Festival the Computer History Museum and a special group of Apple 76ers Want to cook up an industry? Its easy! Just

398 views • 17 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry

Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry

Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry Wolfville, NS August 4 th , 2015 Farid Makki Sector Development &amp; Analysis Directorate Agriculture and Agri-Food Canada Significance of Apple

645 views • 28 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi &amp; Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
T he Apple iPod, a portable music player, is available with a variety of storage capacities at

T he Apple iPod, a portable music player, is available with a variety of storage capacities at

Apple iPod Creating Mathematical Models T he Apple iPod, a portable music player, is available with a variety of storage capacities at different prices. The table below shows the price and storage capacity as of 2010 (Source: www.apple.com).

213 views • 4 slides
FTL WebKits LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers

FTL WebKits LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers

FTL WebKits LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers Meeting 2014 San Jose, CA WebKit JS Execution Tiers OSR Entry LLInt DFG FTL Baseline JIT Interpret High-level opts bytecode

749 views • 28 slides
Welcome to Apple Class! Apple Class Class teachers - Mrs Akers (Monday to Wednesday) Mrs Ashley

Welcome to Apple Class! Apple Class Class teachers - Mrs Akers (Monday to Wednesday) Mrs Ashley

Bishops Down Primary School Welcome to Apple Class! Apple Class Class teachers - Mrs Akers (Monday to Wednesday) Mrs Ashley (Thursday and Friday) Teaching assistants Miss Bryan M-F, Mrs Magee (M-Th), Miss Marriot (M-W), Mrs Bekesi (Th/F)

282 views • 14 slides
FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019 Bibiana McHugh, Manager, Mobility &amp; Location-Based Services 1 FTA Mobility on Demand (MOD) Sandbox Grant Jan 2017 - Jan 2019 TriMet was one of

391 views • 12 slides
The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

417 views • 40 slides
Malicious Bytecode Peter Cawley &lt;lua@corsix.org&gt; Lua Workshop 2011 A Common Pattern 1.

Malicious Bytecode Peter Cawley &lt;lua@corsix.org&gt; Lua Workshop 2011 A Common Pattern 1.

Mitigating the Danger of Malicious Bytecode Peter Cawley &lt;lua@corsix.org&gt; Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

369 views • 35 slides
Apple IPv6 Experiences Stuart Cheshire, Apple 72 nd IETF, 30 th July 2008, Dublin This

Apple IPv6 Experiences Stuart Cheshire, Apple 72 nd IETF, 30 th July 2008, Dublin This

Apple IPv6 Experiences Stuart Cheshire, Apple 72 nd IETF, 30 th July 2008, Dublin This presentation is available with audio soundtrack at http://www.stuartcheshire.org/IETF72/ 1 Good evening ladies and gentleman. My name is Stuart Cheshire, and

645 views • 38 slides
Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana

Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana

Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV 20 May 2015 1 2 GE Ethernet card Apple iOS Android Sandbox OpenSSL Firefox DNS resolver In the past

249 views • 23 slides

More recommend