Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS

Apple uses several access control mechanisms to prevent third-party applications from directly accessing security-sensitive resources, including sandboxing and file access control. However, third-party applications may also indirectly access these resources through inter-process communication (IPC) with system daemons. If these daemons fail to properly enforce access control on IPC, confused deputy vulnerabilities may result. Identifying such vulnerabilities begins with an enumeration of all IPC services accessible to third-party applications. However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at a large scale. In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis. Using Kobold, we discovered multiple NSXPC services with confused deputy vulnerabilities and daemon crashes. Our findings include the ability to activate the microphone, disable access to all websites, and leak private data stored in iOS File Providers.
