iOracle: Automated Evaluation of Access Control Policies in iOS

Modern operating systems, such as iOS, use multiple access control policies to define an overall protection system. However, the complexity of these policies and their interactions can hide policy flaws that compromise the security of the protection system. We propose iOracle, a framework that logically models the iOS protection system such that queries can be made to automatically detect policy flaws. iOracle models policies and runtime context extracted from iOS firmware images, developer resources, and jailbroken devices, and iOracle significantly reduces the complexity of queries by modeling policy semantics. We evaluate iOracle by using it to successfully triage executables likely to have policy flaws and comparing our results to the executables exploited in four recent jailbreaks. When applied to iOS 10, iOracle identifies previously unknown policy flaws that allow attackers to modify or bypass access control policies. For compromised system processes, consequences of these policy flaws include sandbox escapes (with respect to read/write file access) and changing the ownership of arbitrary files. By automating the evaluation of iOS access control policies, iOracle provides a practical approach to hardening iOS security by identifying policy flaws before they are exploited.
