No Apology Required: Deconstructing BB10

Zach Lanier
December 04, 2014


Transcript

  1. No Apology Required: Deconstructing BB10 (CanSecWest 2014)

  2. Introduction • Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything
  4. Introduction • Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs • Zach Lanier (quine), Sr. Security Researcher, Duo Security • Presentation foul: <--- mixing memes --->
  5. Why this matters

  7. Why this matters: you're an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD
  8. Agenda • Previous Research • Platform Overview • Methodology • Attack Surface • Future Work
  9. Previous Research

  10. Our PlayBook stuff • Targeted predecessor of BB10, TabletOS on the BB PlayBook • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data) • RE'd firmware • Mirrored all of AppWorld (steal all the premium apps) • And more...
  11. Our PlayBook stuff (cont'd) • Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no permissions required) • Still true in BB10, but child processes (even detached ones) are killed when the app/parent ends • "Headless Apps" allow for background services, but special permissions are required • Granting of those permissions is contingent upon approval from the RIM/BB signing service
  12. Others • Julio Cesar Fort's QNX research • SEC Consult BB10 paper • RPW's BB10 preso (BH USA '13) • Tim Brown's various QNX/TabletOS/BB10 works
  13. Platform Overview

  14. Overview • ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC) • BB10 (based on QNX Neutrino RTOS 8.0.0) • Major components (as of 10.2.1.1925): WebKit (537.10 / 10.2.1.66), Adobe Flash (11.1.121.199), Adobe AIR (3.1.0.230), BlackBerry Balance (isolated, corporate PIM)
  15. QNX • Microkernel, only truly trusted component • Userspace kernel and process manager: procnto • Separation of network, I/O, HMI, etc. into separate components • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction) • Previous public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others
  16. Security Controls / Mitigations • pf (NetBSD's port of the OpenBSD packet filter) • POSIX (filesystem) ACLs • Compiler & linker protections for native apps • Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO
  17. QDE/Momentics default build options

  18. Security Features • BlackBerry Balance • Encrypted, FACL'd "container", a.k.a. "perimeter" • BES policy enforcement • DISA STIGs guide these
  19. authman & permissions • authman service maps app permissions to system resources • Filesystem permissions + POSIX ACLs, pf rules • Shell script and Python glue to bind it all together
  20. authman & permissions • /dev/authman: resource manager "dispatch" path (QNX IPC endpoint) • /etc/authman: configs • Pair of files (".res" & ".acl"), named for profile type
  21. authman & permissions • Controls access to app permissions (allow, prompt, deny) • Sets FACLs on filesystem objects based on the app permission requested • Also sets process capabilities for certain permission types (e.g. "Headless apps")
  22. authman & pf • authman handles setting up the (app) GID:rule mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2
  23. authman at work (output from sloginfo, the tool that prints the system log; slide callouts: "capabilities" based on permissions, ACLs based on permissions, pf rule(s)):
    Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow execute
    Dec 06 01:53:04 5 41 0 authman: Applying execute
    Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
    Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
    Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
    Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
    Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
    Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
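The sloginfo output above is the most direct view of what a permission grant actually turns into on disk: a GID, a set of req:Allow/Deny decisions, a pf anchor rescan, and a series of set_acl_group_perms calls. The following parser is an added example (written for this page, not code from the talk or from BlackBerry) that reads lines of that shape and pulls out the checks a reviewer wants: which PPS objects the app's GID became able to write, and whether anything was applied without a matching Allow. The sample log is constructed in the same format as the slide (the RX line is shortened, and a Deny decision plus an unrequested manage_certificates are added to exercise the checks); the regexes assume the line layout shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the sloginfo lines above (RX line shortened;
# the Deny line and the unrequested manage_certificates are added to exercise the
# checks). Not a capture from a device.
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded access_internet access_shared access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Deny access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
"""

# Line shapes are taken from the slide; anything else authman logs is ignored.
RX_RE = re.compile(r"authman: RX euid=(\d+)/egid=(\d+), '(.*)'\s*$")
REQ_RE = re.compile(r"authman: req:(Allow|Deny|Prompt) (\S+)")
APPLY_RE = re.compile(r"authman: Applying (\S+)")
ACL_RE = re.compile(r"authman: set_acl_group_perms: gid=(\d+), perms=(\d+), (\S+)")
PF_RE = re.compile(r"authman: pf_remove_gid: scanning anchors for gid=(\d+)")


@dataclass
class AuthmanEvent:
    app: str = ""
    euid: int = 0
    gid: int = 0                                   # app GID that ACLs and pf rules are bound to
    requested: dict = field(default_factory=dict)  # permission -> Allow / Deny / Prompt
    applied: list = field(default_factory=list)    # permissions authman actually applied
    acls: list = field(default_factory=list)       # (gid, group perms as 'rwx', path)
    pf_gids: list = field(default_factory=list)    # GIDs whose pf anchors were rescanned


def decode_group_perms(octal_str):
    """perms=060 -> 'rw-': authman adds a group ACL entry, so only the middle octal digit matters."""
    g = (int(octal_str, 8) >> 3) & 7
    return ("r" if g & 4 else "-") + ("w" if g & 2 else "-") + ("x" if g & 1 else "-")


def parse_authman_log(text):
    ev = AuthmanEvent()
    for line in text.splitlines():
        if m := RX_RE.search(line):
            # 'defapp ext __def personal dual <gid> <gid> <app id> "name" "vendor" "id" perms...'
            tokens = m.group(3).split()
            ev.euid, ev.gid, ev.app = int(m.group(1)), int(tokens[5]), tokens[7]
        elif m := REQ_RE.search(line):
            ev.requested[m.group(2)] = m.group(1)
        elif m := APPLY_RE.search(line):
            ev.applied.append(m.group(1))
        elif m := ACL_RE.search(line):
            ev.acls.append((int(m.group(1)), decode_group_perms(m.group(2)), m.group(3)))
        elif m := PF_RE.search(line):
            ev.pf_gids.append(int(m.group(1)))
    return ev


def writable_objects(ev):
    """Filesystem objects (here PPS control objects) the app's GID was just granted write on."""
    return [path for gid, perms, path in ev.acls if gid == ev.gid and "w" in perms]


def applied_but_not_allowed(ev):
    """Permissions authman applied without a matching req:Allow; worth a second look."""
    return [p for p in ev.applied if ev.requested.get(p) != "Allow"]


if __name__ == "__main__":
    ev = parse_authman_log(SAMPLE_LOG)
    print(ev.app, "gid", ev.gid, "pf rescanned for", ev.pf_gids)
    print("group-writable objects:", writable_objects(ev))
    print("applied without Allow:", applied_but_not_allowed(ev))
```

On the simulator this can be fed straight from `sloginfo | grep authman:`; on a real device the slog devices are not readable without a higher privilege level, as the deck notes later, so the same parser is mostly useful against simulator or firmware-image logs.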
  24. PPS • "Persistent Publish / Subscribe" • Implemented by the pps manager process • Simple interface for sharing data and notifications/eventing via filesystem objects
  25. IPC • IPC is key in QNX • "Message passing" & signals implemented in the microkernel • Other (POSIX-compatible) IPC mechanisms implemented by manager processes (diagram: message passing, message copying, simple messages, channels, events (pulses, signals, unblocks), signals, shared memory, typed memory, pipes, FIFOs, each marked as provided by the kernel or by an external process/manager)
  26. Application Model • Native (C/C++) • WebWorks / Cordova (HTML/JS) • Adobe AIR (Flash/AS, HTML/JS) • Android (Java/DEX) • 20 app perms documented, 340 unique app & sys perms observed
  27. Application Model • App processes run with the same UIDs, but separate GIDs (incl. supplemental GIDs) • Apps have separate data stores/"sandboxes" • With Balance/corporate separation, additional data stores • Production apps are signed by the BB/RIM signing server
  28. Our Approach to the Platform: meth·od·ol·o·gy /ˌmeTHəˈdäləjē/
  29. Testing Limitations

  30. Testing Limitations • General lack of enthusiasm for BB10 as a target • General lack of public information about the system • Effective security controls • We're left looking at a black box
  31. OSINT Just ask the internet!

  32. OSINT: existing previous work • Our PlayBook work • SEC Consult paper • Works by RPW, Tim Brown, Julio Cesar Fort, etc. • Not a ton of stuff out there • https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
  33. OSINT: QNX Foundry • Man pages for QNXisms • Downloads • Forums • Wiki • Google dorks are golden…
  34. OSINT: speaking of Google dorks…
  35. OSINT: some random RIM employee's file dump? • Upcoming product feature assessment • Hardware code names • Upcoming project effort estimations / release dates
  36. OSINT: some random RIM employee's file dump? • Internal bug tracker • Internal URL
  37. OSINT: some random RIM employee's file dump? • Pre-release BB10 developer image for Winchester/PlayBook
  38. Dynamic Analysis Watch it work and try to understand “why”

  39. Dynamic Analysis • RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible! • Lots of SDK stuff, including a native SDK, giving us: libc, libcurl, OpenSSL, V8, and tons more • Easy cross-compilation
  40. Dynamic Analysis Development Tools Sample code

  41. Dynamic Analysis • Momentics target navigator: proc/thread mem info, FS nav, etc. • Controller app: controls NFC, camera, geoloc, etc. for the Simulator
  42. Dynamic Analysis • Momentics provides QNX-specific versions/builds of the typical toolchain • gdb • also objdump, nm, readelf, gcc, etc.
  43. Dynamic Analysis • BlackBerry Simulator: gives us something similar to the real thing; we can have root access (with a bit of work); access to tools relevant to the real thing • MDS Simulator • QNX Software Development Platform (SDP): it's like the non-official "platform" debug tool; a fully accessible QNX environment
  44. Dynamic Analysis: just another box on the network • Testing harness • Wireshark • Proxy (Burp and friends) • nmap • Various fuzzers • Custom stuff
  45. Dynamic Analysis: there are lots of network services (figure: BB10 network services)
  47. Dynamic Analysis • Unsurprisingly, logs => info • slogger (app event logger) and slogger2 (system event logger) • Readable on the simulator with sloginfo and slog2info • slog* devices not readable on device :(
    Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
    Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
    Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
    Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
    Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
    Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
    Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
  48. Dynamic Analysis Debugging is a breeze

  49. Target Host

  50. Fuzzing…

  51. Static Analysis For the things that can’t be watched

  52. Static Analysis: installation bundles • BAR format (hurr durr) • De-facto standard for any non-factory packages • META-INF directory: code signatures and app info • "assets"
    % zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
    META-INF/MANIFEST.MF
    META-INF/AUTHOR.SF
    META-INF/AUTHOR.EC
    META-INF/RDK.SF
    META-INF/RDK.EC
    native/bar-descriptor.xml
    native/icon.png
    native/assets/main.qml
    native/qm/Gooby.qm
    native/Gooby.so
    native/GoobyService
    native/assets/.assets.index
  53. Static Analysis MANIFEST.MF: Package Meta Info

  54. Static Analysis MANIFEST.MF: Application Meta Info

  55. Static Analysis MANIFEST.MF: Entry Point Info

  56. Static Analysis MANIFEST.MF: Entry Point Info
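Slides 52 through 56 cover the two things worth pulling out of a .bar before any reversing: the META-INF signature members and the MANIFEST.MF package, application and entry-point metadata. The script below is an added example (written for this page, not tooling from the talk or from BlackBerry) that builds a small constructed .bar in memory with the member layout shown in the zipinfo listing, then inspects it: it checks that the AUTHOR/RDK signature members exist, parses the manifest's Key: Value lines, lists the permissions declared for the entry point, and verifies each listed asset's SHA-512 digest against the archive contents so that a post-signing modification is caught. The manifest key names (Entry-Point-User-Actions, Archive-Asset-Name, Archive-Asset-SHA-512-Digest) and the placeholder signature bodies are assumptions made for the example and should be checked against a real bundle.

```python
import base64
import hashlib
import io
import zipfile

# Signature members present in the zipinfo listing on the slide.
SIGNATURE_MEMBERS = ("META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC",
                     "META-INF/RDK.SF", "META-INF/RDK.EC")


def sha512_b64(data):
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def parse_manifest(text):
    """Parse 'Key: Value' lines; a leading space continues the previous value.
    Returns an ordered list of pairs so repeated asset name/digest keys stay aligned."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and entries:
            key, value = entries[-1]
            entries[-1] = (key, value + raw[1:])
            continue
        key, _, value = raw.partition(":")
        entries.append((key.strip(), value.strip()))
    return entries


def build_sample_bar(tamper=False):
    """Constructed .bar (a zip) mirroring the slide's layout; not a real app.
    Manifest key names are assumed for this example. Signature bodies are placeholders."""
    assets = {
        "native/bar-descriptor.xml": b"<qnx><permission>access_internet</permission></qnx>",
        "native/Gooby.so": b"\x7fELF sample-bytes",
        "native/GoobyService": b"#!/bin/sh\n",
    }
    lines = ["Archive-Manifest-Version: 1.1",
             "Package-Name: Gooby",
             "Application-Name: Gooby",
             "Entry-Point: native/GoobyService",
             "Entry-Point-User-Actions: access_internet,run_when_backgrounded,access_shared",
             ""]
    for name, data in assets.items():
        lines += [f"Archive-Asset-Name: {name}",
                  f"Archive-Asset-SHA-512-Digest: {sha512_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\n".join(lines))
        for member in SIGNATURE_MEMBERS:
            z.writestr(member, b"placeholder")
        for name, data in assets.items():
            if tamper and name == "native/Gooby.so":
                data += b"\x90"  # modification made after the manifest digests were computed
            z.writestr(name, data)
    return buf.getvalue()


def inspect_bar(bar_bytes):
    z = zipfile.ZipFile(io.BytesIO(bar_bytes))
    names = set(z.namelist())
    manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
    fields = dict(manifest)  # last value wins; fine for the single-valued keys used here
    report = {
        "package": fields.get("Package-Name"),
        "entry_point": fields.get("Entry-Point"),
        "permissions": [p for p in fields.get("Entry-Point-User-Actions", "").split(",") if p],
        "missing_signature_members": [m for m in SIGNATURE_MEMBERS if m not in names],
        "digest_mismatches": [],
        "unlisted_assets": [],
    }
    # Pair each Archive-Asset-Name with the digest line that follows it.
    listed, current = {}, None
    for key, value in manifest:
        if key == "Archive-Asset-Name":
            current = value
        elif key == "Archive-Asset-SHA-512-Digest" and current:
            listed[current] = value
            current = None
    for name, digest in listed.items():
        if name not in names or sha512_b64(z.read(name)) != digest:
            report["digest_mismatches"].append(name)
    report["unlisted_assets"] = sorted(
        n for n in names
        if not n.startswith("META-INF/") and not n.endswith("/") and n not in listed)
    return report


if __name__ == "__main__":
    print(inspect_bar(build_sample_bar()))
    print(inspect_bar(build_sample_bar(tamper=True))["digest_mismatches"])
```

The digest check only proves that the archive matches its own manifest; whether the manifest itself is authentic is what the AUTHOR/RDK signature files are for, and verifying those requires the signing server's public keys, which this example does not model.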

  57. Static Analysis: getting firmware • MITM the CDN downloads • The "community" has built some good tools • http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
  58. Static Analysis: getting into the firmware • "pbtools" • Mount the firmware in the Simulator or SDP • SCP the files back out • https://github.com/intrepidusgroup/pbtools
  59. Static Analysis: shell scripts • /base/scripts/ • Easy to read • grep-fu for great success! (excerpt from "startup.sh")
  60. Static Analysis: Python, for everything important on BB10 that isn't written in bash • Most of it is compiled Python (bytecode; *.pyc) • unpyc3.py • https://code.google.com/p/unpyc3/
  61. Static Analysis: ActionScript • Decompile with Sothink / whatever • Most ActionScript apps handle front-end stuff (e.g. qnx.AIRServices.ota.OtaUpdate)
  62. Static Analysis: compiled binaries • IDA cleanly disassembles ARM / x86 • Without a public root, disassembly might be your best/only bet for dorking with many network services
  63. Attack Surface http://www.harkavagrant.com/?id=250

  64. Entry Points Where the device accepts data

  65. IPC • Numerous IPC endpoints available • QNX channels particularly caught our eye • Wrote some horrible IPC scanners / fuzzers • Problem: not always sure WTF is on the other end of a channel (or able to attach to a channel but unable to send) • Also DoS'd/froze the device multiple times during mass channel scans
    $ ./scanchan.py 643092
    Could not find platform independent libraries <prefix>
    Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
    [+] PID: 643092 - Connected to channel: 2
    [-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
    $ ./fchan1.py 1019928 16
    [+] PID: 1019928 - Connected to channel: 16
    (48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c \x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|\x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d\x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u\x04\x00\x00\x00argsu\x06\x00\x00\x00…
  66. Network Services • Samba! • WWW! • WebDAV! • Proxies! • SSH! • Other stuff!
  67. Network Services • Locally hosted CGI scripts are used for device management "stuff": backup & restore, application installation, device reset, limited logging control, limited PIM management, enterprise registration, etc.
  68. WiFi • Many device management functions happen over HTTP/SMB, with the option of operating over WiFi • Handset acts as a UPnP gateway • There are some real problematic areas observable over WiFi
  69. USB • Mass storage? Nay, Ethernet! • Similar to WiFi (WWW/SMB), with additional capabilities
  70. Bluetooth • Tether your handset to your tablet • SapphireProxy (get it?*) • WebDAV • HTTP proxy • Protected by pf • BlackBerry "Bridge" / SapphireProxy: this service has had problems in the past… (* barely recognizable BattleStar reference)
  71. NFC • It works and there are no security problems? • Haven't really explored this ourselves • Biggest concern is likely bad NDEF message parsing by 3rd party native apps
  72. Local Application • Malware / client-side attacks • Insufficient controls on sensitive local file and network resources • Privilege escalations are like gold
  73. Balance • An attempt at solving BYOD • "Perimeters" manage the separation between personal and enterprise applications, data, and network resources • Enterprise perimeter security is controlled by BES and enforced locally
  74. Balance • Concerned Consumer: Sounds great. How does it work? I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.
  75. Balance • RIM: I don't want to say that it's all based on file permissions… …but it's all based on file permissions
  76. Future Work

  77. TODO • Further (re-)exploration of: authman, system IPC endpoints, Balance, Android support, radio (NFC, Cell/BB, BT), HDMI, USB
  78. Conclusion

  79. Questions / Contact • https://twitter.com/quine • zach@n0where.org • zach@duosecurity.com (<-- shameless plug) • https://twitter.com/bnull