
Mac OS Sandboxing

How to be a fanboy and still be secure

Jameel Haffejee

October 10, 2011

Transcript

  1. Being a fanboy
    (and still being secure)

  2. About: Jameel
    • Researcher / Developer @ Thinkst.
    • Built the InfoSec Conference App (http://cc.thinkst.com)
    • Built the Chrome GPG plugin (http://thinkst.com/tools/cr-gpg)
    • Built 2 of the bots in #zacon (fpm & kiba)
    • Built other stuff we don’t talk about :>

  3. What is this talk about?

  4. sandboxing
    Wikipedia definition: “A security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users.”

  5. Why do we need it?

  6. I see you are running a Mac. What do you do to keep yourself safe?

  7. I see you are running a Mac. What do you do to keep yourself safe?
    I try to be nice to people, so that when I _do_ get owned, I don't look like such a douche!

  8. Hope is not a Strategy

  9. Alternatives?

  10. Fix All Bugs, Evar!
    Really smart guys have tried this and have thrown money and resources at the problem.
    Microsoft has invested a ton of time, money and research and still gets its code owned periodically..
    And even if you are the one programmer in the world whose code is 100%, you still have to run code written by other programmers.. This is not going to be viable for a long time.

  11. Exploit Mitigations
    Lots of talk these days about mitigations like:
    DEP / ASLR / GS / SEHOP
    They are excellent, and in some cases really make exploitation much harder.. but.. they are mostly designed to stop generic exploitation (so they stop worms and malware).
    They are bypassable by a sufficiently sophisticated attacker.

  12. Plan to Fail
    This simply means that we expect that we will be compromised.
    We now work from that point and ask how we can frustrate an attacker completely,
    or how much we can limit him, so that we are either unattractive as a target.. or slow him down enough for us to detect him.

  13. Other SandBoxes?
    Is this a new concept?

  14. Other guys doing it:
    MSIE / Office Protected View - http://office.microsoft.com/en-us/excel-help/what-is-protected-view-HA010355931.aspx - By using Protected View, you can read a file and inspect its contents while reducing the risks that can occur.
    Google Chrome: http://www.chromium.org/developers/design-documents/sandbox
    Adobe Reader X - Protected Mode is new functionality in Reader X that opens PDF files within an isolated, sandboxed instance of the application. It protects your computer and data from malicious code that might be contained in a PDF file. Protected Mode is enabled by default and lets you securely interact with a fully functional, robust PDF.

  15. SELinux / AppArmor
    offer protection through fine-grained syscall filtering

  16. The OS X Sandbox
    OS X Sandbox (see Seatbelt)

  17. “The Apple Sandbox”
    Dionysus Blazakis (BHDC 2011)
    How it works:
    Previously codenamed “Seatbelt”
    For XNU systems, implemented as a TrustedBSD policy module
    Runtime-configurable, per-process access control policy
    Used to contain App Store applications on iOS
    Underneath, it uses a kernel extension (sandbox.kext) to enforce the sandbox profiles.

  18. Why is this cool?
    It's free.
    It's not compile-time protection (so we can protect apps that were previously weak).

  19. [1] sandbox_init
    [2] sandbox-exec
    We are going to look at the 2 implementations of this on Mac..

  20. sandbox_init (3)
    (3) refers to its man page section,
    i.e. man 3 sandbox_init (http://en.wikipedia.org/wiki/Man_page)
    This means C functions/libs.

  21. Places a process in a sandbox.
    We see the prototype is simple.. it needs a string which represents the profile to be used..
    What are these profiles?

  23. Also from the man page..

  25. Simple Demo
    We have a simple .c program that calls 2 functions:
    readfile (which reads /etc/passwd) &
    writefile (which writes to hello.txt) (you can alt-tab and show the functions) - then compile and run.

  26. Simple Demo
    We simply add one line..
    Alt-tab to compiletime2 (explain that we do some basic error handling).
    Show the difference..
    Important: summarise! Most people don't know what they just saw.
    So say it: so you see.. just adding that line prevented the app from reading or writing files..

  27. I thought this was a non-compile-time protection?

  28. SANDBOX-EXEC(1)
    man 1 -> meaning userland app

  29. SANDBOX-EXEC(1)
    This allows us to invoke the sandbox at runtime, using a profile-file.

  30. profile-file
    Simple to read/write, scheme-like syntax.
    "app-armor"
    Simple utility to help make sandboxes happen

  31. Simple Demo 2
    • ./runtime1.sh
    • ./runtime2.sh
    • ./runtime3.sh
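
Added example (not the deck's demo code): the readfile/writefile pair from the first demo with the sandbox_init(3) call added, this time passing a custom profile written in the scheme-like syntax a sandbox-exec(1) profile-file uses, so the read of /etc/passwd stays allowed while the write of hello.txt is denied. The output path and the profile text are constructed for this example, and the #ifdef lets the file compile on non-Apple systems, where enter_sandbox() just reports that no sandbox is available.

```c
#include <stdio.h>
#ifdef __APPLE__
#include <sandbox.h>   /* sandbox_init(3); deprecated since 10.8 but still shipped */
#endif
#define DEMO_PATH "/tmp/sandbox_demo_hello.txt"   /* constructed stand-in for the demo's hello.txt */
/* Profile in the scheme-like syntax the deck describes: deny everything, then allow back
 * only what this program needs. The same syntax goes into a sandbox-exec(1) profile-file. */
const char *PROFILE =
    "(version 1)\n"
    "(deny default)\n"                          /* whitelist model */
    "(allow file-read-metadata)\n"              /* stat()/symlink lookup of path components */
    "(allow file-read* (literal \"/etc/passwd\")"
    " (literal \"/private/etc/passwd\"))\n";    /* /etc -> /private/etc; no file-write* rule, so all writes are denied */
/* Both return 0 on success and -1 when the open is refused (what a denied access looks like). */
int writefile(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("hello\n", f);
    return fclose(f) == 0 ? 0 : -1;
}
int readfile(const char *path) {
    char line[256];
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    int rc = fgets(line, sizeof line, f) != NULL ? 0 : -1;
    fclose(f);
    return rc;
}
/* The "one line" the deck adds: confine the calling process with PROFILE. Returns 0 when
 * sandboxed, -1 if the profile was rejected, 1 where sandbox_init does not exist. */
int enter_sandbox(void) {
#ifdef __APPLE__
    char *errbuf = NULL;
    if (sandbox_init(PROFILE, 0, &errbuf) != 0) {   /* flags 0: PROFILE is profile text */
        fprintf(stderr, "sandbox_init: %s\n", errbuf ? errbuf : "unknown error");
        sandbox_free_error(errbuf);
        return -1;
    }
    return 0;
#else
    return 1;   /* lets the file build on non-Apple systems; nothing is sandboxed there */
#endif
}

int main(void) {
    printf("unsandboxed: write=%d read=%d\n", writefile(DEMO_PATH), readfile("/etc/passwd"));
    if (enter_sandbox() != 0) return 1;
    /* Read still allowed, write now denied (EPERM); the exit status reports it, not stdout. */
    return (readfile("/etc/passwd") == 0 && writefile(DEMO_PATH) == -1) ? 0 : 2;
}
```

Saving the profile text to a file and running the unmodified binary under sandbox-exec -f gives the same confinement without the source change, which is the difference between the two demos; because that profile is applied before the exec, it also has to allow process-exec of the binary and file-read* of the system libraries dyld loads.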

  32. Lion
    Apple are getting more behind the sandbox.
    It was a private interface till now.. now it's being used heavily..
    Apple has decreed that all applications submitted to the Mac App Store must be sandboxed, starting in November.
    (A submitted app needs to include an “entitlement” saying what functionality it needs.. (so a mail client can't spawn a shell))

  33. What about non-App-Store apps?
    The profiles are still confusing enough for folks to ignore them..
    so we are busy with..

  34. macArmor
    It's a super simple app (that right now is no better than a python script)
    (in fact it stayed as a python script in a homedir for about 2 years)

  35. Make building sandbox profiles trivial
    Make sharing sandbox profiles possible

  36. • Still not release-worthy
    • (will post to http://blog.thinkst.com R.S.N.)
    RSN == real soon now

  37. Questions?