
Mac OS Sandboxing


How to be a fanboy and still be secure


Jameel Haffejee

October 10, 2011


  1. Being a fanboy (and still being secure)

  2. About: Jameel • Researcher / Developer @ Thinkst • Built the InfoSec Conference App (http://cc.thinkst.com) • Built the Chrome GPG plugin (http://thinkst.com/tools/cr-gpg) • Built 2 of the bots in #zacon (fpm & kiba) • Built other stuff we don't talk about :>
  3. What is this talk about?

  4. Sandboxing. Wikipedia definition: “A security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users.”
  5. Why do we need it?

  6. <Conference_Attendee> I see you are running a Mac. What do you do to keep yourself safe?
  7. <haroon> I try to be nice to people, so that when I _do_ get owned, I don't look like such a douche!
  8. Hope is not a Strategy

  9. Alternatives?

  10. Fix All Bugs, Evar! Really smart guys have tried this and have thrown money and resources at the problem. Microsoft has invested a ton of time, money and research and still gets its code owned periodically. And even if you are the one programmer in the world whose code is 100% bug-free, you still have to run code written by other programmers. This is not going to be viable for a long time.
  11. Exploit Mitigations. Lots of talk these days about mitigations like DEP / ASLR / GS / SEHOP. They are excellent, and in some cases really make exploitation much harder, but they are mostly designed to stop generic exploitation (so they stop worms and commodity malware). They are bypassable by a sufficiently sophisticated attacker, and they do nothing to limit what a process may do once it has been exploited.
  12. Plan to Fail. This simply means that we expect that we will be compromised. We now work from that point and ask: how can we frustrate an attacker? How much can we limit him, so that we are either unattractive as a target, or he is slowed down enough for us to detect him?
  13. Other Sandboxes? Is this a new concept?

  14. Other guys doing it: • MSIE / Office Protected View (http://office.microsoft.com/en-us/excel-help/what-is-protected-view-HA010355931.aspx): “By using Protected View, you can read a file and inspect its contents while reducing the risks that can occur.” • Google Chrome: http://www.chromium.org/developers/design-documents/sandbox • Adobe Reader X: “Protected Mode is new functionality in Reader X that opens PDF files within an isolated, sandboxed instance of the application. It protects your computer and data from malicious code that might be contained in a PDF file. Protected Mode is enabled by default and lets you securely interact with a fully functional, robust PDF.”
  15. SELinux / AppArmor offer protection through fine-grained, kernel-enforced mandatory access control policies (Linux Security Modules) that restrict which files, sockets and capabilities each process may touch.
  16. The OS X Sandbox (see Seatbelt)

  17. “The Apple Sandbox”, Dionysus Blazakis (BHDC 2011). How it works: previously codenamed “Seatbelt”; for XNU systems, implemented as a TrustedBSD policy module; a runtime-configurable, per-process access control policy; used to contain App Store applications on iOS. Underneath, it uses a kernel extension (sandbox.kext) to enforce the sandbox profiles.
  18. Why is this cool? It's free. It's not a compile-time protection (so we can protect apps that were previously weak, without rebuilding them).
  19. [1] sandbox_init [2] sandbox-exec. We are going to look at the two ways of using this on the Mac.
  20. sandbox_init(3). The (3) refers to its man page section, i.e. man 3 sandbox_init (http://en.wikipedia.org/wiki/Man_page); section 3 means C library functions.
  21. Places the calling process in a sandbox. We see the prototype is simple: it takes a string naming the profile to be used (plus a flags argument and a pointer that receives an error message). What are these profiles?
  23. Also from the man page..

  25. Simple Demo. We have a simple .c program that calls two functions: readfile (which reads /etc/passwd) and writefile (which writes to hello.txt). (Alt-tab and show the functions.) Then compile and run.
  26. Simple Demo. We simply add one line. Alt-tab to compiletime2 (explain that we do some basic error handling on the sandbox_init return value) and show the difference. Important: summarise! Most people don't know what they just saw, so say it: just adding that one line prevented the app from reading or writing files.
  27. I thought this was a non-compile-time protection?

  28. SANDBOX-EXEC(1). man 1, meaning a userland command.

  29. SANDBOX-EXEC(1). This allows us to invoke the sandbox at runtime, around an existing binary, using a profile file.
  30. profile-file: simple to read and write, Scheme-like syntax. "app-armor": a simple utility to help make sandboxes happen.
  31. Simple Demo 2 • ./runtime1.sh • ./runtime2.sh • ./runtime3.sh
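The compile-time demo (slides 25-27) and the runtime profile (slides 29-31), as one added C program written for this page; it is not the talk's demo files, nor macArmor. It assumes the sandbox.h API as documented in sandbox_init(3): the built-in profile names kSBXProfileNoInternet, kSBXProfileNoNetwork, kSBXProfileNoWrite, kSBXProfileNoWriteExceptTemporary and kSBXProfilePureComputation, selected with the SANDBOX_NAMED flag. That sandbox_init with flags 0 accepts SBPL profile text instead of a name is taken from the Blazakis paper cited on slide 17 and is an assumption here, as are the SBPL operation names, which follow the profiles Apple ships in /usr/share/sandbox. The function names (read_file, write_file, sbpl_profile, enter_sandbox, probe, probe_in_sandbox), the file name hello.txt and the "named"/"custom" modes are the example's own.

```c
/* Added example (not code from the talk): the readfile/writefile demo with the
 * one sandbox_init(3) line added, plus a custom profile in the Scheme-like SBPL
 * syntax that sandbox-exec(1) reads from a .sb file.  Mac OS X only:
 *   cc -Wall -o sbdemo sbdemo.c && ./sbdemo named     (or: ./sbdemo custom)   */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sandbox.h>   /* sandbox_init, sandbox_free_error, kSBXProfile*, SANDBOX_NAMED */
#endif

/* Open a file for reading: 0 on success, -1 if refused.  The sandbox decides
 * at open(2) time, so the open alone tells us whether reading is allowed. */
int read_file(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Create (or truncate) a file for writing: 0 on success, -1 if refused. */
int write_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Custom SBPL profile: deny everything, then allow back one file for reading
 * (metadata so open(2) can stat it, data for the contents).  Operation names
 * are the ones Apple's own profiles in /usr/share/sandbox use (assumption). */
const char *sbpl_profile(const char *readable_path)
{
    static char buf[512];
    snprintf(buf, sizeof buf,
             "(version 1)\n(deny default)\n(allow file-read-metadata)\n"
             "(allow file-read-data (literal \"%s\"))\n", readable_path);
    return buf;
}

/* The one added line of the demo.  "named": built-in kSBXProfilePureComputation;
 * "custom": the SBPL text above passed with flags 0 (the man page documents only
 * SANDBOX_NAMED; flags 0 taking SBPL text is from Blazakis's paper).  0 = ok. */
int enter_sandbox(const char *mode)
{
#ifdef __APPLE__
    char *err = NULL;
    int rc = strcmp(mode, "named") == 0
           ? sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, &err)
           : sandbox_init(sbpl_profile("/etc/passwd"), 0, &err);
    if (rc == 0)
        return 0;
    fprintf(stderr, "sandbox_init(%s) failed: %s\n", mode, err ? err : "unknown error");
    if (err)
        sandbox_free_error(err);
    return -1;
#else
    fprintf(stderr, "sandbox_init(%s): only available on Mac OS X\n", mode);
    return -1;
#endif
}

/* Bit 0: /etc/passwd readable, bit 1: write_path writable. */
int probe(const char *write_path)
{
    return (read_file("/etc/passwd") == 0 ? 1 : 0) | (write_file(write_path) == 0 ? 2 : 0);
}

/* Run probe() in a child that sandboxes itself first and reports through its
 * exit status, so the unsandboxed parent can always print the result.  Returns
 * the probe bits, 0xff if the child could not enter the sandbox, -1 on error. */
int probe_in_sandbox(const char *mode, const char *write_path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(enter_sandbox(mode) == 0 ? probe(write_path) : 0xff);
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
static const char *verdict(int bits, int bit) { return bits & bit ? "ok" : "refused"; }

int main(int argc, char **argv)
{
    const char *mode = argc > 1 ? argv[1] : "named";
    int before = probe("hello.txt"), after = probe_in_sandbox(mode, "hello.txt");
    printf("before: read %s, write %s\n", verdict(before, 1), verdict(before, 2));
    if (after < 0 || after == 0xff)
        return 1;
    /* expected: named -> both refused; custom -> read ok, write refused */
    printf("inside %s sandbox: read %s, write %s\n", mode, verdict(after, 1), verdict(after, 2));
    return 0;
}
```

The text sbpl_profile() produces is what you would save as a .sb file and hand to sandbox-exec -f; a profile used that way must additionally allow the new process to be executed and let dyld read the binary and the system libraries (Apple's own profiles pull that in with (import "bsd.sb"), an assumption about the 10.6/10.7 layout). For the "no recompilation" point of slide 27, the built-in profiles are also reachable by name from the command line, e.g. sandbox-exec -n no-write touch hello.txt, which is refused with EPERM (Operation not permitted). Forking before sandbox_init keeps the report independent of whatever the profile allows on stdout, which is also the shape you want when testing a profile: the sandboxed child tries things, the unsandboxed parent records the verdicts.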

  32. Lion. Apple is getting more behind the sandbox. It was a private interface till now; now it's being used heavily. Apple has decreed that all applications submitted to the Mac App Store must be sandboxed, starting in November. (A submitted app needs to declare “entitlements” saying what functionality it needs, so a mail client can't spawn a shell.)
  33. What about non-App-Store apps? The profiles are still confusing enough for folks to ignore them, so we are busy with..
  34. macArmor. It's a super simple app (that right now is no better than a Python script). (In fact it stayed as a Python script in a home dir for about 2 years.)
  35. • Make building sandbox profiles trivial • Make sharing sandbox profiles possible

  36. Demo

  37. • Still not release-worthy • (will post to http://blog.thinkst.com R.S.N.) RSN == real soon now
  38. Questions?