Luke Deshotels
Razvan Deaconescu
William Enck
ABSTRACT
Recent literature on iOS security has focused on the malicious potential of third-party applications, demonstrating how developers can bypass application vetting and code-level protections. In addition to these protections, iOS uses a generic sandbox profile called "container" to confine malicious or exploited third-party applications. In this paper, we present the first systematic analysis of the iOS container sandbox profile. We propose the SandScout framework to extract, decompile, formally model, and analyze iOS sandbox profiles as logic-based programs. We use our Prolog-based queries to evaluate file-based security properties of the container sandbox profile for iOS 9.0.2 and discover seven classes of exploitable vulnerabilities. These attacks affect non-jailbroken devices running later versions of iOS. We are working with Apple to resolve these attacks, and we expect that SandScout will play a significant role in the development of sandbox profiles for future versions of iOS.
- AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device. http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/. Accessed: 2016-05-05.Google Scholar
- Antid0te 2.0 - aslr in ios. http://conference.hackinthebox.org/hitbsecconf2011ams/materials/D1T1%20-%20Stefan%20Esser%20-%20Antid0te%202.0%20-%20ASLR%20in%20iOS.pdf. Accessed: 2016-02--15.Google Scholar
- The apple sandbox. https://media.blackhat.com/bh-dc-11/Blazakis/BlackHat_DC_2011_Blazakis_Apple%20Sandbox-Slides.pdf. Accessed: 2016-02--15.Google Scholar
- Download. https://developer.apple.com//ios/download/. Accessed: 2016-04--20.Google Scholar
- dsc\_extractor.cpp. https://opensource.apple.com/source/dyld/dyld-195.6/launch-cache/dsc\_extractor.cpp. Accessed: 2016-05--19.Google Scholar
- Firmware Keys. https://www.theiphonewiki.com/wiki/Firmware_Keys. Accessed: 2016-04--19.Google Scholar
- iTunes Preview. https://itunes.apple.com/us/genre/ios/id36?mt=8. Accessed: 2016-05-04.Google Scholar
- Joker. http://newosxbook.com/tools/joker.html. Accessed: 2016-05--19.Google Scholar
- Lekensteyn/dmg2img. https://github.com/Lekensteyn/dmg2img. Accessed: 2016-05--19.Google Scholar
- lzssdec.cpp. http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/lzssdec.cpp. Accessed: 2016-05--19.Google Scholar
- Multiple iOS apps found to be harvesting Snapchat user credentials. http://9to5mac.com/2016/03/08/ios-apps-snapchat-harvest-credentials/. Accessed: 2016-05-05.Google Scholar
- Package "regex". http://www.swi-prolog.org/pack/list?p=regex. Accessed: 2016-05--19.Google Scholar
- Pirated App Store client for iOS found on Apple's App Store. https://www.helpnetsecurity.com/2016/02/22/pirated-app-store-client-ios-found-apples-app-store/. Accessed: 2016-05-05.Google Scholar
- PLY (Python Lex-Yacc). http://www.dabeaz.com/ply/. Accessed: 2016-05--17.Google Scholar
- Smart phones overtake client PCs in 2011. http://www.canalys.com/newsroom/smart-phones-overtake-client-pcs-2011. Accessed: 2016-05--18.Google Scholar
- Smartphone OS Market Share, 2015 Q2. http://www.idc.com/prodserv/smartphone-os-market-share.jsp. Accessed: 2016-05--18.Google Scholar
- SWI Prolog. http://www.swi-prolog.org/. Accessed: 2016-05--19.Google Scholar
- Trustedbsd mandatory access control (mac) framework. http://www.trustedbsd.org/mac.html. Accessed: 2015--11-06.Google Scholar
- VFDecrypt. https://www.theiphonewiki.com/wiki/VFDecrypt. Accessed: 2016-05--19.Google Scholar
- M. Alam, J.-P. Seifert, Q. Li, and X. Zhang. Usage control platformization via trustworthy selinux. In Proceedings of the 2008 ACM symposium on Information, computer and communications security, pages 245--248. ACM, 2008. Google ScholarDigital Library
- D. Blazakis. The apple sandbox. Arlington, VA, January, 2011.Google Scholar
- M. Bucicoiu, L. Davi, R. Deaconescu, and A.-R. Sadeghi. Xios: Extended application sandboxing on ios. In ACM Symposium on Information, Computer and Communications Security, ASIACCS '15, 2015. Google ScholarDigital Library
- S. Byford. Apple removes malware-infected App Store apps after major security breach. The Verge, Sept. 15. http://www.theverge.com/2015/9/20/9362585/xcodeghost-malware-app-store-security.Google Scholar
- H. Chen, N. Li, and Z. Mao. Analyzing and comparing the protection quality of security enhanced operating systems. In NDSS, pages 11--16, 2009.Google Scholar
- D. A. Dai~Zovi. Apple ios 4 security evaluation. Black Hat USA, 2011.Google Scholar
- L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. Mocfi: A framework to mitigate control-flow attacks on smartphones. In NDSS, 2012.Google Scholar
- R. Deaconescu, L. Deshotels, M. Bucicoiu, W. Enck, L. Davi, and A.-R. Sadeghi. Sandblaster: Reversing the apple sandbox. Technical Report arXiv:1608.04303, Aug 2016.Google Scholar
- Z. Deng, B. Saltaformaggio, X. Zhang, and D. Xu. iris: Vetting private api abuse in ios applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 44--56. ACM, 2015. Google ScholarDigital Library
- M. Egele, C. Kruegel, E. Kirda, and G. Vigna. Pios: Detecting privacy leaks in ios applications. In NDSS, 2011.Google Scholar
- W. Enck, M. Ongtang, and P. McDaniel. Mitigating Android Software Misuse Before It Happens. Technical Report NAS-TR-0094--2008, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA, USA, Sep 2008.Google Scholar
- S. Esser. ios8 containers, sandboxes and entitlements. http://www.slideshare.net/i0n1c/ruxcon-2014-stefan-esser-ios8-containers-sandboxes-and-entitlements. Accessed: 2015--11--6.Google Scholar
- fG! Apple's sandbox guide v 1.0. http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf. Accessed: 2015-02-04.Google Scholar
- J. Han, S. M. Kywe, Q. Yan, F. Bao, R. Deng, D. Gao, Y. Li, and J. Zhou. Launching generic attacks on ios with approved third-party applications. In Applied Cryptography and Network Security, pages 272--289. Springer, 2013. Google ScholarDigital Library
- J. Han, S. M. Kywe, Q. Yan, F. Bao, R. Deng, D. Gao, Y. Li, and J. Zhou. Launching generic attacks on iOS with approved third-party applications. In Applied Cryptography and Network Security, ACNS '13, 2013. Google ScholarDigital Library
- J. Han, Q. Yan, D. Gao, J. Zhou, and R. Deng. Comparing mobile privacy protection through cross-platform applications. 2013.Google Scholar
- B. Hicks, S. Rueda, L. S. Clair, T. Jaeger, and P. McDaniel. A Logical Specification and Analysis for SELinux MLS Policy. ACM Transaction on Information and System Security, 13(3), 2010. Google ScholarDigital Library
- B. Hicks, S. Rueda, L. St~Clair, T. Jaeger, and P. McDaniel. A logical specification and analysis for selinux mls policy. ACM Transactions on Information and System Security (TISSEC), 13(3):26, 2010. Google ScholarDigital Library
- V. Iozzo. A sandbox odyssey. https://prezi.com/lxljhvzem6js/a-sandbox-odyssey-infiltrate-2012/. Accessed: 2015--11--7.Google Scholar
- T. Jaeger, R. Sailer, and X. Zhang. Analyzing integrity protection in the selinux example policy. In Proceedings of the 12th conference on USENIX Security Symposium-Volume 12, pages 5--5. USENIX Association, 2003. Google ScholarDigital Library
- A. Kurtz, H. Gascon, T. Becker, K. Rieck, and F. Freiling. Fingerprinting mobile devices using personalized configurations. Proceedings on Privacy Enhancing Technologies, 2016(1):4--19, 2016.Google ScholarCross Ref
- M. Kydyraliev. Mining mach services within os x sandbox. http://2013.zeronights.org/includes/docs/Meder_Kydyraliev_-_Mining_Mach_Services_within_OS_X_Sandbox.pdf. Accessed: 2015--11--6.Google Scholar
- C. Miller, D. Blazakis, D. DaiZovi, S. Esser, V. Iozzo, and R.-P. Weinmann. iOS Hacker's Handbook. John Wiley & Sons, 2012. Google ScholarDigital Library
- S. Rueda, D. H. King, and T. Jaeger. Verifying Compliance of Trusted Programs. In Proceedings of the USENIX Security Symposium, 2008. Google ScholarDigital Library
- A. Sasturkar, P. Yang, S. D. Stoller, and C. Ramakrishnan. Policy analysis for administrative role based access control. In Computer Security Foundations Workshop, 2006. 19th IEEE, pages 13--pp. IEEE, 2006. Google ScholarDigital Library
- A. Voida, R. E. Grinter, N. Ducheneaut, W. K. Edwards, and M. W. Newman. Listening in: practices surrounding itunes music sharing. In Proceedings of the SIGCHI conference on Human factors in computing systems, pages 191--200. ACM, 2005. Google ScholarDigital Library
- R. Wang, W. Enck, D. Reeves, X. Zhang, P. Ning, D. Xu, W. Zhou, and A. M. Azab. Easeandroid: Automatic policy analysis and refinement for security enhanced android via large-scale semi-supervised learning. In 24th USENIX Security Symposium (USENIX Security 15), pages 351--366, 2015. Google ScholarDigital Library
- T. Wang, Y. Jang, Y. Chen, S. Chung, B. Lau, and W. Lee. On the feasibility of large-scale infections of ios devices. In 23rd USENIX Security Symposium (USENIX Security 14), pages 79--93, 2014. Google ScholarDigital Library
- T. Wang, K. Lu, L. Lu, S. Chung, and W. Lee. Jekyll on ios: When benign apps become evil. In Usenix Security, volume~13, 2013. Google ScholarDigital Library
- R. N. M. Watson. TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In Proceedings of the USENIX Annual Technical Conference, FREENIX Track, 2001. Google ScholarDigital Library
- T. Werthmann, R. Hund, L. Davi, A.-R. Sadeghi, and T. Holz. Psios: bring your own privacy & security to ios devices. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 13--24. ACM, 2013. Google ScholarDigital Library
- C. Xiao. Yispecter. http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/. Accessed: 2015--10--21.Google Scholar
- L. Xing, X. Bai, T. Li, X. Wang, K. Chen, X. Liao, S.-M. Hu, and X. Han. Cracking app isolation on apple: Unauthorized cross-app resource access on mac os. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 31--43. ACM, 2015. Google ScholarDigital Library
- G. Zanin and L. V. Mancini. Towards a formal model for security policies specification and validation in the selinux system. In Proceedings of the ninth ACM symposium on Access control models and technologies, pages 136--145. ACM, 2004. Google ScholarDigital Library
Index Terms
- SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles
Recommendations
Mobile Attacks and Defense
Smartphones' features are great, but with the power they provide, there's also a threat. Smartphones are becoming a target of attackers in the same way PCs have been for many years. This article examines the security models of two popular smart phone ...
A First Look at On-device Models in iOS Apps
Powered by the rising popularity of deep learning techniques on smartphones, on-device deep learning models are being used in vital fields such as finance, social media, and driving assistance. Because of the transparency of the Android platform and the ...
A Large-Scale Study of iPhone App Launch Behaviour
CHI '18: Proceedings of the 2018 CHI Conference on Human Factors in Computing SystemsThere have been many large-scale investigations of users' mobile app launch behaviour, but all have been conducted on Android, even though recent reports suggest iPhones account for a third of all smartphones in use. We report on the first large-scale ...
Comments