深入解析MacOS和iOS 卷三 笔记

MacOS and iOS Internals, Volume III : Security & Insecurity.md

Part I: Defensive Techniques and Technologie

1. Authentication

It’s important to emphasize - at the lowest level of the kernel - UNIX only sees
user ids and group, not names. The name “root” is meaningless - it is the uid of 0 which
is all powerful.

Password Files (*OS)

/etc/master.passwd

SetUID and SetGID (MacOS)

Darwin has steadily been reducing its setuid/setgid club membership. With the move to
opendirectory, passwd(1) could be made a standard binary again. Other binaries likewise
benefitted from the move to XPC and (as discussed later in this book) entitlements.

# The list of setuid root programs on MacOS
find / -user root -perm -4000 2> /dev/null

The Pluggable Authentication Module (MacOS)

The Pluggable Authentication Module (PAM) is a standard UNIX library which aims to
abstract and modularize the UNIX authentication APIs.
logging, auditing, or poliy enforcers.
Most importantly, PAM decouples portions of the authentication logic from the processes
themselves, enabling external configuration through files.

• Function classes
  auth/account/session/password
• Control flags
  requisite/required/sufficient/binding/optional
  /etc/pam.d/su

opendirectoryd (MacOS)

[/Library/Preferences/OpenDirectory]
[/System/Library/OpenDirectory/Modules/]
Module exist for ActiveDirectory and NetLogon (Windows) integration
Kerberosv5 (RFC1510), FDESupport, keychain integration, ConfigurationProfiles (MCX) and more.
[/var/log/opendirectoryd.log]

odutil set log

• Maintaining permissons
  [/System/Library/OpenDirectory/permissions.plist]
• The data stores
  [/System/Library/OpenDirectory/Configurations/Local.plist]

  defaults read /System/Library/OpenDirectory/Configurations/Local.plist modules

  /var/db/dslocal/nodes/Default

  sudo defaults read /var/db/dslocal/nodes/Default/users/root.plist

  Directory Utility.app -> Directory Editor
  dscl(1)

  dscl . -list Users
  dscl . -read /Users/root
  dscl . -read /Users/`whoami` Password
  sudo dscl . -read /Users/`whoami` ShadowHashData

• Communicating with clients
  finger /var/utmpx
  ports

• com.apple.system.opendirectoryd.libinfo
• com.apple.system.opendirectoryd.membership
• com.apple.system.opendirectoryd.api
  odutil
• com.apple.system.opendirectoryd.rpc

The LocalAuthentication Framework

• coreauthd
  In iOS the daemon is started as a LaunchDaemon, but in MacOS an additional instance is started
  as a LaunchAgent, as well.
• XPC protocol
  com.apple.CoreAuthentication.[daemon/agent]
• Entitlements

Apple IDs

• AppleIDAuthAgent
  /System/Library/CoreServices

External Account

Accounts.framework
accountsd

• External Providers
  [/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist] (MacOS)

2. Auditing (MacOS)

Design

• A little history
• Auditing Concepts (a refresher)

  ls /etc/security
  sudo ls /var/audit

  /dev/auditpipe
  The device node intentionally desugbed to be clonebale, in order to allow multiple consumers
  to work concurrently and get events.
  praudit/auditreduce

Audit Sessions

Implementation

AUDIT_MACH_SYSCALL_ENTER
[bsd/security/audit/audit.h]
audit_syscall_entry()
[bsd/security/audit/audit_worker.c]
audit_worker_cv/audit_commit

• auditd
  [/usr/sbin/auditd]
  com.apple.auditd.plist
  HOST_AUDIT_CONTROL_PORT
  audit_send_trigger() [bsd/security/audit/audit_bsd.c]
  <mach/audit_triggers.defs>

System call interface

• audit (#350)
  [bsd/security/audit/audit_syscalls.c]
• auditon (#351)
  The auditon(2) syscall provides a way to configure various audit parameters from userspace.
• [get/set]auid (#353, #354)
• [get/set]audit_addr (#357, #358)
• auditctl (#359)

OpenBSM APIs

• Querying the policy
• Reading Audit Records
  Audit consumers may tap audit records by enumerating and reading from the audit files
  in /var/audit, or the “live stream” of /dev/auditpipe.
  au_read_rec(3)/au_fetch_tok(3)
  struct tokenstr [<bsm/libbsm.h>]
  au_print_tok(3)/au_print_flags_tok(3) AU_OFLAG_[RAW/SHORT/XML]
• Writinng Audit Records

Auditing Considerations

The main drawback to keep in mind, however, is that auditing reports events post factum.

3. Authorization (KAuth)

MacOS 10.4 (Tiger)

Design

kauth_authorize_action()/kauth_cred_get()

Implementation

[bsd/kern/kauth_authorization.c]
kauth_register_scope()

• KAUTH_SCOPE_GENERIC com.apple.kauth.generic
  kauth_cred_getuid()
• KAUTH_SCOPE_PROCESS com.apple.kauth.process
  KAUTH_PROCESS_CANTRACE/KAUTH_PROCES_CANSIGNAL
  ptrace (PT_ATTACH) -> task port
• KAUTH_SCOPE_FILEOP
• KAUTH_SCOPE_VNODE com.apple.kauth.vnode
  vnode_authorize()

• Authorizing vnode operations

KAuth Credentials

KAuth Identity Resolvers (MacOS)

identitysvc() (#293)

procexp opendirectoryd threads

Debugging KAuth

KAUTH_DEBUG

3. Mandatory Access Control Framework

Background

FreeBSD 6.0

• Nomenclature
  MAC is enforced by the Administrator (or, at times, the operating system itself), and user are
  constrained by it. Only the Administrator (and, in *OS, not even the Administrator - only
  Apple itself) can override or toggle the MAC settings.
  A key conecpt in MAC is that of labels.
  struct label [security/_label.h]
  cr_label field of KAuth’s struct ucred
• MACFramework.kext
  com.apple.kpi.dsep
  /System/Library/Extensions/System.kext/Plugins/MACFramework.kext

  kextstat | grep -B1 dsep

MACF Policies

mac_policy_conf/mac_policy_register
The heart of the policy is in two fields: the mpc_ops, specifying the operations the policy
wished to filter, and mpc_labelnames, which are the label namespace to which the policy applies.
struct mac_policy_ops [security/mac_policy.h]

Setting up MACF

mac_policy_init()

MACF Callouts

[bsd/kern/kern_mman.c]

sysctl security.mac | grep enforc

• expos_task (MacOS 10.11)
• priv_check
  [bsd/sys/priv.h]

MACF System Calls

<security/mac.h>
__mac_syscall
The Sanbox.kext makes heavy use of this, as described later in Chaper 8.

Final Notes

Unfortunately, if you have any plans of getting Apple’s blessing - forget about using this.

5. Code Signing

The Code Signature Format

• LC_CODE_SIGNATURE and the SuperBlob
  [bsd/sys/codesign.h]
• The Code Directory Blob
  [osfmk/kern/cs_blobs.h]
• Code Page Slots

  codesign -d -vvvvvv /bin/ls

• Special Slots
• Ad-Hoc Signatures
• Code Signing Flags

Code Signature Requiements

• The Requirements Grammer
• Encoding requirements
  The SecReuirementCreateWithString[AndErrors] functions are the “compiler”, and the “decompiler”
  is SecRequirementsCopyString.

  codesign -dr- /Applications/Xcode.app/Contents/MacOS/Xcode
  codesign -dr- /Applications/wpsoffice.app/Contents/MacOS/wpsoffice
  codesign -d /Applications/wpsoffice.app/Contents/MacOS/wpsoffice
  man csreq

• Requirement validation
  Apple’s PKI page

Entitlements

Code signatures may optionallu contain an entitlement blob.
The entitlement blob is, in effect, nothing more than a property list in XML form.

Code Signature Enforcement

kernel mode
load_code_signature()
mac_vnode_check_signature

• Exceptions

• JIT CONFIG_DYNAMIC_CODE_SIGNING
• Resilient Code Signing

• Debugging
• Code Signing Weaknesses

• Jekyll Apps
• Bait-and-Switch inode reuse (< iOS 9)
• Locked memory
• Lack of validation on __DATA sections and writable memory
• Exploiting kernel bugs

• The struct cs_blob
  csb_entitelments*

Code Signing APIs

• System Calls
  fnctl -> F_ADDSIGS, F_FINDSIGS and F_ADD_FILEISGS[_RETURN]
• Framework-Level Wrappers
  Security.framework
  sysctl vm.cs_*

  sysctl vm. | grep cs_

• DTrace probes (MacOS)
  csops[_audittoken]

6. Software Restrictions (MacOS)

Authorizations

Rather than being defined at the object level, authorizationas are associated with particular
actions, which are generally sensitive.

• The authorization database
  /var/db/auth.db
  /System/Library/Security/authorization.plist
  rules defined in Security’s [libsecurity_authorization/lib/AuthorizationTagsPriv.h]
  allow-root/timeout/shared/requirement/comment/class

  # Dumping the authorization rules
  sudo sqlite3 /var/db/auth.db "select name, comment from rules"
  # Listing a particular authorization
  security authorizationdb read com.apple.activitymonitor.kill | plutil -p -
  # Viewing ActivityMonitor's entitlements
  codesign --display --entitlements - /System/Applications/Utilities/Activity\ Monitor.app/Contents/MacOS/Activity\ Monitor 
  codesign --display --entitlements - --xml /System/Applications/Utilities/Activity\ Monitor.app/Contents/MacOS/Activity\ Monitor | plutil -p -

authd

• Protocol
  /System/Library/LaunchDaemons/com.apple.security.authtrampoline.plist

  plutil -p /System/Library/LaunchDaemons/com.apple.*.plist
  plutil -p /System/Library/LaunchDaemons/com.apple.security.authtrampoline.plist

  Elevating privileges requires security to fork(2) and exec(2) /usr/libexec/security_authtrampoline.

  sudo sqlite3 /var/db/auth.db .dump | grep system.privilege.admin

GateKeeper (MacOS)

MacOS 10.7.5

• Precursor: Quarantine
  com.apple.quarentine -> LaunchServices.framework’s LSQuarentine.h
  Quarantine.kext
• libquarantine
  /usr/lib/system/libquarantine.dylib
• Quarantine.kext
  com.apple.security.quarantine
  as a MACF kext
  /System/Library/Extensions/Quarantine.kext/Contents/MacOS/Quarantine
• User mode interface

• quarantine mount option
• sysctl MIBs

Quarantine in action

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 .dump

• CoreServicesUIAgent
  /System/Library/CoreServices/CoreServicesUIAgent.app
  -> com.apple.coreservices.quarantine-resolve XPC servive
  in the com.apple.coreservices.uiagent.plist

  plutil -p /System/Library/LaunchAgents/com.apple.coreservices.uiagent.plist

  Xprotectframework.framework
  XProtect.plist
  Xprotect.yara -> VirusTotal’s yara
  XprotectService -> com.apple.XprotectFramework.AnalysisService

syspolicyd

/var/db/SystemPolicy

sudo sqlite3 /var/db/SystemPolicy .dump

[OSX/libsecurity_codesigning/lib/policydb.cpp]
[OSX/libsecurity_codesigning/lib/syspolicy.sql]

sudo sqlite3 /var/db/SystemPolicy "select id, label from authority where disabled=1"

• MacOS 13: Secure Kernel Extension Loading
  /var/db/SystemPolicyConfiguration
  Default.plist/migration.plist/KextPolicy

  sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy ".headers on" "select * from kext_policy"
  sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy .dump

• XPC protocol
  NSXPC -> com.apple.security.syspolicy.kext
  private SystemPolicy.framework (MacOS 13)
• spctl(8)
  One of the mose useful options of spctl(8), –list, is actually undocumented.
  The spctl(8) utility is nothing more than a command line front-end to an XPC client,
  which connects to syspolicyd(8) for purposes of querying the policy database.
  spctl -a -t exec -vv binary

  spctl -a -t exec -vv /System/Applications/Calculator.app
  spctl -a -t exec -vv /Applications/wpsoffice.app

App Translocation

offically called “Gatekeeper Path Randimization” by Apple
App translocation depends on the com.apple.quarantine extend attribute, so if the attribute
is manually removed, or the Application is moved using Finder, it is no longer translocated.

• Test Translocation

Managed Clients (MacOS)

like Windows with its Group Policy Objects (GPO)
/var/db/ConfigurationProfiles -> profiles(1)

• parentalcontrolsd
• mdmclient
  /usr/libexec/mdmclient
  private ConfigurationProfiles.framework
• Startup

• As a LaunchDaemon
• As a LaunchAgent

• Arguments
• Entitlements
• ManagedClient
• ManagedClientAgent
  ManagedClient.framework
  /usr/libexec/mcxalr
  mcxalr.kext

  sysctl -a | grep mcx

  Plugins
  [/System/Library/CoreServices/SecurityAgentPlugins/MCXMechanism.bundle]
  [/System/Library/DirectoryServices/dscl/mcxcl.dsclext]

7. AppleMobileFileIntegrity

AppleMobileFileIntegrity.kext

/usr/libexec/amfid
Though AMFI’s inclusion was puzzling at first, the reasoning for it became painfully apparent
with the advent of System Integrity Protection (SIP), in 10.11

• Initialization
  AMFI is a MACF policy kext
• boot-args

The MACF Policy

• proc_check_cpumon (*OS)
• proc_check_inherit_ipc_ports
• proc_check_get_task
• proc_check_map_anon (*OS)
  In cases where MAP_JIT is indicated, therefore, AMFI checks for the dynamic-codesigning
  entitlement.
• file_check_mmap
• proc_check_library_validation
• proc_check_mprotect (*OS)
• proc_check_run_cs_invalid (*OS)
• vnode_check_exec (*OS)
• vnode_check_signature
  loadEntitlementsFromVnode

  nm /System/Library/Extensions/AppleMobileFileIntegrity.kext/Contents/MacOS/AppleMobileFileIntegrity

• cred_label_update_execve

Exception Handling hooks (MacOS 12+)

nm /System/Library/Extensions/AppleMobileFileIntegrity.kext/Contents/MacOS/AppleMobileFileIntegrity -Cj | grep amfi_exc | sort -u

Debugging is enabled under any of the follow conditions

• The target process is unsigned
• System Integrity Protection (SIP) is disabled
• The victim process possesses the get_task_allow entitlement
• The victim process is not marked restricted
• The handling process is entitled with com.apple.private.amfi.can-set-execption-ports

• Kernel APIs

amfid

• Daemon-Kext communication
  HOST_AMFID_PORT -> mach_host_special_port_description
• MIG subsystem 1000
• 1000: verify_code_directory
  MacOS 10.12 /usr/lib/libdz.dylib

  nm /usr/lib/libdz.dylib -UCgj

  dz_check_policy_exec
• 1001: permit_unrestricted_debugging (*OS)
• 1001/1002: check_lv_denial (MacOS)
• 1003: check_platform_identifiler_mismatch_override (MacOS 12 only)
• 1004: check_broken_signature_with_teamid_fatal (MacOS 12+)
• 1005: device_lock_state (*OS 10 only)

Provisoning Profiles

• A certificate, signing the developer’s public key
• Restrictive entitlements

  # Dumping a sample embedded.mobileprovision
  openssl asn1parse -inform der -in embedded.mobileprovision

• libmis.dylib
  /usr/lib/libmis.dylib
  In MacOS, libmis is statically compiled into Apple’s private MobileDevice.framework, and
  signature validation is provided directly by the Security.framework.
• misagent
  /usr/libexec/misagent
• Protocol
  com.apple.misagent
• online-auth-agent

The AMFI Trust Caches

The AMFI User Client

Final Notes

8. The Sandbox

The Evolution of the Sandbox

Apple’s Sandbox was introduced as “SeatBelt” in MacOS 10.5 (“Leopard”) along side the MAC
framework, and provided the first full fledged implementation of a MACF policy.

App Sandbox (MacOS)

The AppSandbox is supported by the AppSandbox private framework, which itself relies on the
private AppContainer.framework.
/usr/libexec/AppSandbox

• (semi)-Voluntary confinement
  Sandboxing is enabled by the com.apple.security.app-sandbox entitlement, embedded in
  the code signature by Apple.
  libsystem_secinit -> /usr/libexec/secinitd
• Diagnosing and controlling the App Sandbox

Mobile Containers (*OS)

Sandbox Profiles

Apple’s Sandbox is dynamic, in that it can generate and apply sandbox restrictions on the fly.

• Sandbox profile language
  The sandbox profile language (SBPL) is a derivative of Scheme (which is itself a dialect of Lisp).
  /usr/lib/sandbox.dylib is staticlly compiled with TinySCHEME (apparently version 1.38 or higher).
  /System/Library/Sandbox/Profiles
  /Library/Sandbox/Profiles
  sandbox-exec -t trace_file -p “(version 1)” /bin/ls
• Sandbox operations
• Compiling profiles

  # Compiling and dumping a profile using the open source sandbox-exec

• Extensions

User mode APIs

• sandbox_check
• sandbox_[un]suspend
• sandbox tracing (460+)
  sandbox_set_trace_path()
  sandbox_vtrace_enable/sandbox_vtrace_report
• Inspection (460+)
  sandbox_inspect_pid
• User state items (570+)

mac_syscall

__sandbox_ms

Sandbox.kext

• Flow
  platform_start/amfi_register_mac_policy/mac_policy_register
• hook_policy_init
• hook_policy_initbsd
• hook_policy_syscall

The Sandbox MACF Hooks

cred_sb_evaluate

• Handling process execution
  cred_set_sandbox

Profile Evaluation

sandboxed (MacOS)

/usr/libexec/sandboxed
/System/Library/LaunchDaemons/com.apple.sandboxd.plist
HOST_SEATBELT_PORT

• Daemon-Kext communication

9. MacOS System Integrity Protection (SIP)

MacOS 10.11
The term “rootless”, therefore, likely means that root, while it still exists, can do less.
Internally, you can find many references to CSR, an acronym which stands for
Configurable Software Restrictions.

Design

The “restricted” objects, however, now get a level of protection which shields them even from root -
as files, they cannot be modified or removed. As processes, they cannot be debugged or tampered with.

launchctl hostinfo | grep allows

Implementation

Internally, the implementation of SIP boils down to a sandbox profile. This profile - appropriately
called the platform_profile - is effectively the default profile for nearly all applications in the
system. Even when applications are reportedly unsandboxed, this profile holds (with few execptions).
/usr/libexec/rootless-init
/System/Library/Sandbox/rootless.conf

• Filesystem protections

• The restricted flag
• The com.apple.rootless extended attribute

• Debugging protections
  task_for_pid/check_debug
• Protecting launchd services
• Entitlements
• Enablement/Disablement
  The solution here is to use the recovery operating system. The recovery operating system boots from
  a separate partion, and there is no programmatic way to force boot into it.

  codesign -d --entitlements - --xml /usr/bin/csrutil | plutil -p -

  The csrutil also possesses the special com.apple.private.iokit.nvram-csr entitlement.

APIs

csrctl (#483) [bsd/kern/kern_csr.c]
rootless_* APIs -> libsystem_sandbox.dylib

10. Privacy

Transparency, Consent and Control

• The TCC daemons(s)
  Apply employs a dedicated daemon - tccd - to handle potentially sensitive operations.
  MacOS is a multi-user system, so usually you can find tccd runs in 2+ instances, one for each logged
  on user, and another as uid 0, with an argument of “system”. The per-user instances are started from
  /System/Library/LaunchAgents, and the system-wide from /System/Library/LaunchDaemons.
• Protected Information
  kTCCService
• The TCC Database(s)
  [$HOME/Library/Application Support/com.apple.TCC/tcc.db]
  [/Library/Application Support/com.apple.TCC/tcc.db]
• Prompting for access
  On MacOS, this is done by posting a Mach message to the com.apple.notificationcenterui,
  which eventually brings up the UserNotificationCenter.app (in /System/Library/CoreServices).
• XPC API
  The MacOS daemons register the com.apple.tccd and com.apple.tccd.system Mach XPC ports (respectively),
  over which they provide service to clients.
• TCCAccess APIs
  private TCC.framework
  Apple provides a vert basic tccutil(1) as part of MacOS, which is even documented in its own manual page,
  but only supports a “reset” functionality.
• Entitlements
• Debugging Options
  /var/db/.debug_tccdsync

Unique Device Identifiers

Differential Privacy (MacOS 12/iOS 10)

• Implementation
  private DifferentialPrivacy.framework
  /usr/libexec/dprivacyd
  Surprisingly, the framework also contains a hidden dprivacytool(!).
  The daemon registers the com.apple.dprivacyd XPC service, and maintains a database at
  /var/db/DifferentialPrivacy/.

11. Data Protection

For MacOS, Apple provides FileVault 2 as of 10.7, as a “Full Disk Encryption” (FPD) solution.
More accurately, this is a special case of Volume-Level Encryption, which enables booting the
system and provides access to data only when an authorized user’s password is validated. For iOS,
granularity is even finder, through the use of File-Level Encryption.

Volume-level Encryption (MacOS)

FileVault fdesetup(8)

sudo fdesetup list
diskutil list
diskutil corestorage list

• Mounting Encrypted Volumes
  When an encrypted volume is detected, the system brings up a prompt for the password via the
  SecurityAgent using its DiskUnlock.bundle.
• corestorage daemons
  corestoraged
  /usr/libexec/corestoreaged -> com.apple.corestoreage.corestoraged
  FDERecoveryAgent
  corestoragehelperd
• CSFDE* APIs
  libCoreStorage.dylib and libcsfde.dylib

File-level Encryption (*OS)

• com.apple.system.cprotect and protection classes
  [bsd/hfs/hfs_cprotect.h]
• Effaceable Storage
• Device Lock/Unlock

mobile_obliterator

KeyBags

• KeyBagd
  The /usr/libexec/keybagd is a *OS daemon which handles the keystore on the device.
• MobileKeyBag.framework

The AppleKeyStore.kext

• Entitlements
• Hardware backing

Keychains

• System Keychain

  ls -l /Library/Keychains
  ls -l /System/Library/Keychains

• The Login keychain

  ls -l ~/Library/Keychains/ | head -n4
  ls -l ~/Library/Keychains/6E002C5E-E99D-5CD3-9532-BEEB74F3E778

• The iOS Keychain

  ls -F /private/var/Keychains

• Programmatic API
  [Security/SecKeyChain.h]
  /usr/libexec/securityd
  [OSX/sec/ipc/securityd_client.h]
• KeyChain structure
  [OSX/sec/Security/SecItemConstants.c]
  [OSX/libsecurity_keychain/lib/SecItemPriv.h]

Final Notes

Part II: Vulnerabilities and Exploitation

12. MacOS Vulnerabilities

OSX

10.1 The ntpd remote root (CVE-2014-9295)

10.2 The rootpipe privilege escalation (CVE-2015-1130)

10.3 Racing Kextd (CVE-2015-3708)

10.4 DYLD_PRINT_TO_FILE privilege escalation (CVE-2015-3760)

10.5 DYLD_ROOT_PATH privilege escalation

11.0 tpwn privilege escalation and/or SIP neuering

11.3 “Mach Race” local priilege escalaion (CVE-2016-1757)

11.4 LokiHardt’s Trifecta (CVE-2016-1796, 1797, 1806)

13. Jailbreaking

Mythbusting

• Terminology

The jailbreaking process

Kernel Patches

setreuid

Kernel Patch Protection

Evolution of iOS Jailbreaks

14. Evasi0n

The Loader

…….

Appendix: MacOS Hardening Guide

Patching, Patching and Patching

Logging and Auditing

• syslog/acl
• log (MacOS 12)
• Enabling Auditing

User-level Security

• Login banner
• Password Hints
• Login/Logout hooks
• Password Policies
• Screen Saver locking
• disable su
• Harden sudo