CWTV

Escape the macOS sandbox and TCC

Chaos-West TV
"SomeApp would like to access files in your Documents folder." Anyone who has used macOS recently will be familiar with these prompts. But how do they work? What happens if you deny the access? Are they an effective defense against malware?
Sandboxing on macOS was introduced 13 years ago, but Apple didn't leave it at that. Starting with the release of macOS Catalina in 2019, even non-sandboxed apps need to deal with sandbox-like restrictions for files: all apps now need to ask permission to access sensitive locations, like the user's Documents or Desktop folder. Features such as the camera and geolocation already required user approval via a permission prompt. This system of user-controlled permissions is known as Transparency, Consent, and Control (TCC).

Any new security measure like this also introduces new security boundaries, and with them new classes of vulnerabilities. Many parts of the system have to be re-examined to check for them. For example, apps can now try to attack other apps in order to "steal" the permissions the user granted to those apps. Apple has taken steps to let apps defend themselves against this, such as the hardened runtime. Ultimately, however, it is up to the developer of an app to safeguard its permissions. Many developers are not aware of this new responsibility or do not take it seriously, and developers used to the security model of Windows or Linux often do not know that these boundaries even exist. To make matters worse, Apple's documentation and APIs for these features are not as clear and easy to use as they should be.

This talk will start with an overview of the local security restrictions that apps on macOS need to deal with. Then it will cover some ways these protections might be bypassed in third-party applications. Finally, we will show some vulnerabilities we found in software that allowed escaping the macOS sandbox, stealing TCC permissions and privilege escalation, such as CVE-2020-10009 and CVE-2020-24428.

Additional information

Type: Talk
Language: English

More sessions

12/27/20
CWTV
Lars Roemheld
Chaos-West TV
The Corona-Warn-App (CWA) embodies a novelty of (reasonably) agile government action in the field of software. How did it come about? This talk tells the story of its creation from an insider's perspective.
12/27/20
CWTV
DysphoricUnicorn
Chaos-West TV
A quick dive into best practices including but not limited to semantic HTML and aria attributes and how they can make your website usable by a wider audience with relatively low effort.
12/27/20
CWTV
Hendrik Heuer
Chaos-West TV
This talk explains why audits are a useful method to ensure that machine learning systems operate in the interest of the public. Scripts to perform such audits are released and explained to empower civic hackers.
12/27/20
CWTV
Jolly
Chaos-West TV
What was the C-Netz? What is a C-Netz base station? What is the Funkvermittlungsstelle (the network's mobile switching center)? How do you use it to bring the base station back to life?
12/27/20
CWTV
betalars
Chaos-West TV
Good representation of autism in the media is important, but also difficult. In this talk we want to look at how autistic people are portrayed in the media and what we ourselves can learn about empathy from bad examples.
12/27/20
CWTV
Chaos-West TV
Baking and eating waffles together has never been as complicated as it is this year. But that does not stop the Chaos. Everywhere, Hacksen, hackers and all creatures of the Chaos have gathered to share a delicious remote waffle experience under the motto “Waffeln everywhere”.
12/28/20
CWTV
pathfinder
Chaos-West TV
An exploration of the available data discovered worldwide by probing MQTT endpoints. MQTT is a popular IoT protocol which, due to configuration, oversight or error (or all three), can be found open globally with at times highly personal data published for all to see. This talk encompasses the speaker's journey through developing a framework of parsing and exploring large datasets and building data collection and monitoring automation, showcasing the sheer lack of attention given to protection of ...