HACKING AT MACH SPEED! - Reverse Engineering Mac OS X


reverse.put.as
12.07.2015

HACKING AT MACH SPEED!
How I found an 0day at 9pm the night before SummerCon and spent the rest of the night making slides

Dino A. Dai Zovi
@dinodaizovi / ddz@theta44.org
http://trailofbits.com / http://theta44.org


Introduction


This story starts with two guys named Andrew,

and the university that they founded.


CMU grad students wrote a microkernel for 4.2BSD/VAX,

which was used in NeXTSTEP,

and NeXTSTEP eventually became Mac OS X.

This microkernel is called Mach.


What is Mach?


What is it?
A microkernel based on four key abstractions:
- Tasks hold resources and run threads
- A thread is a context of execution on a processor
- Ports are unidirectional queues between tasks
- Messages are structured objects sent to ports


Tasks
Resource containers that hold:
- A virtual memory address space
- One or more threads
- Port send and receive rights


Threads
- Represent a context of execution on a CPU
  - Values stored in each CPU register
  - CPU flags and other state
- May be scheduled to run on any CPU
- Must belong to one and only one task


Ports
- A queue of structured messages
- Very unlike Unix file-based IPC abstractions
- The one task with the exclusive receive right owns it
- Zero or more tasks may hold send rights to a port
- Rights may be sent to other tasks in messages


Messages
- Basic unit of inter-task communication
- Header specifies source/destination, etc.
- Body contains in-line data
  - Integers, strings, floating point numbers
- Message may also contain out-of-line data
  - Port rights
  - Memory pages


Mach RPC
- Mach RPC is built using messages and ports
- The Mach Interface Generator (MIG)
  - Takes a user-written RPC interface file (foo.defs)
  - Generates user and/or server stub routines that abstract away the marshaling and communication
- Request and reply messages carry an NDR (Network Data Representation) record, the DCE RPC encoding that Microsoft RPC also uses
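What a MIG request looks like on the wire, as an added example written for this page (it is not code from the talk, from MIG, or from Apple): a Python encoder and decoder for requests to a hypothetical subsystem `foo` with base id 1000 and two routines, which is an assumption standing in for the slide's `foo.defs`. The header, body, descriptor and NDR layouts are copied from the public Mach headers; the checks mirror what a generated server stub performs before dispatching. The msgh_id must fall in the subsystem's range (otherwise MIG_BAD_ID), the size must match the routine's fixed layout (otherwise MIG_BAD_ARGUMENTS), and out-of-line port rights travel as descriptors in a complex message ahead of the NDR record. The sample request it builds is constructed for the demo.

```python
"""Encode and decode MIG request messages for a hypothetical subsystem (added example)."""
import struct

# Constants and layouts copied from the public Mach headers
# (<mach/message.h>, <mach/ndr.h>, <mach/mig_errors.h>); little-endian, 64-bit user space.
MACH_MSGH_BITS_COMPLEX = 0x80000000     # message body starts with descriptors
MACH_MSGH_BITS_LOCAL_MASK = 0x1F00      # how the reply (local) port right travels
RIGHT_NAMES = {16: "MOVE_RECEIVE", 17: "MOVE_SEND", 18: "MOVE_SEND_ONCE",
               19: "COPY_SEND", 20: "MAKE_SEND", 21: "MAKE_SEND_ONCE"}
MACH_MSG_PORT_DESCRIPTOR, MACH_MSG_OOL_DESCRIPTOR = 0, 1
MIG_BAD_ID, MIG_BAD_ARGUMENTS = -303, -304
MIG_REPLY_OFFSET = 100                  # reply msgh_id = request msgh_id + 100

HDR = struct.Struct("<IIIIIi")     # msgh_bits, msgh_size, remote_port, local_port, voucher_port, msgh_id
BODY = struct.Struct("<I")         # msgh_descriptor_count
PORT_DESC = struct.Struct("<III")  # name, pad1, (pad2:16 | disposition:8 | type:8)
OOL_DESC = struct.Struct("<QII")   # address, (deallocate:8 | copy:8 | pad1:8 | type:8), size
NDR = struct.Struct("<8B")         # mig_vers, if_vers, reserved1, mig_encoding, int_rep, char_rep, float_rep, reserved2
NDR_RECORD = bytes([0, 0, 0, 0, 1, 0, 0, 0])   # int_rep 1 = little-endian integers

# Hypothetical "foo" subsystem standing in for the slide's foo.defs (assumption):
# routine index -> (name, size of its fixed inline arguments).
FOO_BASE = 1000
FOO_ROUTINES = {0: ("foo_ping", 4), 1: ("foo_set_name", 64)}


def build_request(routine, inline_args, remote=0x1003, reply=0x1103, port_descs=()):
    """Serialize what a MIG user stub sends for routine `routine` of subsystem foo.

    port_descs: (port_name, disposition) pairs carried out-of-line as port
    descriptors; any descriptor makes the message complex.
    """
    bits = 19 | (21 << 8)            # COPY_SEND to the service, MAKE_SEND_ONCE for the reply
    body = b""
    if port_descs:
        bits |= MACH_MSGH_BITS_COMPLEX
        body = BODY.pack(len(port_descs))
        for name, disposition in port_descs:
            body += PORT_DESC.pack(name, 0, (MACH_MSG_PORT_DESCRIPTOR << 24) | (disposition << 16))
    body += NDR_RECORD + inline_args
    return HDR.pack(bits, HDR.size + len(body), remote, reply, 0, FOO_BASE + routine) + body


def decode_request(buf):
    """Parse a request the way the generated server stub does; return a dict or a MIG error."""
    if len(buf) < HDR.size:
        return MIG_BAD_ARGUMENTS
    bits, size, _remote, reply, _voucher, msgh_id = HDR.unpack_from(buf, 0)
    if size != len(buf):
        return MIG_BAD_ARGUMENTS
    routine = msgh_id - FOO_BASE
    if routine not in FOO_ROUTINES:
        return MIG_BAD_ID            # demux: id outside this subsystem's range
    name, arg_len = FOO_ROUTINES[routine]
    off, descriptors = HDR.size, []
    if bits & MACH_MSGH_BITS_COMPLEX:
        (count,) = BODY.unpack_from(buf, off)
        off += BODY.size
        for _ in range(count):
            if off + PORT_DESC.size > len(buf):
                return MIG_BAD_ARGUMENTS
            kind = buf[off + 11]     # descriptor type: top byte of the word at +8 in every descriptor
            if kind == MACH_MSG_PORT_DESCRIPTOR:
                pname, _pad, word = PORT_DESC.unpack_from(buf, off)
                descriptors.append(("port", pname, RIGHT_NAMES.get((word >> 16) & 0xFF, "?")))
                off += PORT_DESC.size
            elif kind == MACH_MSG_OOL_DESCRIPTOR and off + OOL_DESC.size <= len(buf):
                addr, _word, ool_size = OOL_DESC.unpack_from(buf, off)
                descriptors.append(("ool", addr, ool_size))
                off += OOL_DESC.size
            else:
                return MIG_BAD_ARGUMENTS
    if off + NDR.size > len(buf) or buf[off + 4] != NDR_RECORD[4]:
        return MIG_BAD_ARGUMENTS     # a real stub byte-swaps a foreign int_rep; here it is rejected
    args = buf[off + NDR.size:]
    if len(args) != arg_len:
        return MIG_BAD_ARGUMENTS     # size check: inline arguments must match the fixed layout
    return {"routine": name, "reply_id": msgh_id + MIG_REPLY_OFFSET, "reply_port": reply,
            "reply_right": RIGHT_NAMES.get((bits & MACH_MSGH_BITS_LOCAL_MASK) >> 8, "?"),
            "descriptors": descriptors, "args": args}


if __name__ == "__main__":
    req = build_request(1, b"spotlight".ljust(64, b"\0"), port_descs=[(0x2007, 17)])
    print(decode_request(req))                     # foo_set_name, one MOVE_SEND port, reply id 1101
    print(decode_request(build_request(7, b"")))   # -303: no routine 7 in this subsystem
```

The same decoder applies to raw message buffers dumped from a debugger breakpoint on mach_msg(); when auditing a server, the size and id checks above are exactly the ones to confirm the generated stub still performs, since everything past the NDR record is handed to the hand-written routine as-is.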


Sup dawg, we heard you like kernels, so we put a microkernel in your kernel (so you can Mach while you BSD)

Where can I find it?


The kernel is just a task
- Most low-level functions are RPC calls to the kernel
  - Task, thread, memory, semaphores, etc.
- The kernel is a task, just like other processes are
- With a send right to the kernel's task port (which root could obtain via task_for_pid(0) on the Mac OS X of the day), you can:
  - Read/write kernel memory
  - Create, suspend, and terminate kernel threads
  - Call other RPC servers in the kernel


Auditing Mach RPC


Bootstrap server
- How clients find servers
- Every task is given a send right to the bootstrap server's RPC service port (its bootstrap port)
- The bootstrap server lives inside launchd
  - Launches servers on demand
  - Will also automatically relaunch crashed ones


Where the servers at?
Bootstrap servers are configured in:
- {/System,/,~}/Library/LaunchAgents
- {/System,/,~}/Library/LaunchDaemons
- /etc/mach_init.d, /etc/mach_init_per_user.d, /etc/mach_init_per_login_session.d (legacy mach_init directories)
- Dynamically, using calls to bootstrap_register()
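Enumerating the statically registered names, as an added example for this page (not the talk's tooling): the Python below walks the launchd job directories the slide lists, parses each job plist with `plistlib` (which handles both XML and binary plists), and reports every `MachServices` key, which is the name a client hands to `bootstrap_look_up()`. The directory list and the `MachServices` option keys (`ResetAtClose`, `HideUntilCheckIn`) come from launchd.plist(5); the two job plists it writes (`com.example.updater`, `com.example.cleanup`) are constructed for the demo. Names registered at runtime with `bootstrap_register()` do not show up here; those need a bootstrap_info-style query of the running bootstrap server.

```python
"""List Mach service names that launchd will register on demand (added example)."""
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

# Directories launchd reads job definitions from (from the slide); ~ is expanded.
LAUNCHD_DIRS = [
    "/System/Library/LaunchDaemons", "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents", "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Constructed sample jobs for the demo; not real Apple plists.
SAMPLE_JOBS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/example-updater</string><string>--daemon</string></array>
  <key>MachServices</key>
  <dict>
    <key>com.example.updater.xpc</key><true/>
    <key>com.example.updater.reset</key>
    <dict><key>ResetAtClose</key><true/></dict>
  </dict>
</dict>
</plist>
""",
    # A job with no Mach service: runs on a schedule, nothing to bootstrap_look_up().
    "com.example.cleanup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.cleanup</string>
  <key>Program</key><string>/usr/libexec/example-cleanup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
""",
}


def mach_services_in(plist_bytes):
    """Return (service_name, label, program, option_flags) for each MachServices entry.

    A MachServices value is either <true/> or a dict of options such as
    ResetAtClose / HideUntilCheckIn (launchd.plist(5)).
    """
    job = plistlib.loads(plist_bytes)            # auto-detects XML vs. binary plist
    label = job.get("Label", "?")
    program = job.get("Program") or (job.get("ProgramArguments") or ["?"])[0]
    rows = []
    for name, opts in (job.get("MachServices") or {}).items():
        flags = sorted(k for k, v in opts.items() if v) if isinstance(opts, dict) else []
        rows.append((name, label, program, flags))
    return rows


def scan(dirs=LAUNCHD_DIRS):
    """Walk the job directories and collect every declared Mach service, with its plist path."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".plist"):
                continue
            path = os.path.join(d, fn)
            try:
                with open(path, "rb") as f:
                    rows = mach_services_in(f.read())
            except (OSError, ValueError, ExpatError, plistlib.InvalidFileException) as exc:
                rows = [("<unparseable: %s>" % exc, fn, "?", [])]   # worth a look by hand
            found.extend(row + (path,) for row in rows)
    return found


def write_sample_jobs(directory):
    """Drop the constructed job plists into `directory`."""
    for fn, data in SAMPLE_JOBS.items():
        with open(os.path.join(directory, fn), "wb") as f:
            f.write(data)


def demo():
    """Scan a temporary directory seeded with the constructed jobs (offline stand-in for LAUNCHD_DIRS)."""
    tmp = tempfile.mkdtemp(prefix="launchagents-")
    write_sample_jobs(tmp)
    return scan([tmp])


if __name__ == "__main__":
    for name, label, program, flags, path in demo():
        print("%-32s %-24s %s %s" % (name, label, program, ",".join(flags)))
```

On a real system call `scan()` with no arguments; every name it prints is reachable by any local task, since every task inherits a send right to the bootstrap port, so the list is the on-demand half of the local Mach RPC attack surface.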


update_sharing.defs


prajna% ls /System/Library/LaunchAgents/
com.apple.AOSNotificationOSX.plist
com.apple.AddressBook.abd.plist
com.apple.AirPortBaseStationAgent.plist
com.apple.AppleGraphicsWarning.plist
com.apple.BezelUI.plist
com.apple.CoreLocationAgent.plist
com.apple.DictionaryPanelHelper.plist
com.apple.Dock.plist
com.apple.FileSyncAgent.plist
com.apple.Finder.plist
com.apple.FontRegistryUIAgent.plist
com.apple.FontValidator.plist
com.apple.FontValidatorConduit.plist
com.apple.FontWorker.plist
com.apple.Kerberos.renew.plist
com.apple.KerberosHelper.LKDCHelper.plist
com.apple.NetworkDiagnostics.plist
com.apple.PCIESlotCheck.plist
[ ... ]


bootstrap_info
prajna% ./bootstrap_info
ru (Apple)_OpenStep ([0x0-0x27027].com.apple.AppleSpell) = ACTIVE
com.apple.finder.ServiceProvider (com.apple.Finder) = ACTIVE
com.apple.FontRegistry.FontRegistryUIAgent (com.apple.FontRegistryUIAgent) = ON_DEMAND
com.apple.FontObjectsServer (com.apple.fontd) = ACTIVE
WaveMessagePort.314.23499425 (0x100403990.anonymous.wineloader) = ACTIVE
com.apple.rcd (0x100400510.mach_init.rcd) = ON_DEMAND
com.apple.netauth.useragent (com.apple.netauth.useragent) = ON_DEMAND
com.apple.datadetectors.compiler (com.apple.datadetectors.compiler) = ON_DEMAND
com.apple.autologinPWHandler (0x100400000.anonymous.loginwindow) = ACTIVE
com.apple.FontWorker (com.apple.FontWorker) = ON_DEMAND
com.apple.Preview.ServiceProvider ([0x0-0x4b04b].com.apple.Preview) = ACTIVE
com.apple.ReportCrash (com.apple.ReportCrash) = ON_DEMAND
com.apple.coreservices.quarantine-resolver (com.apple.coreservices.uiagent) = ON_DEMAND
com.apple.DictionaryPanelHelper (com.apple.DictionaryPanelHelper) = ON_DEMAND
[ ... ]


Let's go a bug-hunting


REDACTED


Pwn2Own prizes for 2012
Or, report your bugs to the vendors for free


Vulnerability handling
- We need to debate "vulnerability handling", not "responsible disclosure"
- "Responsible disclosure" presupposes many decisions, judgements, and interests
- Was created for 2002's Internet, but now it's 2010
- Many of ZDI's "upcoming advisories" could enable an "Aurora"-style attack if exploited


Are we chasing our tail?
Is the vulnerability disclosure status quo:
- Awesome?
- Sufficient?
- Irrelevant?
- A distraction at best?
- Enabling an addict?


Vulnerabilities vs. exploits
- A vulnerability never 0wned anyone, an exploit did
- There are more people that can find vulnerabilities than can write reliable exploits
  - Count number of ZDI vulnerability contributors vs. Pwn2Own contestants past and present
- A minority of vulnerabilities have the potential to be turned into a dangerous exploit


Exploits matter
- OSVDB query for remote vulnerabilities in 2009
  - ~1000 potential code/command execution
- Manual analysis of exploit kits, incidents, etc.
  - 40 exploits observed being used in the wild
  - Most copied from milw0rm with few changes
  - Comment out skape/skywing DEP bypass


Bugs for Bosch
- "Google attack highlights 'zero-day' blackmarket" (AP, 1/29/2010)
- "I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen — as terrible as that is, I made that choice, and it's hard," Miller said. "It's a lot of money for someone to turn down."
- Adobe JBIG2 exploit was sold for $75K (Twitter, I think)
- Reporting bug responsibly feels like a million bucks!


$75K is a lot of food
- $75K = ~512K CNY
- Average yearly salary for a software engineer in China is 90K CNY
  - http://www.payscale.com/research/CN/Country=China/Salary
- Would you "do the right thing" for free when you could "do the wrong thing" for 5-6 years' salary?


Fighting 0day exploits
- Make them illegal!
  - Right... best of luck with that (WTO sanctions?)
- Make a transparent, open, legitimate market!
  - Vendors will never pay or play along
- Make them ineffective!
  - Now you're onto something...


One 0day ruins your day
- One 0day browser or document reader exploit is a skeleton key for everyone's side doors
- The front door has layered firewalls, DMZs, hardened servers, ingress/egress filtering
- Client desktops are a wilderness of unmanaged or barely managed systems with software handling untrusted data as Administrator
- Client desktops have unlimited internal access


Let's talk about Tavis


Is this the Advanced Persistent Threat?
Or, "how many Chinese hackers does it take to compromise your network?"


Cyberwarriors or cyberpunks?
- Stop flattering yourself, your network is trivial to 0wn
- Your employees and their e-mail addresses are enumerable on social networking sites?
- Your employees answer external e-mail and access Internet web sites on the same machine that they create or handle proprietary IP?
- Are their e-mail addresses firstname.lastname@company.com?


0day attacks != H1N1
- Stop treating 0day attacks like H1N1
  - People are getting sick with an unknown virus, we must respond to this incident
  - Take anti-viral medication to treat infections
  - We have developed an immunization shot for H1N1, everyone please go apply it to yourselves
- Any hand-written malware will evade anti-virus
- We don't have a cyber immune system yet


Public health vs. crime
- Mass malware and botnets are an Internet public health problem (cyberhealth?)
  - Opportunistic, low-skill and attention
- Targeted attacks are a cybercrime problem
  - Deterrence requires enforcement and prosecution (good luck on that!)
  - In absence of those, prevention is best recourse


Prevention is hard
- Because the security industry isn't making the right products or tools
- No one bought the effective ones because they didn't understand them or couldn't justify them
- Vulnerability and exploitability analysis is confusing
  - What mitigations are enabled in this application?
  - Are they effective? Have they been disabled?


Exploits should be hard
- And they are getting harder, but not hard enough
- Mass malware increasingly turning to social engineering tactics instead (i.e. rogue AV)
  - Misanthropically effective
  - Real anti-virus can handle this problem
- Defending against advanced attackers requires advanced defense systems


Eat the rich AV vendors
- Overheard outside RSA exhibition hall: "Vendor spent $500K on their booth exhibit and it costs them $90K to transport and set it up anywhere"
- They have too much money for not solving today's real-world problems
- Why pay protection money to the mafia when you are still getting robbed every day?


Stop calling them buffer overflows!
Unless a buffer is actually being overflown (increasingly rare)


Vulnerability terminology
- Buffer overflow
  - What about out-of-bounds array indexes?
- Arbitrary code execution
  - What about Solaris telnetd bug => auth bypass
- Memory corruption
  - What about use-after-free?
  - What about memory disclosure vulnerabilities?


Type safety
- All of these vulnerabilities are failures of type safety
- C/C++ are not memory-safe or type-safe
- Type-safe languages only have these problems when their implementations, written in unsafe languages, have these vulnerabilities
  - Or programs use "unsafe" extensions
- What should we call these issues?


"Memory trespass"
- "Memory trespass vulnerabilities are software weaknesses that allow memory accesses outside of the semantics of the programming language in which the software was written."
  - Dai Zovi, "Security Applications of Dynamic Binary Translation", University of New Mexico Tech Report TR-CS-2002-38
  - Yes, I am quoting myself. Deal with it.
- Code injection and execution is only one way to exploit a few specific classes of memory trespass vulnerabilities


Or...
- Type violation
- Type safety bypass
- Memory safety bypass
- Just don't say "buffer overflow" when it isn't
- Don't get me started on the word "shellcode"


But, but, ASLR, DEP!
- ASLR and DEP do a great job of making exploitation of server-side vulnerabilities impossible in the vast majority of cases
- Low-integrity prevents writing, but not reading your sensitive docs and information
- Scriptable client applications offer a much larger element of attacker control
  - Yields more possibilities for evading ASLR
  - Code-reuse exploit techniques can be used to bypass DEP


Code-reuse exploits
- Return-to-libc (Solar Designer, 1997)
  - Return into functions in libc
- Borrowed code chunks (Krahmer, 2005)
  - Link returns to single instructions
- Return-oriented programming (Shacham, 2007)
  - Turing complete w/ compiler for C-like language


Tactics vs. strategy
- Malicious injected code is not the true problem
  - It is only the most common exploitation tactic
  - Code-reuse exploitation techniques don't need to inject any code, will reuse what is there
- The strategy is to make the target application do unexpected things in a way useful to the attacker
  - Unexpected/undesirable behavior is the problem


My sandbox soapbox
- Why does my browser need to be able to write to anywhere except for ~/Downloads?
- Why do doc readers, IM clients, need to write files at all?
- Multi-user DAC security model is ill-suited to the desktop
- We need a new multi-application desktop security model
  - Phones (iPhone and Android) already have this
  - iPhone prevents injected code and app misbehavior


Questions?
@dinodaizovi / ddz@theta44.org
