research-article

iDEA: Static Analysis on the Security of Apple Kernel Drivers

Authors:

Xiaolong Bai,

Luyi Xing,

Min Zheng,

Fuping QuAuthors Info & Claims

CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Pages 1185 - 1202

https://doi.org/10.1145/3372297.3423357

Published: 02 November 2020 Publication History

Get Access

Abstract

Drivers on Apple OSes (e.g., iOS, tvOS, iPadOS, macOS, etc.) run in the kernel space and driver vulnerabilities can incur serious security consequences. A recent report from Google Project Zero shows that driver vulnerabilities on Apple OSes have been actively exploited in the wild. Also, we observed that driver vulnerabilities have accounted for one-third of kernel bugs in recent iOS versions based on Apple's security updates. Despite the serious security implications, systematic static analysis on Apple drivers for finding security vulnerabilities has never been done before, not to mention any large-scale study of Apple drivers.

In this paper, we developed the first automatic, static analysis tool iDEA for finding bugs in Apple driver binaries, which is applicable to major Apple OSes (iOS, macOS, tvOS, iPadOS). We summarized and tackled a set of Apple-unique challenges: for example, we show that prior C++ binary analysis techniques are ineffective (i.e., failing to recover C++ classes and resolve indirect calls) on Apple platform due to Apple's unique programming model. To solve the challenges, we found a reliable information source from Apple's driver programming and management model to recover classes, and identified the unique paradigms through which Apple drivers interact with user-space programs. iDEA supports customized, pluggable security policy checkers for its security analysis. Enabled by iDEA, we performed the first large-scale study of 3,400 Apple driver binaries across major Apple OSes and 15 OS versions with respect to two common types of security risks - race condition and out-of-bound read/write, and discovered 35 zero-day bugs. We developed PoC and end-to-end attacks to demonstrate the practical impacts of our findings. A portion of the bugs have been patched by recent Apple security updates or are scheduled to be fixed; others are going through Apple's internal investigation procedure. Our evaluation showed that iDEA incurs a low false-positive rate and time overhead.

Supplementary Material

MOV File (Copy of CCS2020_fpe424_XiaolongBai - Pat Weeden.mov)

Presentation video

Download
300.21 MB

References

[1]

Adam Donenfeld. 2018. Viewer Discretion Advised: (De)coding an iOS Kernel Vulnerability. http://phrack.org/papers/viewer_discretion_advised.html.

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS~X and iOS

Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link

SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations