0 Replies
      Latest reply on Jun 9, 2015 5:32 PM by rtrouton
      rtrouton Level 1 Level 1 (0 points)

        Network security

         

        • HTTPS, TLS
        • In 2015, TLS is a minimum baseline

         

        Many servers default to TLSv1.0, from 1999

        Newest version is TLSv1.2

         

        TLSv1.2 is not enough. Compromise of a server key lets you decrypt all TLS traffic that was encrypted in the past.

         

        With forward secrecy, a server key compromise will only let you read future traffic. Past traffic will not be able to be decrypted.

         


        By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections.

        TLS connections will need to comply with best practices

        - Exceptions can be declared on a case-by-case basis in your app's Info.plist file.

         

         

        System Integrity Protection

         

         

        Defense in Depth

         

         

        Security is about layers

        One layer failing shouldn't defeat all security

         

        Rely on multiple layers of protection

        • Delay the attacker
        • Reduce your attack surface

         

        Seque into talking about Vauban and star fortresses. History lesson FTW.

         

         

        OS X's star fortress security model:

         

        • Outermost line - Developer ID and Gatekeeper
        • Second layer - Sandbox - attacker only gets access to the data which the user permits
        • Third layer - POSIX - Unix-level permission, only able to access data permitted by permissions.
        • Fourth (innermost) layer - Keychain - uses cryptography to protect secrets stored inside.

         

        Weaknesses

         

        • Most Macs are single-user systems, where the user has admin rights
        • Root hidden behind a single - often weak - password
        • Root can disable all security measures on the device

         

         

        System Integrity Protection

         

        Limits the power of root

        Protect the system by default, on disk and at run time

         

        New security policy applying to every process, including privileged code running unsandboxed.

        System file objects cannot be modified

        System binaries can only be modified by Apple Installer and Software update, and no longer permit runtime modification.

         

        No impact on Mac App Store applications, already SIP-compliant

         

        Potential impact for non-AppStore applications (watch video, went fast.)

         

         

        • Filesystem protections
        • Runtime protections
        • Kernel Extensions
        • Configuration mechanism

         

         

        Filesystem protections

         

         

        Installer marks system locations with special flag

        Kernel stops processes from:

         

        • Writing to protected files or folders
        • Writing to block devices that back protected content
        • Mounting over protected content

         

         

        Only applies to the boot and root volumes.

         

         

        System-only (protected by System Integrity Protection)

         

        /System

        /bin

        /usr

        /sbin

         

        Available to developers

         

        ~/Library

        /Library

        /usr/local

        /Applications

         

        System Migration will move 3rd-party content out of system locations after upgrading.

         

         

        Runtime protections

         

        Injecting code into a process is equivalent to modifying the binary on disk

        Processes are marked restricted by the kernel

        - Main executable is protected on disk

        - (other stuff went by fast, watch the video)

         

         

        Restricted processes

         

        • task_for_pid() / processor_set_tasks() fail with EPERM
        • Mach special ports are reset on exec(2)
        • dyld environment variables are ignored
        • dtrace probes unavailable

         

         

        Kext signing

         

        Kernel extensions must be signed with a Developer ID for Kexts certificate

        Install into /Library/Extensions

         

        kext-dev-mode boot-arg is now obsolete

         

         

        Configuration mechanism

         

         

        Disabling System Integrity Protection

         

        1. Boot to Recovery HD
        2. Launch "Security Configuration" from "Utilities" menu
        3. Change configuration and hit the Apply button

         

         

        System Integrity Protection configuration is stored in NVRAM

         

        - Applies to the entire machine

        - Persists across OS install

         

         

        The configuration change can *only* be made via Recovery, because root on the boot OS can't be trusted.

         

        Third party content *must* be migrated out of system locations protected by System Integrity Protection.

         

         

         

         

        The Keychain and Touch ID - iOS

         

         

        Protecting Data:

         

         

        Keychain - a very specialized database

         

        • Efficiently searched by attributes
        • Optimized for small payloads (secrets)

         

         

        Factor keychain into a small, testable unit

        - Wrapper class

         

        Use the highest data protection level you can.

         

         

        Reducing password prompts

        - Shared web credentials

         

        Safari Saved Passwords

         

        iCloud Keychain - share the saved passwords across devices


        It's possible to extend Safari Saved Passwords to iOS 9 apps as well.

         

         

         

         

        Touch ID

         

        Convenience

        - Don't need to enter your passcode all the time

         

        Security

        - Stronger passcode

         

        Touch ID APIs in iOS 8

         

        • LocalAuthentication
        • Keychain Access Control List

         

         

        Touch ID enrollment changes in iOS 9


        - Checking finger enrollment over time, make evaluations and ask user if they still want to use Touch ID.

         

         

        Keeping Things Inside the Secure Enclave

         

        Asymmetric cryptography using public key / private key encryption

        Data is sent from the Secure Enclave across kernel space as encrypted data, decrypted once it hits userspace.

         

         

        Generated private keys

         

        EC-P256 Elliptic curve cryptography

        Not extractable