      Latest reply on Jun 9, 2015 5:32 PM by rtrouton

        Network security


        • HTTPS, TLS
        • In 2015, TLS is a minimum baseline


        Many servers default to TLSv1.0, from 1999

        Newest version is TLSv1.2


        TLSv1.2 is not enough. Compromise of a server key lets you decrypt all TLS traffic that was encrypted in the past.


        With forward secrecy, a server key compromise will only let you read future traffic. Past traffic will not be able to be decrypted.


        By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections.

        TLS connections will need to comply with best practices

        - Exceptions can be declared on a case-by-case basis in your app's Info.plist file.



        System Integrity Protection



        Defense in Depth



        Security is about layers

        One layer failing shouldn't defeat all security


        Rely on multiple layers of protection

        • Delay the attacker
        • Reduce your attack surface


        Segue into talking about Vauban and star fortresses. History lesson FTW.



        OS X's star fortress security model:


        • Outermost line - Developer ID and Gatekeeper
        • Second layer - Sandbox - attacker only gets access to the data which the user permits
        • Third layer - POSIX - Unix-level permission, only able to access data permitted by permissions.
        • Fourth (innermost) layer - Keychain - uses cryptography to protect secrets stored inside.




        • Most Macs are single-user systems, where the user has admin rights
        • Root hidden behind a single - often weak - password
        • Root can disable all security measures on the device



        System Integrity Protection


        Limits the power of root

        Protect the system by default, on disk and at run time


        New security policy applying to every process, including privileged code running unsandboxed.

        System file objects cannot be modified

        System binaries can only be modified by Apple Installer and Software update, and no longer permit runtime modification.


        No impact on Mac App Store applications, already SIP-compliant


        Potential impact for non-AppStore applications (watch video, went fast.)



        • Filesystem protections
        • Runtime protections
        • Kernel Extensions
        • Configuration mechanism



        Filesystem protections



        Installer marks system locations with special flag

        Kernel stops processes from:


        • Writing to protected files or folders
        • Writing to block devices that back protected content
        • Mounting over protected content



        Only applies to the boot and root volumes.



        System-only (protected by System Integrity Protection)







        Available to developers







        System Migration will move 3rd-party content out of system locations after upgrading.



        Runtime protections


        Injecting code into a process is equivalent to modifying the binary on disk

        Processes are marked restricted by the kernel

        - Main executable is protected on disk

        - (other stuff went by fast, watch the video)



        Restricted processes


        • task_for_pid() / processor_set_tasks() fail with EPERM
        • Mach special ports are reset on exec(2)
        • dyld environment variables are ignored
        • dtrace probes unavailable



        Kext signing


        Kernel extensions must be signed with a Developer ID for Kexts certificate

        Install into /Library/Extensions


        kext-dev-mode boot-arg is now obsolete



        Configuration mechanism



        Disabling System Integrity Protection


        1. Boot to Recovery HD
        2. Launch "Security Configuration" from "Utilities" menu
        3. Change configuration and hit the Apply button



        System Integrity Protection configuration is stored in NVRAM


        - Applies to the entire machine

        - Persists across OS install



        The configuration change can *only* be made via Recovery, because root on the boot OS can't be trusted.


        Third party content *must* be migrated out of system locations protected by System Integrity Protection.





        The Keychain and Touch ID - iOS



        Protecting Data:



        Keychain - a very specialized database


        • Efficiently searched by attributes
        • Optimized for small payloads (secrets)



        Factor keychain into a small, testable unit

        - Wrapper class


        Use the highest data protection level you can.



        Reducing password prompts

        - Shared web credentials


        Safari Saved Passwords


        iCloud Keychain - share the saved passwords across devices

        It's possible to extend Safari Saved Passwords to iOS 9 apps as well.





        Touch ID



        - Don't need to enter your passcode all the time



        - Stronger passcode


        Touch ID APIs in iOS 8


        • LocalAuthentication
        • Keychain Access Control List



        Touch ID enrollment changes in iOS 9

        - Checking finger enrollment over time, make evaluations and ask user if they still want to use Touch ID.



        Keeping Things Inside the Secure Enclave


        Asymmetric cryptography using public key / private key encryption

        Data is sent from the Secure Enclave across kernel space as encrypted data, decrypted once it hits userspace.



        Generated private keys


        EC-P256 Elliptic curve cryptography

        Not extractable