iService: Detecting and Evaluating the Impact of Confused Deputy Problem in AppleOS
The confused deputy problem is a specific type of privilege escalation. It happens when a program tricks another, more privileged one into misusing its authority. On AppleOS, system services perform privileged operations when they receive inter-process communication (IPC) requests from user processes. Confused deputy vulnerabilities result when system services fail to check the IPC input. Unfortunately, identifying such vulnerabilities is hard: it requires understanding the closed-source system services and private frameworks of the complex AppleOS by unraveling the dependencies among the binaries. To this end, we propose iService, a systematic method to automatically detect and evaluate the impact of confused deputies in AppleOS system services. Instead of looking for insecure IPC clients, it focuses on the sensitive operations performed by system services, which could compromise the system if abused, and determines whether the IPC input is properly checked before those operations are invoked. Moreover, iService evaluates the impact of each confused deputy based on i) how severe the corresponding sensitive operation would be if abused, and ii) to what extent the sensitive operation can be controlled by external input. iService is applied separately to four versions of macOS (10.14.3, 10.15.7, 11.4, and 12.4). It discovers 11 confused deputies, five of which are zero-day bugs; all of them have been fixed, and three are considered high risk. Furthermore, the five zero-day bugs have been confirmed by Apple and assigned CVE numbers to date.
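As an added illustration of the detection idea the abstract describes (not the paper's own code or tooling), the toy analysis below models a service handler as a small control-flow graph, reports sensitive operations reachable from IPC input along a path with no check, and ranks them by a severity-times-controllability score. The graph, node labels, severity table and scoring formula are all assumptions made here for illustration.

```python
from collections import deque

# Hypothetical severity weights per kind of sensitive operation (constructed).
SEVERITY = {"file_write": 2, "exec": 3, "log": 1}

def unchecked_sensitive_ops(cfg, entry):
    """Sensitive nodes reachable from `entry` along some path with no 'check'.
    cfg maps node -> (label, successors); a label is 'ipc_input', 'check',
    'plain', or ('sensitive', kind, per_argument_taint)."""
    found, seen, queue = set(), set(), deque([entry])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        label = cfg[node][0]
        if label == "check":
            continue  # this path is guarded; stop extending it
        if isinstance(label, tuple) and label[0] == "sensitive":
            found.add(node)
        queue.extend(cfg[node][1])
    return found

def impact(cfg, node):
    """Severity of the operation times the fraction of its arguments that
    derive from IPC input (a constructed controllability measure)."""
    _, kind, arg_taint = cfg[node][0]
    return SEVERITY[kind] * (sum(arg_taint) / len(arg_taint))

def detect(cfg, entry="recv"):
    """{node: impact} for every unchecked sensitive operation, highest first."""
    hits = {n: impact(cfg, n) for n in unchecked_sensitive_ops(cfg, entry)}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))

# Constructed handler: the exec is guarded on one path ('auth') but also
# reachable through an unguarded fast path, the config write is never checked,
# and the audit log takes no attacker-controlled argument.
HANDLER = {
    "recv":      ("ipc_input", ["branch"]),
    "branch":    ("plain", ["auth", "fastpath", "audit"]),
    "auth":      ("check", ["spawn"]),
    "fastpath":  ("plain", ["spawn", "write_cfg"]),
    "spawn":     (("sensitive", "exec", [True, True]), []),
    "write_cfg": (("sensitive", "file_write", [True, False]), []),
    "audit":     (("sensitive", "log", [False]), []),
}

if __name__ == "__main__":
    print(detect(HANDLER))  # {'spawn': 3.0, 'write_cfg': 1.0, 'audit': 0.0}
```

The exec is flagged even though one path to it is checked, which is the one-path-overlooked case the abstract describes; the log entry scores zero because no argument derives from IPC input.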