Gast
2015-12-06, 11:10:13
Objective-C ein Security-Desaster? Oder ist der Inhalt des untenstehenden Podcasts Unsinn?
Und warum wird nur iOS und kein OSX erwähnt?
Verifying iOS App Behavior
● The current iOS Application model, which uses Objective-C as an option, is FUNDAMENTALLY UNSECURABLE against rogue apps accessing privileged platform functions.
Why?... Because it wasn't originally built to support untrusted applications!! ...And, thus, it cannot do so securely.
● Appleactuallyd epended uponthe“obscurity”ofnotdocumentingrestrictedAPIsinthe file headers.
● Strict process controls, known as “Entitlements” exist, but since the public API libraries also need to use private APIs, the private APIs MUST be accessible within the unprivileged process space.
● “Dynamic code generation” must be provided for Safari’s JIT compiler, but it CAN and IS denied for other apps. But... dynamic code generation is not needed.
● As long as Objective-C, with its dynamic string-based dictionary lookup binding is supported, iOS will be vulnerable.
https://www.grc.com/sn/SN-532-Notes.pdf
https://twit.tv/shows/security-now/episodes/532?autostart=false
Und warum wird nur iOS und kein OSX erwähnt?
Verifying iOS App Behavior
● The current iOS Application model, which uses Objective-C as an option, is FUNDAMENTALLY UNSECURABLE against rogue apps accessing privileged platform functions.
Why?... Because it wasn't originally built to support untrusted applications!! ...And, thus, it cannot do so securely.
● Appleactuallyd epended uponthe“obscurity”ofnotdocumentingrestrictedAPIsinthe file headers.
● Strict process controls, known as “Entitlements” exist, but since the public API libraries also need to use private APIs, the private APIs MUST be accessible within the unprivileged process space.
● “Dynamic code generation” must be provided for Safari’s JIT compiler, but it CAN and IS denied for other apps. But... dynamic code generation is not needed.
● As long as Objective-C, with its dynamic string-based dictionary lookup binding is supported, iOS will be vulnerable.
https://www.grc.com/sn/SN-532-Notes.pdf
https://twit.tv/shows/security-now/episodes/532?autostart=false