> The story of how I gained unauthorized Camera access on iOS and macOS
> We are beginning to form the attack plan - if we can somehow trick Safari into thinking our evil website is in the “secure context” of a trusted website, we can leverage Safari’s camera permission to access the webcam via the mediaDevices API.
Aperture: Senior QA (2004-2005)
> This project is tricky to write about as there was so much positive and negative emotion involved — a real roller coaster.
A good retrospective on a project that starts going sideways and then really jumps the rails.
Information Leaks via Safari's Intelligent Tracking Prevention
> Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data. As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search). This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.
All about the new ML Super Resolution feature in Pixelmator Pro
> To create the ML Super Resolution feature, we used a convolutional neural network. This type of deep neural network reduces raster images and their complex inter-pixel dependencies into a form that is easier to process (i.e. requires less computation) without losing important features (edges, patterns, colors, textures, gradients, and so on). The ML Super Resolution network includes 29 convolutional layers which scan the image and create an over-100-channel-deep version of it that contains a range of identified features. This is then upscaled, post-processed and turned back into a raster image. Below is a simplified representation of the neural network.
Not quite all about it, and there are better references for the technique, but it's neat to see this trickle down to entry-level photo editing.
So We Don't Have A Solution For Catalina...Yet
> With the release of macOS 10.15 (Catalina), Apple has dropped support for running 32-bit executables and removed the 32-bit versions of system frameworks and libraries. Most Windows applications our users run with CrossOver are 32-bit and CrossOver uses a 32-bit Mac executable, system frameworks, and libraries to run them. This will break with Catalina.
And then comes the fun part:
> We have built a modified version of the standard C language compiler for macOS, Clang, to automate many of the changes we need to make to Wine’s behavior without pervasive changes to Wine’s source code.
> First, our version of Clang understands both 32- and 64-bit pointers. We are able to control from a broad level down to a detailed level which pointers in Wine’s source code need to be 32-bit and which 64-bit. Any code which substitutes for Windows at the interface with the Windows app has to use 32-bit pointers. On the other hand, the interfaces to the system libraries are always 64-bit.
Dramatically reduced power usage in Firefox 70 on macOS with Core Animation
> In Firefox 70 we changed how pixels get to the screen on macOS. This allows us to do less work per frame when only small parts of the screen change. As a result, Firefox 70 drastically reduces the power usage during browsing.
> Every Firefox window contains one OpenGL context, which covers the entire window. Firefox 69 was using the API described above. So we were always redrawing the whole window on every change, and the window manager was always copying our entire window to the screen on every change. This turned out to be a problem despite the fact that these draws were fully hardware accelerated.
> Core Animation is the name of an Apple framework which lets you create a tree of layers (CALayer). These layers usually contain textures with some pixel content. The layer tree defines the positions, sizes, and order of the layers within the window. Starting with macOS 10.14, all windows use Core Animation by default, as a way to share their rendering with the window manager.
Turning a MacBook into a Touchscreen Using the Webcam
> Our idea was to retrofit a small mirror in front of a MacBook’s built-in webcam, so that the webcam would be looking down at the computer screen at a sharp angle. The camera would be able to see fingers hovering over or touching the screen, and we’d be able to translate the video feed into touch events using computer vision.
Memory Unsafety in Apple's Operating Systems
> Rather than just talking about a single release, what if we aggregated the total memory unsafety-related vulnerability statistics in Apple’s two flagship operating systems: iOS and macOS?
> Across the entirety of iOS 12 Apple has fixed 261 CVEs, 173 of which were memory unsafety. That’s 66.3% of all vulnerabilities.
Bad UI: MacOS 10.14’s Software Update Release Notes
> The release notes for the 10.14.4 update are quite long, as you can see from the relative size of the scroll. That’s good — there’s a lot new in this update and the release notes should mention everything new or different. But the sheet containing the release notes can’t be resized. You see about 9 lines of text at a time, and there’s nothing you can do about it.
> Worse, the text can’t be selected, so you can’t even copy and paste it into TextEdit or some other app to read it comfortably. They even have URLs at the bottom of the note, pointing to support pages on apple.com which contain even more details about the update — but the URLs aren’t clickable. Can’t copy them, can’t click them — the only way to actually open these URLs is to retype them manually.
Death by vmmap
> In this blog post, we dug into why (on macOS Mojave) executing vmmap against launchd (pid 1), deadlocks the entire system. In short, after vmmap has suspended launchd it (indirectly) attempts to ‘call’ into launchd via XPC. As launchd has been suspended (by vmmap), everything grinds to a halt.
Deciphering the Messages of Apple’s T2 Coprocessor
> To discover and communicate with advertised services, the T2 exposes itself to macOS as a network interface, assigned as en6 on our lab machines. This macOS interface is configured for IPv6 with a universally static local address of fe80::aede:48ff:fe00:1122. The T2 exposes itself at a fixed IPv6 address of fe80::aede:48ff:fe33:4455.
> MacOS and the T2 communicate over a typical network stack, with a few notable exceptions. Ethernet frames are encapsulated within Mobile Broadband Interface Model (MBIM) packets for transmission over what we can therefore infer is a USB-based interface. For simple application-level messages, one MBIM frame will typically contain a single message, but for larger data transfers, multiple Ethernet frames will be encapsulated within each packet. This is somewhat ironic, as often a data transfer segment will be split into MTU-sized chunks at the TCP layer, only to be combined into a single packet at the MBIM layer.
> Above the TCP/IP layer, macOS and the T2 use the HTTP/2 protocol to open, and often maintain, persistent connections between different applications
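The two link-local addresses quoted above carry the `ff:fe` marker of a modified EUI-64 interface identifier, which is why they can be "universally static": each is derived mechanically from a fixed MAC. The script below, added here as an illustration and not taken from the Duo write-up, derives the address from a MAC the way RFC 4291 specifies and parses `ifconfig` output to find which interface carries the macOS-side address (it is `en6` in the article's lab, but the name is not guaranteed on every machine). The `ifconfig` excerpt is constructed in macOS format; the MAC `ac:de:48:00:11:22` is simply the one whose EUI-64 is the documented address, not a claim about real hardware.

```python
import ipaddress
import re
from typing import Optional

# Link-local addresses reported in the quoted Duo Labs write-up.
MACOS_SIDE = "fe80::aede:48ff:fe00:1122"
T2_SIDE = "fe80::aede:48ff:fe33:4455"


def eui64_link_local(mac: str) -> str:
    """Form the IPv6 link-local address a host derives from a 48-bit MAC
    (RFC 4291, appendix A): flip the universal/local bit (0x02) of the first
    octet and insert ff:fe between the two 24-bit halves."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def link_local_addresses(ifconfig_output: str) -> dict:
    """Parse `ifconfig` output into {interface: [fe80::/10 addresses]},
    dropping the %scope suffix macOS prints after each address."""
    result = {}
    current = None
    for line in ifconfig_output.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            current = head.group(1)
            result.setdefault(current, [])
            continue
        addr = re.match(r"^\s+inet6\s+(fe80:[0-9a-fA-F:]+)(?:%\w+)?\s", line)
        if addr and current:
            # Normalise through ipaddress so "fe80::01" and "fe80::1" compare equal.
            result[current].append(str(ipaddress.IPv6Address(addr.group(1))))
    return result


def find_t2_bridge(ifconfig_output: str) -> Optional[str]:
    """Return the interface that holds the macOS-side T2 address, or None
    if this machine does not expose one (no T2, or a different address)."""
    for iface, addrs in link_local_addresses(ifconfig_output).items():
        if MACOS_SIDE in addrs:
            return iface
    return None


# Constructed ifconfig excerpt in macOS format (not captured from a real
# machine); the en6 MAC is chosen so its EUI-64 equals MACOS_SIDE.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 8c:85:90:00:00:01
        inet6 fe80::1c0a:1234:5678:9abc%en0 prefixlen 64 secured scopeid 0x6
        inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
        status: active
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether ac:de:48:00:11:22
        inet6 fe80::aede:48ff:fe00:1122%en6 prefixlen 64 scopeid 0xa
        status: active
"""

if __name__ == "__main__":
    import subprocess
    # On a real Mac, feed live output: find_t2_bridge(subprocess.run(["ifconfig"], ...).stdout)
    print("macOS side MAC ac:de:48:00:11:22 ->", eui64_link_local("ac:de:48:00:11:22"))
    print("T2 side MAC    ac:de:48:33:44:55 ->", eui64_link_local("ac:de:48:33:44:55"))
    print("T2 bridge interface in sample:", find_t2_bridge(SAMPLE_IFCONFIG))
```

Running the derivation both ways shows the T2 answers from the EUI-64 of `ac:de:48:33:44:55`, which is what makes its address fixed across machines. Once the bridge interface is known, `ping6 -c 1 fe80::aede:48ff:fe33:4455%en6` (substituting the interface the script finds) confirms the coprocessor is reachable, and `tcpdump -i en6` shows the HTTP/2 traffic the article describes.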
Advanced Mac Substitute
> Advanced Mac Substitute is an API-level reimplementation of classic Mac OS. It runs 68K Mac applications in an emulator without an Apple ROM or system software.
> Unlike traditional emulators, Advanced Mac Substitute doesn’t emulate the hardware on which an operating system runs (except for the 680x0 processor), but actually replaces the OS — so it launches directly into an application, without a startup phase.
The design flaw behind MacBook Pro’s “stage light” effect
> Apple opted for thin, fragile flex cables as opposed to the beefier wire cables used in previous designs that could be routed through the hinge instead of wrapped around it, helping mitigate the stress of repeated openings and closings. But the bigger problem is that, in an apparent effort to make the display as thin as possible, Apple designed the cables as part of the display, so they cannot be replaced. This means that when (not if) those cables start to fail, the entire display unit needs to be replaced, as opposed to one or two little cables—effectively turning a $6 problem into a $600 disaster.
Secure Boot in the Era of the T2
> Today, we are continuing our series on Apple’s new T2 platform and examining the role it plays in Apple’s vision of Secure Boot. The T2 was first introduced with the release of the iMac Pro and has now found its way into every new 2018 MacBook Pro. This article covers the security properties and technical implementation details of what makes this platform unique.
An introduction to exploiting userspace race conditions on iOS
> Let’s walk through the discovery and exploitation of CVE-2018-4331, a race condition in the com.apple.GSSCred XPC service that could be used to execute arbitrary code inside the GSSCred process, which runs as root on macOS and iOS. The exploit, gsscred-race, targets iOS 11.2, although versions up through iOS 11.4.1 are vulnerable. This post will show how I discovered the bug, how I analyzed its exploitability, and how I developed a JOP program that allowed me to take control of the process.
Although in practice it's maybe more interesting on macOS?
> On macOS, GSSCred runs outside of any sandbox, meaning once we get the task port we have unsandboxed arbitrary code execution as root.
Getting the iPad to Pro
> I have a near endless bag of these nits to share. For the last year I’ve kept a text file of all the walls I’ve run into using an iPad Pro as a pro machine. Is this all too pedantic? Maybe. But it’s also kind of fun. When’s the last time we’ve been able to watch a company really figure out a new OS in public?
Apple T2 Security Chip - Security Overview
Where the crypto happens.
Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251
> Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users.
> This mode allows configuring critical platform settings stored in one-time-programmable memory (FUSEs). These settings include those for BootGuard (the mode, policy, and hash for the digital signing key for the ACM and UEFI modules). Some of them are referred to as FPFs (Field Programmable Fuses).
> We analyzed several platforms from a number of manufacturers, including Lenovo and Apple MacBook Pro laptops. The Yoga and ThinkPad computers we examined did NOT have any issues related to Manufacturing Mode. But we found that Apple laptops on Intel chipsets are running in Manufacturing Mode. After this information was reported to Apple, the vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
Remote Mac Exploitation Via Custom URL Schemes
> Which also means custom URL scheme handlers:
> ■ are registered automatically by macOS as soon as application (that “advertises” support for such handlers) hits the file-system
> ■ will trigger the execution of the (automatically registered) handler application, when the custom url scheme is invoked
Kind of obvious in hindsight: making things too easy leads to runaway behaviour.
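The "advertising" the quote refers to is the `CFBundleURLTypes` key in an app bundle's `Info.plist`; LaunchServices reads it and registers the handler as soon as the bundle lands on disk. The inventory script below is an added example (not from the linked post) that reads that key from every `.app` under a directory and reports which schemes are claimed, flagging schemes claimed by more than one app, since only one of them will actually receive the URL. The embedded `Info.plist` is constructed for the example; the bundle identifier and scheme names in it are made up.

```python
import plistlib
from pathlib import Path

# Constructed sample Info.plist (not from any real application) showing the
# CFBundleURLTypes structure an app uses to claim custom URL schemes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sampleapp</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key>
            <string>com.example.sampleapp.scheme</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>sampleapp</string>
                <string>SampleApp-Debug</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""


def schemes_in_info_plist(data: bytes) -> list:
    """Return the URL schemes an Info.plist claims, lower-cased (schemes are
    case-insensitive) and de-duplicated, in declaration order."""
    info = plistlib.loads(data)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            normalised = scheme.lower()
            if normalised not in schemes:
                schemes.append(normalised)
    return schemes


def scan_applications(root: Path) -> dict:
    """Map each claimed scheme to the .app bundles under `root` that claim it.
    A malformed Info.plist is skipped rather than aborting the whole scan."""
    claims = {}
    for plist_path in sorted(root.glob("*.app/Contents/Info.plist")):
        try:
            schemes = schemes_in_info_plist(plist_path.read_bytes())
        except Exception:
            continue
        for scheme in schemes:
            claims.setdefault(scheme, []).append(str(plist_path.parent.parent))
    return claims


def contested_schemes(claims: dict) -> list:
    """Schemes claimed by more than one bundle: LaunchServices will pick one
    handler, and it may not be the one the user expects."""
    return sorted(s for s, apps in claims.items() if len(apps) > 1)


if __name__ == "__main__":
    print("schemes in sample plist:", schemes_in_info_plist(SAMPLE_INFO_PLIST))
    found = scan_applications(Path("/Applications"))
    for scheme, apps in sorted(found.items()):
        print(f"{scheme}: {', '.join(apps)}")
    print("contested:", contested_schemes(found))
```

This reads the bundles' own declarations; the registry LaunchServices actually consults can be dumped with `/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump`, which is the place to look when a scheme resolves to an app the inventory did not predict, for example a bundle that was merely downloaded and never launched.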
Apple’s Trillion-Dollar Fairy Tale, Warts and All
> Having had a front-row seat for what is surely the most ridiculous comeback in business history — I began covering the company when it couldn’t find a buyer willing to spend even $10 billion — I’d add two more key reasons for its success.