Structure and Interpretation of Computer Programmers

I make it easier and faster for you to write high-quality software.

Sunday, April 19, 2009

On default keychain settings

After my presentation at NSConference there was a discussion of default settings for the login keychain. I mentioned that I had previously recommended some keychain configuration changes including using a different password than your login password. Default behaviour is that any application can add a secure item to the keychain, and the app that did the adding is allowed to read and modify the entry without any user interaction. As Mike Lee added, all other apps will trigger a user dialogue when they try to do so – the user doesn’t then need to authenticate but does have to approve the action.

That almost – but not quite – solves the issue of a trojan horse attempting to access the secure password. Sure, a trojan application can’t get at it without asking the user. What about other trojan code? How about a malicious SIMBL hijack or a bundle loaded with mach_override? It should be possible to mitigate those circumstances by using custom code signing requirements, but that’s not exactly well documented, and it’s not really good usability for an app to just die on its arse because the developer doesn’t like the other software their user has.

There’s a similar, related situation – what if the app has a flawed design allowing it to retrieve a keychain item when it doesn’t need it? Sounds like something which could be hard to demonstrate and harder to use, until we remember that some applications have “the internet” as their set of input data. Using a web browser as an example, but remembering that I have no reason to believe whether Safari, Camino or any other browser is designed in such a way, imagine that the user has stored an internet password. Now all that the configuration settings on the user’s Mac can achieve is to stop other applications from accessing the item. If that browser is itself subject to a “cross-site credentials request” flaw, where an attacking site can trick the browser into believing that a login form (or perhaps an HTTP 401 response, though that would be harder) comes from a victim site, then that attacker will be able to retrieve the victim password from the keychain without setting off any alarms with the user.

If the user had, rather than accepting the default keychain settings, chosen to require a password to unlock the keychain, then the user would at least have the chance to inspect the state of the browser at the time the request is made. OK, it would be better to do the right thing without involving the user, but it is at least a better set of circumstances than the default.

posted by Graham Lee at 17:00  

Friday, August 24, 2007

Random collection of amazing stuff

The most cool thing that I noticed today ever is that Google Maps now allows you to add custom waypoints by dragging-and-dropping the route line onto a given road. This is great! I’m going to a charity biker raffle thing in Pensford next weekend, and Google’s usual recommendation is that I stay on the M4 to Bristol, and drive through Bristol towards Shepton Mallet. This is, frankly, ludicrous. It’s much more sensible to go through Bath and attack the A37 from the South, and now I can let Google know that.

Trusted JDS is ├╝ber-cool. Not so much the actual functionality, which is somewhere between being pointy-haired enterprisey nonsense and NSA-derived "we require this feature, we can’t tell you why, or what it is, or how it should work, but implement it because I’m authorised to shoot you and move in with your wife" fun. But implementing Mandatory Access Control in a GUI, and having it work, and make sense, is one hell of an achievement. Seven hells, in the case of Trusted Openlook, of which none are achievement. My favourite part of TJDS is that the access controls are checked by pasteboard actions, so trying to paste Top Secret text into an Unrestricted e-mail becomes a no-no.

There does exist Mac MAC (sorry, I’ve also written "do DO" this week) support, in the form of SEDarwin, but (as with SELinux) most of the time spent in designing policies for SEDarwin actually boils down to opening up enough permissions to stop from breaking stuff – and that stuff mainly breaks because the applications (or even the libraries on which those applications are based) don’t expect to not be allowed to, for instance, talk to the pasteboard server. In fact, I’m going to save this post as a draft, then kill pbs and see what happens.

Hmmm… that isn’t what I expected. I can actually still copy and paste text (probably uses a different pasteboard mechanism). pbs is a zombie, though. Killed an app by trying to copy an image out of it, too, and both of these symptoms would seem to fit with my assumption above; Cocoa just doesn’t know what to do if the pasteboard server isn’t available. If you started restricting access to it (and probably the DO name servers and distributed notification centres too) then you’d be in a right mess.

posted by Graham Lee at 22:57  

Powered by WordPress