nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Objective-C can fly the COOP, says subversive at Microsoft Research

Redmond offers hardening ideas to Cupertino

By Richard Chirgwin, 24 Jun 2016

Objective-C programmers should use message authentication codes to protect sensitive objects and data structures, according to research presented to this week's Usenix Annual Technical Conference (ATC).

A Microsoft Research staffer, and software researchers from UC Irving in America and folks in Germany focused on a technique called counterfeit object-oriented programming (COOP), which has already been demonstrated as a way to attack C++ programs but not Objective-C.

As they explain in this paper, their discovery opens the door to “COOP-style exploits” in programs running on both OS X and iOS.

Their “Subversive-C” exploits work by “carefully arranging the metadata used to dispatch messages in the Objective-C runtime”, they write, and aren't caught by existing randomisation-based defences.

The paper uses Apple's AppKit library from Cocoa, because it's popular as the basis for UIs in applications like iTunes, Safari, Pages, Keynote and more.

The proof-of-concept demonstrates that Subversive-C exploits don't need many bugs in a AppKit program to take over the target:

  • A memory corruption bug is needed, so attacker can inject data in the target process, and overwrite an Objective-C instance in execution;
  • An information leak is needed to bypass address space layout randomisation (ASLR); and
  • The target process has to load the AppKit library.

Their suggested mitigation is that message authentication codes (MACs) can be added to sensitive fields and data structures. This would mean attackers couldn't alter Objective-C data structures unless they also know how to update the MAC with the right values – and that would require access to the MACs' key store.

Even in the overweight iTunes, the researchers say, providing this kind of protection only imposes a startup overhead of half a second.

A good background on the COOP class of attacks is here. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing