Tuesday, July 26, 2011

Viruses, iOS, and Apple

About twenty years ago I used to do a presentation, based upon an early paper, in which I identified four conditions necessary and sufficient for the successful spread of a computer virus.
- A population of similar systems, capable of executing and replicating the virus;
- Sharing of vectors to carry the virus across the population;
- A way for the virus to replicate, i.e., to get itself executed; and
- Storage to hold the copy.
By restricting any one of these things, we could resist the spread of a virus. Of course, these things are all otherwise desirable. There is resistance to restricting them.

In the early nineties I attended a meeting at IBM Research. Fred Cohen, the godfather of all viruses, gave a presentation in which he observed that, in a world of application-only computers, we might still enjoy most, but not all, of the advantages of the modern computer.

I thought about this for a while. This was a way of looking at the third condition, the ability of the virus to get itself executed. The Windows operating system had a dozen ways for a program to be executed automatically. Even if we restricted all of these, the virus might still get itself executed by duping the user into "clicking on it."

We have had application-only computers for a long time. My favorite example is the ATM, the automated teller machine. I also like the arcade machines like Pac-Man.

One thing that distinguishes the application-only machine from the general purpose computer is programmability. The virus exploits the ability of the user to execute an arbitrary program of his own choice or even writing. After listening to Fred, I concluded that even if we could stamp out programming, it is so valuable that some SOB would just re-invent it.

Then, along came Apple with the iPhone and what we now know as iOS. At first Apple said "no user programs." Of course, they did not say that explicitly; they just did not provide any capability for creating one, importing it, or executing it. It did not offer an application programming interface (API) or a software development kit (SDK). Voila, an application-only, virus-resistant computer.

Only a few geeks understood. Apple was offering a closed system while the geeks preferred, not to say demanded, open. Most of us did not realize that we were buying a "crippled" computer; we thought that we were buying a "smart" phone.

Gradually Apple has rehabilitated iOS. They have provided an API and SDK, both carefully crafted to maintain security. Applications run in an isolated compartment that Apple calls a "sandbox." Each application looks like an application machine to the user and hides the operating system, file system, and network from the user.

However, all four of the necessary conditions for the success of a virus are still restricted in some way or another. iPhones and iPads can be viewed as application-only computers.

Just as Fred Cohen promised, the tens of millions of users of iOS enjoy most, but not all, of the advantages of the general purpose computer. On the other hand, just as Fred predicted, they are pretty much virus free.

On the other hand, I was right too. The geeks are still trying to liberate, to "jailbreak," iOS, to restore to it all of the generality, flexibility, and capability, that Apple has "arbitrarily" denied to them, along with the inherent vulnerability from which Apple has protected them.

On July 15 Apple released an update to iOS, Version 4.3.4, to close a vulnerability exploited by the jail-breakers, one that could have been exploited by others. German authorities assert that this vulnerability had, in some form or another, existed for four years. Less than 12 hours later, a new jail-break was available. On July 5, 2011 Apple released Version 4.3.5 with a fix for that and 3 other vulnerabilities in other parsers.

So far, Apple has patched the PDF parser half a dozen times. Each time the geeks have found another vulnerability. We call this strategy, late vulnerability detection and patching, the Microsoft strategy. It is likely to be about as successful for Apple as it has been for Microsoft.

All that is necessary to use this vulnerability to jail-break is to click on a crafted PDF on a web page. How can it be that easy? It exploits an implementation-induced vulnerability, an unchecked input in the PDF parser within the Safari browser. While the jail-break PDF is overt, chosen by the user, and only Apple considers it malicious, the same vulnerability could be used to make more covert and malicious changes to an iOS device.

As we have noted here before, checking inputs is difficult. It is particularly difficult for a browser, where most inputs are legal and illegal ones difficult to enumerate. Therefore including a browser, Safari, in the operating system is inherently dangerous. Trying to parse PDFs in the OS is insane.

We have talked here before about how difficult it is to check inputs in modern systems. That is why we recommend the use of the OWASP Enterprise Security API Library for web servers. No such library exists for browsers or PDF parsers. Parsing PDF input appears to be so difficult that even Adobe must issue frequent, not to say weekly, patches.
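To make the "unchecked input" point concrete, here is an added example (not code from the post, Apple, or Safari). It parses a constructed, hypothetical record format, a stream of 4-byte big-endian length fields each followed by that many payload bytes, and it is not any real PDF structure. The security content is in the three checks before a length from the file is ever used as an offset; an unchecked parser is the same loop with those lines deleted, which is how a crafted file gets to read or write outside the buffer. The constructed sample inputs at the bottom exercise each rejection path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record format, constructed for this example:
 * repeated { uint32 big-endian length; uint8 payload[length]; } */
#define MAX_PAYLOAD 4096  /* policy limit, chosen here; a real parser sets its own */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,       /* fewer than 4 bytes left for a length field */
    PARSE_LENGTH_TOO_LARGE,       /* length exceeds the policy limit */
    PARSE_LENGTH_EXCEEDS_INPUT,   /* length runs past the end of the buffer */
    PARSE_TOO_MANY_RECORDS        /* caller's output array is full */
};

struct record {
    const uint8_t *payload;  /* points into the caller's buffer, no copy */
    uint32_t len;
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse records from an untrusted buffer. Every length taken from the
 * input is validated against what actually remains before it is used. */
enum parse_status parse_records(const uint8_t *buf, size_t buf_len,
                                struct record *out, size_t max_records,
                                size_t *n_out)
{
    size_t pos = 0, n = 0;
    while (pos < buf_len) {
        /* Check 1: is there room to read the length field at all? */
        if (buf_len - pos < 4)
            return PARSE_TRUNCATED_HEADER;
        uint32_t len = read_be32(buf + pos);
        pos += 4;
        /* Check 2: reject absurd lengths before doing any arithmetic with them. */
        if (len > MAX_PAYLOAD)
            return PARSE_LENGTH_TOO_LARGE;
        /* Check 3: compare against the remaining bytes by subtraction rather
         * than computing pos + len, so the comparison itself cannot overflow. */
        if (len > buf_len - pos)
            return PARSE_LENGTH_EXCEEDS_INPUT;
        if (n == max_records)
            return PARSE_TOO_MANY_RECORDS;
        out[n].payload = buf + pos;
        out[n].len = len;
        n++;
        pos += len;
    }
    *n_out = n;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[]         = { 0,0,0,3, 'a','b','c', 0,0,0,1, 'z' };
static const uint8_t BAD_OVERLONG[] = { 0,0,0,9, 'a','b','c' };        /* claims 9, has 3 */
static const uint8_t BAD_TRUNC[]    = { 0,0,0,3, 'a','b','c', 0,0 };   /* header cut short */
static const uint8_t BAD_HUGE[]     = { 0xFF,0xFF,0xFF,0xFF };         /* claims 4 GiB */

/* Run the parser on a sample and return only the status, for quick checks. */
int status_of(const uint8_t *buf, size_t len)
{
    struct record recs[8];
    size_t n = 0;
    return (int)parse_records(buf, len, recs, 8, &n);
}

/* Number of records found in GOOD, or -1 if parsing fails. */
int good_record_count(void)
{
    struct record recs[8];
    size_t n = 0;
    if (parse_records(GOOD, sizeof GOOD, recs, 8, &n) != PARSE_OK)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("GOOD:         status %d, %d records\n", status_of(GOOD, sizeof GOOD), good_record_count());
    printf("BAD_OVERLONG: status %d\n", status_of(BAD_OVERLONG, sizeof BAD_OVERLONG));
    printf("BAD_TRUNC:    status %d\n", status_of(BAD_TRUNC, sizeof BAD_TRUNC));
    printf("BAD_HUGE:     status %d\n", status_of(BAD_HUGE, sizeof BAD_HUGE));
    return 0;
}
```

The design choice worth noting is that the parser never copies payloads and never trusts a length until it has been bounded twice, once by policy and once by the bytes that remain. The policy limit is the part a library like ESAPI makes routine for web input and that, as the post observes, nobody has packaged for browser-side document parsers.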

Eventually Apple is going to have to resort to a more fundamental strategy, like removing Safari from the OS. In the meantime, there are six alternative browsers for iOS. Unlike Safari, they all run as applications. Using one of these, running in its sandbox, a user could parse a rogue PDF safely.

Users who like the relatively sanitary environment of their iDevices should care about a fundamental fix. Enterprises should care. Android is too open to ever be trusted. RIMM is struggling just to stay in business. On July 24, 2011 they laid off ten percent of their workforce.

The geeks will whine and complain about any fundamental fix. Steve will tell them that if they want an open system to buy a Mac, hell, even buy an Android. iOS is about as open as it is going to get. I am glad that there are more open alternatives to iOS but not nearly so glad as I am that iOS is closed.

So far this vulnerability has been used by geeks to jail-break. While it might have been used in a few narrowly targeted attacks, it has not been exploited by rogue hackers for widespread attacks. It is a vulnerability without a threat, not a risk, not a problem. So far.

Until Apple does something more effective than patch, professionals that rely upon iOS to protect the applications and data of their principals must be on the alert for any emergent threat. While we are not happy about it, that is why we are called professionals and are paid the big bucks.
