Apple may still be in the process of patching XARA, the series of weaknesses that surfaced in its authentication infrastructure last week, but Facebook has stepped up and made it easier for organizations to detect whether their systems are being exploited through the vulnerabilities.
Engineers with the social network announced Monday morning that they had layered some XARA detection capabilities on top of their osquery framework, a monitoring tool Facebook rolled out via GitHub last October.
— Mike Arpaia (@mikearpaia) June 22, 2015
Last week Luyi Xing and five other scholars from Indiana University published a paper (.PDF) on a smattering of unauthorized cross-app resource access, or XARA, vulnerabilities. If leveraged, the vulnerabilities could help attackers pilfer passwords and other sensitive information, like iCloud tokens, from apps on OS X machines.
Victims would have to download a malicious app, one that has been vetted by Apple’s App Store, onto their computer in order for someone to be able to carry out the attacks. The app is currently unavailable, but Xing and company plan on releasing it to the public later this year.
To combat XARA, Facebook developers unveiled three different tables they’ve added to osquery to help users determine if something has gone awry with any of their OS X applications. The tables can help thwart three types of XARA vulnerabilities: password theft, container cracking, and scheme hijacking.
The first table, “keychain_acls,” addresses password theft: it uses APIs to keep track of any changes made to the ACLs applied to keychain items. Osqueryd emits logs that chronicle changes in which applications are authorized to access items in Keychain. For each app, the table maps out:
- The item’s label
- The path of the application which is authorized to access the item in question
- The authorizations that the application has for the given item
- The full path of the Keychain that the item exists in
“With this data, you can observe new, potentially nefarious applications add themselves to ACLs,” Mike Arpaia, a Software Engineer with Facebook’s security team, wrote of the capability.
The second table, “sandboxes,” gives users the option to query a cache of data regarding any sandboxes on an OS X system, including their:
- BID (bundle identifier)
- The path of the application which registered the BID
- The username of the user that owns the sandbox, and more
With XARA, an attacker could copy a sandbox’s BID and steal information from the app associated with it. With “sandboxes,” osquery can keep track of any suspicious changes within the system, including how sandboxed applications on a host are registered. This can also help tip a user off if anyone has attempted to register a faux BID on their system.
Lastly, “app_schemes” helps uncover any registered schemes on an OS X machine. This table took what Facebook calls a “significant amount of reverse engineering” on their part.
“By scheduling a query against the schemes table, osqueryd will emit logs that illustrate how the state of the schemes table changes over time. With this data, you can observe anomalies in the scheme registry across your enterprise,” Arpaia wrote.
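As an added illustration (not Facebook's or osquery's own code), the sketch below reads osqueryd differential result-log lines for scheduled queries against the three tables and flags any row added after the first snapshot that gives an already-claimed keychain item, BID or scheme a new claimant. The query names, the column names and the sample log lines are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Query names are hypothetical; column names are assumed, not from the page.
WATCHED = {  # scheduled query -> (resource column, claimant column)
    "xara_keychain_acls": ("label", "path"),
    "xara_sandboxes": ("label", "bundle_path"),
    "xara_app_schemes": ("scheme", "handler"),
}

def find_new_claimants(log_lines):
    """Alert when a known resource gains a claimant after the first snapshot."""
    state = defaultdict(set)  # (host, query, resource) -> claimants seen
    baseline = {}             # (host, query) -> unixTime of first result batch
    alerts = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        cols = WATCHED.get(ev.get("name"))
        row = ev.get("columns") or {}
        if cols is None or cols[0] not in row or cols[1] not in row:
            continue
        host, query = ev.get("hostIdentifier"), ev["name"]
        key, claimant = (host, query, row[cols[0]]), row[cols[1]]
        first = baseline.setdefault((host, query), ev.get("unixTime"))
        if ev.get("action") == "removed":
            state[key].discard(claimant)
        elif ev.get("action") == "added":
            known = state[key]
            if ev.get("unixTime") != first and known and claimant not in known:
                alerts.append({"host": host, "query": query, "resource": key[2],
                               "new": claimant, "existing": sorted(known)})
            known.add(claimant)
    return alerts

def _ev(name, t, **cols):  # builds one constructed differential log line
    return json.dumps({"name": name, "hostIdentifier": "mac-01",
                       "unixTime": t, "action": "added", "columns": cols})
SAMPLE_LOG = [  # constructed sample, not real osqueryd output
    _ev("xara_app_schemes", 1000, scheme="exampleapp", handler="/Applications/Example.app"),
    _ev("xara_keychain_acls", 1000, label="Example Login", path="/Applications/Example.app"),
    _ev("xara_keychain_acls", 1000, label="Example Login", path="/Applications/Helper.app"),
    "osqueryd: truncated line",
    _ev("xara_app_schemes", 2000, scheme="exampleapp", handler="/Applications/Lookalike.app"),
    _ev("xara_keychain_acls", 2000, label="Example Login", path="/Applications/Lookalike.app"),
]
print(find_new_claimants(SAMPLE_LOG))
```

Rows from the first result batch are treated as the baseline, so applications already on an ACL when monitoring starts do not raise alerts.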
Apple is in the process of patching XARA, although there is no set timeline for the fix.
For what it’s worth, the company did issue a server-side stopgap to secure data and block apps with fishy configuration issues until they fully deploy a fix.
“Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store,” an Apple spokesperson said last week. “We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”
Osquery was released last year to help developers write SQL-based queries and better explore operating systems. Arpaia, a member of its development team, points out the Apple vulnerability detection capabilities can be extended to Linux and BSD.