A nice drop of Cocoa

Title: Professional Cocoa Application Security

Author: Graham J. Lee

Publisher: Wrox (Wiley)

ISBN: 978-0-470-52595-1

Price: £33.99

Graham Lee is well known for his work on Mac and iGadgets (http://fuzzyaliens.com), his writing on security for the Mac Developer Network, and his blog at http://blog.securemacprogramming.com/. Recently, his book on application security was published by Wrox (a Wiley imprint) as part of a series of professional guides intended for programmers, developers and IT professionals.

The book isn’t focused on malware: in fact, Lee hardly mentions malware at all except (briefly) in the introduction, and the only specific instance that he mentions is the formerly widespread, decidedly malicious, but reassuringly pre-OS X Autostart worm. Conceding that malware is much less of an issue on the OS X and iOS platforms (something of an understatement), he does not dismiss the importance of social engineering as a means of getting malcode installed onto a system, but that isn’t a theme he develops in the rest of this book.

Rather, he stresses the developer’s ability to enhance the customer’s security by making use of Apple’s security tweaks in its implementation of Unix. His focus is on building security into the application right from the beginning of the development process (and not many of us are likely to argue with that).

As well as being one of the comforting night-time beverages of choice for my generation, Cocoa is an object-oriented API for Mac OS X intended to automate the inclusion of functionality compliant with Apple’s human interface guidelines. As a result, the book is copiously dusted with examples of code in Objective-C, the weapon of choice for Cocoa development. (Example code is also available via the Wrox code download page, for those whose typing is apt to falter at compound terms like ‘SCNetworkReachabilityCreateWithName’ and barely-human-readable syntax.)

This is not a beginner’s book – at any rate, it’s not one for novice developers. While Lee doesn’t assume that the reader is conversant with the basics of security or the development of secure applications, he does assume enough familiarity with C, Objective-C and the Apple APIs for the example code to make sense.

Chapter one, ‘Secure by Design’, is (apart from a brief and abstract summary of the security implications of Cocoa) a platform-agnostic discussion of the principles of application security. It’s a clear abstract description that could be useful to any newcomer to secure application development working on any OS. It covers the basics of risk profiling, security ergonomics and user psychology, asset audit, and threat classification and assessment applying the DREAD model (Damage, Reproducibility, Ease of attack, Affected users, Discoverability) and STRIDE threat classification (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege).

Chapter two, ‘Managing Multiple Users’, is pretty OS X-specific, since the Unix multi-user paradigm is effectively unused by the iPhone SDK. It does a good job of illustrating the similarities and differences between OS X and other Unix implementations, explaining the workings of Directory Services and the use of Kerberos for authentication.

Chapter three, ‘Using the Filesystem Securely’, is no substitute for Apple’s own, extensive historical documentation on the inner workings of the file system – but that isn’t what a Cocoa developer needs. Instead, it summarizes the format and use of the Unix permission bits, setuid and setgid, HFS+ extensions, and Access Control Lists and the ACL API. It includes a high-level introduction to FileVault and other encryption options on OS X and on the iPhone, ranging from a high-level description of symmetric and asymmetric encryption to code illustrating a staged approach to building an encrypted file. After a brief description of network filesystems, there is a discussion of domains within the OS X filesystem, going on to security-specific issues such as the quarantine feature in Launch Services and secure deletion.

Chapter 4, ‘Handling Multiple Processes’, explains the need to design and implement multi-process systems in such a way as to reduce the risk of vulnerabilities being introduced during the development process – starting from the obvious area of privilege separation and touching on a related issue with the ‘all or nothing’ nature of the launchd daemon and the use of the setuid and setgid bits. The section on communication between processes reviews Mach ports and the Distributed Objects IPC interface, and ‘Playing in the Sandbox’ looks at the public API to sandboxing in OS X. Again, iPhone sandboxing is not considered because access controls on iGadgets are mandatory, so there is no API for changing policy. The final section of this chapter looks at code signing services.

Chapter 5 looks at ‘Storing Confidential Data in the Keychain’, explaining what the keychain is and how to use it on both the Mac and the iPhone, explaining the differing functionality between the two platforms (iPhone keychain functionality is more limited) and the various uses for the facility (general passwords, Internet passwords, certificate management).

Chapter 6 returns to the subject of privilege, discussing the way in which an authorized application gains the right to perform a privileged task, and reducing the potential damage from a compromised application by dividing different privileges between separate processes. A description of the Authorization Database precedes a warning about the possible misuse of helper tasks as root, a summary of the padlock view, and finishes with a discussion of authorization plug-ins.

Chapter 7, ‘Auditing Important Operations’, goes beyond damage limitation to using auditing as a positive tool for reiteration of the threat-modelling process and for forensic use. It describes OS X facilities for audit using Authorization Services, firewall, sudo and user account logs, and change tracking. The author summarizes the advantages of using ASL (Apple System Logger) as the basis for an audit system. Finally, he briefly refers to NCSC’s rainbow series of books and the more recent Common Criteria, though if conformity was important to a developer, he or she would need much more information than is available here before even considering how to implement a CC-conformant application.

Chapter 8 discusses ‘Securing Network Connections’ – an important topic in an era of remote applications and data. The first section looks at remote authentication using HTTP, and other authentication methods such as Kerberos, OpenID and OAuth. Several pages (including code samples) are devoted to service discovery and Bonjour, using NSNetService and NSNetServiceBrowser, with a high-level summary of the application of device pairing to the iPhone. The application firewall and ipfw packet filtering are described, but the text moves quickly on to network configuration with SystemConfiguration. SSL, however, is addressed at some length with a significant amount of example code.

Chapter 9, ‘Writing Secure Application Code’, focuses on defensive coding in Objective-C and C in general, and could be described as the meat of the book for a Cocoa developer – though some of the issues raised, such as problems with strcpy() and printf(), are far from specific to Objective-C. Nevertheless, this chapter offers a good start on considering the mitigation of insecure functions and such issues as safe buffer handling. The rest of the chapter looks at fairly formal aspects of defensive programming such as code review and code checklists and the use of static analysis tools, unit testing with Xcode, and automated testing with hardening tools: however, only one paragraph is devoted to fuzzing.

Chapter 10 is quite general, covering the secure deployment of software. This includes the provision of security documentation within the application and within the manual, the use of code signing to identify the provider, distribution and installation issues, the handling of bug reports, and software updating. Chapter 11 covers kernel extensions in just a few pages, and chapter 12 briefly summarizes the threat model that underpins the book and offers some suggestions for further reading.

A former manager of mine once cited the CIA tripod model of security (Confidentiality, Integrity, Availability) and said (understandably) that as far as he was concerned, availability trumped the other two. This seems to be a cornerstone of Lee’s view of security too: while his quintessential summary of application security is ‘Know your app and its users’, his emphasis on making apps ‘appropriately secure’ is supplemented by his awareness – made explicit at several points in the text – that the most secure program in the world is useless if it’s unusable, and that it doesn’t matter how secure data is in other respects, if it can’t be accessed by the people who are authorized to make use of it.

Though it’s by no means a complete reference, this book is a good, clear read, combining general principles of application security and defensive programming with enough Cocoa-specific information and sample code to provide an OS X developer with a basis for enhancing the security of his applications. An iPhone developer would, I think, need to do rather more in the way of additional research. On the other hand, any application developer with an interest in defensive programming could do worse than take a look through this as primer material. It’s easy (and rather common) to overstate the impact of attacks that exploit vulnerabilities in software rather than the naïveté of users. However, readers of this book can make a significant difference to the welfare of the Apple-using community if it inspires them to think more proactively about reducing risks to their customers by reducing the likelihood of inherent weaknesses in their applications that lead to common exploit types.