Archive for October, 2016

Apple confuses deputy

The MacOS API has something called an NSURLSession object, which relies on a background process (daemon) called ‘nsurlsessiond’ (if I understand correctly). If an application wants to fetch a web page, it uses an NSURLSession object, which pokes the daemon, which pokes the site, which returns the bits to the daemon, which returns the bits to the application.

Because I’m curious and a bit paranoid, I use a program called Little Snitch, which monitors all network requests made by applications. Little Snitch implements a conventional access control system: you can grant or deny any application access to network hosts, ports, etc. If you don’t want, say, gamed making any outward network connection, you can make a Little Snitch rule that prevents that.

So what if a program uses nsurlsessiond to make a connection? Little Snitch only knows that nsurlsessiond is asking for network access, so there is no way for it to grant different permissions to the different programs that are _using_ nsurlsessiond. I can’t ask Little Snitch to let, say, icloud make connections, but not to let gamed make connections, because Little Snitch only ever sees nsurlsessiond, not gamed or icloud. So I have to allow neither or both.

This is a classic confused deputy scenario. I have to let nsurlsessiond connections through, or I can’t get work done. But when I do so, some evil principals will gain access I didn’t want them to get.

I never noticed nsurlsessiond before a recent upgrade. It’s not a bad programming pattern; a reusable piece of code is packaged up for general use. In fact, deputies (abstractions, services) of this kind are generally considered good practice. The evil comes when use of a deputy ‘launders’ access so that information needed for permission-granting is lost. This particular deputy has a daemon, I guess so that requests from many programs can be coordinated, with the side effect that requests are ‘laundered’.
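The laundering described above, as an added toy model (not Little Snitch’s or Apple’s code): per-process rules work for direct connections, but once nsurlsessiond makes the connection on an app’s behalf the firewall can only decide on the daemon’s name. The `AttributingFirewall` variant shows what the decision looks like if the deputy carried the originating app through to the policy check; the process names and rule table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Request:
    principal: str                   # process the firewall sees making the connection
    host: str
    originator: Optional[str] = None  # app a deputy is acting for, if that is preserved


class Firewall:
    """Conventional per-process allow/deny rules (a Little Snitch-style policy)."""

    def __init__(self, rules: Dict[str, bool]):
        self.rules = rules

    def allows(self, req: Request) -> bool:
        # Decides purely on the principal it can observe; default deny.
        return self.rules.get(req.principal, False)


class AttributingFirewall(Firewall):
    """Same rules, but decides on the originator when the deputy reports it."""

    def allows(self, req: Request) -> bool:
        subject = req.originator if req.originator is not None else req.principal
        return self.rules.get(subject, False)


def connect_directly(fw: Firewall, app: str, host: str) -> bool:
    # The app opens the socket itself, so the firewall attributes it correctly.
    return fw.allows(Request(principal=app, host=host))


def connect_via_daemon(fw: Firewall, app: str, host: str) -> bool:
    # The app asks nsurlsessiond to fetch; the firewall observes only the daemon.
    return fw.allows(Request(principal="nsurlsessiond", host=host, originator=app))


# Constructed rule table: icloud may talk out, gamed may not, and the daemon
# must be allowed or nothing that uses it works ("allow neither or both").
RULES = {"icloud": True, "gamed": False, "nsurlsessiond": True}

if __name__ == "__main__":
    fw = Firewall(RULES)
    print("gamed direct:", connect_directly(fw, "gamed", "example.com"))      # False
    print("gamed via daemon:", connect_via_daemon(fw, "gamed", "example.com"))  # True: laundered
    afw = AttributingFirewall(RULES)
    print("gamed via attributing daemon:", connect_via_daemon(afw, "gamed", "example.com"))  # False
```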

It may sound like I’m suggesting that the whole authority chain should be preserved through to the point where an access decision is made, so that Little Snitch can see it, but in general that doesn’t work either. There are ways to do this right (capability architecture), but they usually require an overhaul of the code, and a rewrite of the operating system…
