Authenticating XPC peers
In the past few days I’ve been catching up with security in the context of XPC services. Here are my findings, current as of macOS 10.15.5.
Embedded XPC Services
These are services that live inside your app’s bundle, so no extra work is needed:
an XPC service is private, and is available only to the main application that contains it.
Privileged Helper Tools using XPC
When an XPC service needs to perform privileged tasks, such as updating or installing applications on the user’s behalf, it should be elevated via SMJobBless.
The service will be run as root
and will be available for any other process in the system.
Thus, to authorize privileged operations, it must authenticate its peers first. The common practice is to ensure that:
- Peer is code-signed by Apple
- Peer is code-signed by You
- Peer’s bundle is one of the expected
- Peer does not have entitlements that allow code injection
1. Peer is code-signed by Apple
If, God forbid, your signing key gets stolen, you can revoke it with Apple and prevent any future apps from being signed by both you and Apple (via Mac App Store submission or notarization), making it impossible for an attacker to publish a modified app in your name.
2. Peer is code-signed by You
Naturally, you don’t want just any app to perform privileged tasks through your service.
3. Peer’s bundle is one of the expected
If you have multiple apps signed using the same key you may want to limit which of them have access to your privileged service.
4. Peer does not have entitlements that allow code injection
That’s an important one. It is possible to sign your app in such a way that it allows loading of third-party libraries or leaves it open to Mach task injection, making it possible for an attacker to communicate with the privileged service under the guise of your app.
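The four checks above, implemented in the helper’s NSXPCListener delegate. This is an added example, not code from the post or from the referenced projects: the team ID, bundle identifier and the "auditToken" KVC key are assumptions (the key is a private NSXPCConnection property; the public API only gives you a PID, which can be reused by another process between lookup and check). It also verifies that the peer was signed with the hardened runtime, since without it library injection needs no entitlement at all.

```swift
import Foundation
import Security

// Constructed placeholders; substitute your own team identifier and bundle identifiers.
let expectedTeamID = "TEAMID1234"               // assumption: your Apple Developer team ID
let allowedBundleIDs = ["com.example.MyApp"]     // assumption: apps allowed to use the helper

// Entitlements that let foreign code run inside an otherwise correctly signed
// process, which is the "code injection" case of check 4.
let injectionEntitlements = [
    "com.apple.security.get-task-allow",                     // task port available to a debugger
    "com.apple.security.cs.disable-library-validation",      // may load libraries signed by anyone
    "com.apple.security.cs.allow-dyld-environment-variables" // DYLD_INSERT_LIBRARIES is honoured
]

enum PeerError: Error {
    case noAuditToken
    case osStatus(OSStatus)
    case noHardenedRuntime
    case badEntitlement(String)
}

/// Builds the SecCode object for the process on the other end of `connection`
/// from its audit token. Assumption: the private "auditToken" key is present on
/// the macOS version you target.
func peerCode(for connection: NSXPCConnection) throws -> SecCode {
    guard let value = connection.value(forKey: "auditToken") as? NSValue else {
        throw PeerError.noAuditToken
    }
    var token = audit_token_t()
    value.getValue(&token)
    let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)
    let attributes: [String: Any] = [kSecGuestAttributeAudit as String: tokenData]
    var code: SecCode?
    let status = SecCodeCopyGuestWithAttributes(nil, attributes as CFDictionary, SecCSFlags(), &code)
    guard status == errSecSuccess, let result = code else { throw PeerError.osStatus(status) }
    return result
}

/// Checks 1 to 3 expressed as one code-signing requirement: an Apple-anchored
/// Developer ID chain (1), your team ID on the leaf certificate (2), and the
/// expected bundle identifier (3). The OIDs are the ones Xcode puts in a
/// Developer ID designated requirement.
func requirement(bundleID: String) throws -> SecRequirement {
    let text = "anchor apple generic"
        + " and certificate 1[field.1.2.840.113635.100.6.2.6]"      // Developer ID intermediate CA
        + " and certificate leaf[field.1.2.840.113635.100.6.1.13]"  // Developer ID Application leaf
        + " and certificate leaf[subject.OU] = \"\(expectedTeamID)\""
        + " and identifier \"\(bundleID)\""
    var req: SecRequirement?
    let status = SecRequirementCreateWithString(text as CFString, SecCSFlags(), &req)
    guard status == errSecSuccess, let result = req else { throw PeerError.osStatus(status) }
    return result
}

/// Check 4: the peer runs with the hardened runtime and carries none of the
/// entitlements that would let someone else's code run inside it.
func checkEntitlements(_ code: SecCode) throws {
    var staticCode: SecStaticCode?
    var status = SecCodeCopyStaticCode(code, SecCSFlags(), &staticCode)
    guard status == errSecSuccess, let sc = staticCode else { throw PeerError.osStatus(status) }
    var info: CFDictionary?
    let flags = SecCSFlags(rawValue: UInt32(kSecCSSigningInformation | kSecCSRequirementInformation))
    status = SecCodeCopySigningInformation(sc, flags, &info)
    guard status == errSecSuccess, let dict = info as? [String: Any] else { throw PeerError.osStatus(status) }

    let csFlags = dict[kSecCodeInfoFlags as String] as? UInt32 ?? 0
    guard SecCodeSignatureFlags(rawValue: csFlags).contains(.runtime) else {
        throw PeerError.noHardenedRuntime   // no hardened runtime: DYLD injection needs no entitlement
    }
    let entitlements = dict[kSecCodeInfoEntitlementsDict as String] as? [String: Any] ?? [:]
    for key in injectionEntitlements where entitlements[key] as? Bool == true {
        throw PeerError.badEntitlement(key)
    }
}

/// Runs all four checks on every new connection; any failure rejects the peer.
func isTrustedPeer(_ connection: NSXPCConnection) -> Bool {
    do {
        let code = try peerCode(for: connection)
        // Check 3 allows several bundles; the peer must satisfy the requirement for one of them.
        let matchesOne = try allowedBundleIDs.contains { bundleID in
            let req = try requirement(bundleID: bundleID)
            return SecCodeCheckValidity(code, SecCSFlags(), req) == errSecSuccess
        }
        guard matchesOne else { return false }
        try checkEntitlements(code)
        return true
    } catch {
        NSLog("Rejecting XPC peer: \(error)")
        return false
    }
}

/// Listener delegate for the privileged helper: authenticate before exposing any interface.
final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        guard isTrustedPeer(newConnection) else { return false }
        // newConnection.exportedInterface / exportedObject would be configured here (omitted).
        newConnection.resume()
        return true
    }
}
```

The requirement string must match how your app is actually signed; compare it against the output of `codesign -d -r - MyApp.app` before shipping, because a mismatch silently rejects every peer. Run the checks on each connection rather than caching a result per PID, since SecCodeCheckValidity evaluates the peer as it exists at that moment.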
References
- SimpleXPCApp by Wojciech Reguła (code)
- “Abusing & Securing XPC in macOS apps” by Wojciech Reguła (research & guidelines)
- “Secure coding PrivilegedHelperTools” by Csaba Fitzl: 1, 2 and 3 (overview & research)
- “Job(s) Bless Us! Privileged Operations on macOS” by Julia Vashchenko (postmortem)
- The Story Behind CVE-2019-13013 by Little Snitch (postmortem)