iService: Detecting and Evaluating the Impact of Confused Deputy Problem in AppleOS

Abstract

Confused deputy problem is a specific type of privilege escalation. It happens when a program tricks another more privileged one into misusing its authority. On AppleOS, system services are adopted to perform privileged operations when receiving inter-process communication (IPC) request from a user process. The confused deputy vulnerabilities may result if system services overlook the checking of IPC input. Unfortunately, it is tough to identify such vulnerabilities, which requires to understand the closed-source system services and private frameworks of the complex AppleOS by unraveling the dependencies in binaries. To this end, we propose iService, a systematic method to automatically detect and evaluate the impact of confused deputies in AppleOS system services. Instead of looking for insecure IPC clients, it focuses on sensitive operations performed by system services, which might compromise the system if abused, ensuring whether the IPC input is properly checked before the invocation of those operations. Moreover, iService evaluates the impact of each confused deputy based on iService is applied to four versions of MacOS (10.14.3, 10.15.7, 11.4, and 12.4) separately. It successfully discovers 11 confused deputies, five of which are zero-day bugs and all of them have been fixed, with three considered high risk. Furthermore, the five zero-day bugs have been confirmed by Apple and assigned with CVE numbers to date.