What s New in Security

Transcription

1 System Frameworks #WWDC16 What s New in Security Session 706 Lucia Ballard Secure Transports Engineering Manager Simon Cooper Trusted Execution Engineering Manager 2016 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.

2 What s New in Security?

3 What s New in Security? Network Security

4 What s New in Security? Network Security Cryptography APIs

5 What s New in Security? Network Security Cryptography APIs Platform Security on macos

6 What s New in Network Security Lucia Ballard Secure Transports Engineering Manager

7 Secure Communications

8 Secure Communications HTTPS is the new HTTP Confidentiality Data integrity

9 Secure Communications HTTPS is the new HTTP Confidentiality Data integrity Not all HTTPS is created equal

10 App Transport Security Current standards

11 App Transport Security Current standards For NSURLSession and NSURLConnection APIs

12 App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2

13 App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2 Strong crypto AES-128 and SHA-2

14 App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2 Strong crypto AES-128 and SHA-2 Forward secrecy ECDHE

15 App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2 Strong crypto AES-128 and SHA-2 Forward secrecy ECDHE Exceptions global or for particular domains

16 App Transport Security Enforcement

17 App Transport Security Enforcement Enforced at the end of 2016

18 App Transport Security Enforcement Enforced at the end of 2016 Reasonable justification required for most exceptions NSAllowsArbitraryLoads NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion

19 App Transport Security Enforcement Enforced at the end of 2016 Reasonable justification required for most exceptions NSAllowsArbitraryLoads NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion Example Communicating with a specific third-party server

20 App Transport Security Enforcement Enforced at the end of 2016 Reasonable justification required for most exceptions NSAllowsArbitraryLoads NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion Example Communicating with a specific third-party server

21 App Transport Security Enforcement

22 App Transport Security Enforcement New exceptions to make it easier

23 App Transport Security Enforcement New exceptions to make it easier Streaming media using AVFoundation

24 App Transport Security Enforcement New exceptions to make it easier Streaming media using AVFoundation Web content using WKWebView

25 App Transport Security Enforcement New exceptions to make it easier Streaming media using AVFoundation Web content using WKWebView NSAppTransportSecurity : Dictionary { NSAllowsArbitraryLoads : Boolean NSAllowsArbitraryLoadsInWebContent : Boolean }

26 Evolving Standards Deprecation of older algorithms

27 Evolving Standards Deprecation of older algorithms RC4 disabled by default

28 Evolving Standards Deprecation of older algorithms RC4 disabled by default SSLv3 disabled in SecureTransport

29 Evolving Standards Deprecation of older algorithms RC4 disabled by default SSLv3 disabled in SecureTransport Other algorithms showing their age SHA-1 3DES

30 Evolving Standards Deprecation of older algorithms RC4 disabled by default SSLv3 disabled in SecureTransport Other algorithms showing their age SHA-1 3DES Now is the time to upgrade your servers

31 Certificates

32 Certificates Strong TLS is not enough

33 Certificates Strong TLS is not enough Certificate ensures that you re talking to the right server

34 Certificates Today

35 Certificates Today Certificate Authority Server Client

36 Certificates Today Certificate Authority Server Client

37 Certificates Today Certificate Authority Server Client

38 Certificates Today What could go wrong?

39 Certificates Today What could go wrong? Certificate Authority Server Client

40 Certificates Today What could go wrong? Certificate Authority Server Attacker s Server Client

41 Certificates Today What could go wrong? Certificate Authority Server Attacker s Server Client

42 Certificates Today What could go wrong? Certificate Authority Server Attacker s Server Client

43 Certificate Transparency

44 Certificate Transparency Public verifiable logs of issued certificates

45 Certificate Transparency Public verifiable logs of issued certificates Anyone can submit a certificate to a log

46 Certificate Transparency Public verifiable logs of issued certificates Anyone can submit a certificate to a log Client checks for proof that certificate has been logged In the certificate itself In a TLS extension Delivered via OCSP stapling

47 Certificate Transparency How it works

48 Certificate Transparency How it works Certificate Authority Server Client

49 Certificate Transparency How it works Certificate Authority Log Server Client

50 Certificate Transparency How it works Certificate Authority Log Server Client

51 Certificate Transparency How it works Certificate Authority Log Server Client

52 Certificate Transparency How it works Certificate Authority Log Server Client

53 Certificate Transparency How it works Certificate Authority Log Server Client

54 Certificate Transparency Makes attacks more difficult Certificate Authority Server Attacker s Server Client

55 Certificate Transparency Makes attacks more difficult Certificate Authority Server Attacker s Server Client

56 Certificate Transparency Makes attacks more difficult Certificate Authority Certificate rejected by client Server Attacker s Server Client

57 Certificate Transparency Makes attacks more difficult Certificate Authority Log Server Attacker s Server Client

58 Certificate Transparency Makes attacks more difficult Publicly visible Certificate Authority Log Server Attacker s Server Client

59 Certificate Transparency How to try it out

60 Certificate Transparency How to try it out You can require Certificate Transparency through App Transport Security

61 Certificate Transparency How to try it out You can require Certificate Transparency through App Transport Security NSAppTransportSecurity { NSExceptionDomains { example.com : { NSRequiresCertificateTransparency : YES } } }

62 Certificate Transparency How to try it out You can require Certificate Transparency through App Transport Security NSAppTransportSecurity { NSExceptionDomains { example.com : { NSRequiresCertificateTransparency : YES } } } Proofs required from at least two logs More information at certificate-transparency.org

63 Revocation Best practices

64 Revocation Best practices Certificate Transparency does not replace revocation

65 Revocation Best practices Certificate Transparency does not replace revocation Recommended practice OCSP stapling Enhancement to the Online Certificate Status Protocol (OCSP)

66 OCSP Certificate Authority Server Client

67 OCSP Certificate Authority? Server Client

68 OCSP Certificate Authority? Server Client

69 OCSP Stapling Certificate Authority Server Client

70 OCSP Stapling Certificate Authority? Server Client

71 OCSP Stapling Certificate Authority? Server Client

72 OCSP Stapling Certificate Authority? Server Client

73 Benefits of OCSP Stapling

74 Benefits of OCSP Stapling Reliable, quick revocation information

75 Benefits of OCSP Stapling Reliable, quick revocation information Protects your users privacy

76 Benefits of OCSP Stapling Reliable, quick revocation information Protects your users privacy Deliver certificate transparency proofs as well

77 Benefits of OCSP Stapling Reliable, quick revocation information Protects your users privacy Deliver certificate transparency proofs as well Widely supported and backwards-compatible Now fully supported on all Apple platforms

78 Summary Network security

79 Summary Network security Move forward to secure algorithms and ciphers TLS v1.2, forward secrecy, and SHA-2 certificates

80 Summary Network security Move forward to secure algorithms and ciphers TLS v1.2, forward secrecy, and SHA-2 certificates Add your certificates to certificate transparency logs

81 Summary Network security Move forward to secure algorithms and ciphers TLS v1.2, forward secrecy, and SHA-2 certificates Add your certificates to certificate transparency logs Enable OCSP stapling

82 Cryptographic Improvements SecKey and smart cards

83 SecKey Improvements

84 SecKey Improvements API for asymmetric keys Unification of macos and ios APIs Support for common operations

85 SecKey Improvements API for asymmetric keys Unification of macos and ios APIs Support for common operations Replacement for deprecated CDSA calls

86 SecKey Improvements API for asymmetric keys Unification of macos and ios APIs Support for common operations Replacement for deprecated CDSA calls Replacement for asymmetric SecTransforms

87 CryptoTokenKit

88 CryptoTokenKit System support for cryptographic devices Smart cards, USB cryptographic tokens

89 CryptoTokenKit System support for cryptographic devices Smart cards, USB cryptographic tokens Out-of-the-box integration with system services Token content accessible through keychain Token cryptographic operations available using SecKey API

90 CryptoTokenKit System support for cryptographic devices Smart cards, USB cryptographic tokens Out-of-the-box integration with system services Token content accessible through keychain Token cryptographic operations available using SecKey API More information in Security Labs

91 What s New in Platform Security Simon Cooper Trusted Execution Engineering Manager

92 What s New in Security

93 What s New in Security How Software is Delivered

94 What s New in Security How Software is Delivered Developer ID

95 What s New in Security How Software is Delivered Developer ID Gatekeeper

96 What s New in Security How Software is Delivered Developer ID Gatekeeper Software Packaging

97 How Software is Delivered

98 Software Delivery for ios

99 Software Delivery for ios App Store

100 Software Delivery for ios App Store Xcode

101 Software Delivery for ios App Store Xcode Enterprise programs

102 Software Delivery for macos

103 Software Delivery for macos Mac App Store

104 Software Delivery for macos Mac App Store Developer ID

105 Software Delivery for macos Mac App Store Developer ID Xcode

106 Developer ID

107 What is Developer ID?

108 What is Developer ID? Deliver apps outside of the App Store

109 What is Developer ID? Deliver apps outside of the App Store Usually downloaded

110 What is Developer ID? Deliver apps outside of the App Store Usually downloaded Developer ID Signing Identity

111 What is Developer ID? Deliver apps outside of the App Store Usually downloaded Developer ID Signing Identity Developer ID Signed Apps treated specially

112 icloud for Developer ID NEW

113 icloud for Developer ID NEW Developer ID can now use icloud features icloud Drive icloud Keychain Push Notifications VPN

114 icloud for Developer ID

115 icloud for Developer ID Deliver icloud-enabled Apps outside of the App Store

116 icloud for Developer ID Deliver icloud-enabled Apps outside of the App Store Developer ID apps can now share data with icloud ios apps

117 icloud for Developer ID Deliver icloud-enabled Apps outside of the App Store Developer ID apps can now share data with icloud ios apps Deploy back to macos 10.9

118 icloud for Developer ID

119 icloud for Developer ID icloud Development testing today

120 icloud for Developer ID icloud Development testing today icloud Deployment Testing in upcoming seeds Export a Developer ID-signed Application Save a copy of the application signed with your Developer ID. Distribution using GM tools

121 Gatekeeper

122 What is Gatekeeper?

123 What is Gatekeeper? Controls what software is allowed to run on your Mac Mac App Store Mac App Store and identified developers Anywhere

124 What is Gatekeeper? Controls what software is allowed to run on your Mac Mac App Store Mac App Store and identified developers Anywhere Prompts user before first run

125 Changes to Gatekeeper

126 Changes to Gatekeeper Changing the default options Mac App Store Mac App Store and identified Developers Can still open anyway

127 Changes to Gatekeeper

128 Changes to Gatekeeper Repackaging problem Gatekeeper enhancement

129 Repackaging Problem App Correctly Signed App Container: Zip, DMG, ISO Code or Code equivalent External Resources Libraries, plugins, HTML, Lua, Python, etc.

130 Repackaging Problem App Correctly Signed App Code or Code equivalent External Resources Libraries, plugins, HTML, Lua, Python, etc.

131 Repackaging Problem App Code or Code equivalent External Resources Libraries, plugins, HTML, Lua, Python, etc.

132 Repackaging Problem App External Resources

133 Repackaging Problem App External Resources

134 Repackaging Problem App External Resources

135 Repackaging Problem App External Resources

136 Repackaging Problem App Malicious Content

137 Repackaging Problem

138 Repackaging Problem Not affected From the Mac App Store In a signed Apple Installer package

139 Repackaging Problem

140 Repackaging Problem Affected ZIP Disk Images (DMGs) ISO Images Other archive formats

141 Repackaging Problem Affected ZIP Disk Images (DMGs) ISO Images Other archive formats Maybe affected 3rd-party installers

142 Repackaging Problem

143 Repackaging Problem Need your help

144 Repackaging Problem Need your help We need to protect customers

145 Containers ZIP, DMG, ISO App External Resources

146 Signing Disk Images App External Resources

147 Signing Disk Images Using macos or later App External Resources

148 Signing Disk Images Using macos or later Use the codesign tool App External Resources

149 Signing Disk Images Using macos or later Use the codesign tool Signatures are embedded App External Resources

150 Signing Disk Images Using macos or later Use the codesign tool Signatures are embedded Backwards-compatible with older OS releases App External Resources

151 Signing Disk Images Using macos or later Use the codesign tool Signatures are embedded Backwards-compatible with older OS releases App External Resources For assistance, come to the Security Labs

152 Packaging Advice Do these Avoid the problem Put resources inside App Bundle App

153 Packaging Advice Do these Avoid the problem Put resources inside App Bundle App Internal Resources

154 Packaging Advice Do these

155 Packaging Advice Do these Distributing an App Bundle? Deliver via the Mac App Store Sign the App - Package in a Zip Archive - Verify signature before release Signed Apple Installer package

156 Packaging Advice Do these

157 Packaging Advice Do these For a container with Apps and resources Signed Disk Image Sign any content in the container Sign the disk image App External Resources Verify signatures before release

158 Packaging Advice

159 Packaging Advice Do These Adding personalization or licensing information Use extended attribute on bundle root see TN2206 Sign a personalized Disk Image

160 Packaging Advice Do These Do Not Do This Adding personalization or licensing information Use extended attribute on bundle root see TN2206 Modify your app after signing Deliver an app with a broken signature Use an ISO image Sign a personalized Disk Image

161 NEW Gatekeeper Enhancement Protecting customers

162 Gatekeeper Path Randomization NEW

163 Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections

164 Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps

165 Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps No change for previously run apps

166 Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps No change for previously run apps Applies to newly downloaded apps

167 Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps No change for previously run apps Applies to newly downloaded apps Applies to apps on unsigned Disk Images

168 Gatekeeper Path Randomization In a folder or Disk Image Your App Extra Resources

169 Gatekeeper Path Randomization When app is running Your App

170 Gatekeeper Path Randomization When app is running Your App

171 Gatekeeper Path Randomization When app is running? Your App

172 Gatekeeper Path Randomization Does not apply

173 Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle

174 Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle Signed Disk Images

175 Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle Signed Disk Images Signed Apple installer package

176 Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle Signed Disk Images Signed Apple installer package Apps from the Mac App Store

177 Summary Sign what you deliver Check the signatures are valid

178 More Information

179 Labs Security & Privacy Lab 1 Frameworks Lab C Wednesday 9:00AM Security & Privacy Lab 2 Frameworks Lab B Thursday 9:00AM

180