‘BlastDoor’: iMessage’s New Sandbox in iOS 14 and MacOS 11

Catalin Cimpanu, writing for ZDNet Zero Day:

Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software. […]

While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app. Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can’t interact with or harm the underlying operating system or retrieve user data.

The need for a service like BlastDoor had become obvious after several security researchers had pointed out in the past that the iMessage service was doing a poor job of sanitizing incoming user data. Over the past three years, there had been multiple instances where security researchers or real-world attackers found iMessage remote code execution (RCE) bugs and abused these issues to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone’s device.

Samuel Groß’s report on Google’s Project Zero blog is chock full of technical details and analysis.

This is a big deal, and from what I understand, a major multi-year undertaking by the iMessage team. Cimpanu’s report makes it sound like it’s an iOS 14 feature, but it’s on MacOS 11, too — it’s an iMessage feature. The basic idea is that parsing untrusted input is always a potential source for bugs. Rather than whack-a-moling these bugs one-by-one as they’re discovered, BlastDoor puts the entire process of parsing input (the text of messages, any file attachments, or even just generating URL previews) into a very sturdy vault. Anything inside the vault has almost no file system access and no network access. Open the attachments inside the vault, and only then pass them on for display.

Very clever. It doesn’t just close a bunch of specific exploits, it should close an entire class of potential exploits. But it’s the sort of thing Apple can’t really announce or promote, so it’s nice to see the effort get some publicity.
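As an added illustration of that pattern in miniature (not Apple’s code, and not taken from Groß’s report): the parser runs in a forked child that can no longer open files or sockets, and the main process accepts only a small, bounded result, so a crash or misbehaving parser costs one message rather than the whole process. It assumes a POSIX system with fork() and rlimits; the message format and the deliberately misbehaving “kind” values are constructed for the example.

```python
"""Miniature of the BlastDoor idea, as an illustration: parse untrusted message
data in a restricted child process; the parent accepts only a small result."""
import json
import os
import resource

# Constructed sample messages; the wire format is made up for this example.
GOOD_MESSAGE = b'{"text": "hello", "attachment": {"kind": "image/png", "bytes": 1234}}'
CRASHY_MESSAGE = b'{"text": "x", "attachment": {"kind": "image/crash", "bytes": 1}}'
SNOOPY_MESSAGE = b'{"text": "x", "attachment": {"kind": "text/snoop", "bytes": 1}}'
ALLOWED_KINDS = {"image/png", "image/jpeg", "text/plain"}

def parse_untrusted(blob: bytes) -> dict:
    """The 'inside the vault' step; runs only in the restricted child."""
    msg = json.loads(blob.decode("utf-8"))
    kind = msg["attachment"]["kind"]
    if kind == "image/crash":        # stand-in for a memory-corruption bug
        os.abort()
    if kind == "text/snoop":         # stand-in for a parser bug reaching for files
        open("/etc/passwd").read()   # fails: the vault cannot open anything
    # Hand back only simple, bounded values; the parent never sees raw bytes.
    return {"text": str(msg["text"])[:256],
            "kind": kind if kind in ALLOWED_KINDS else "unknown",
            "size": int(msg["attachment"]["bytes"])}

def lock_down_child() -> None:
    """Rough stand-in for a sandbox profile: no new file descriptors, so
    open() and socket() both fail; the result pipe is already open."""
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))

def parse_in_vault(blob: bytes):
    """Parent side: fork a worker, let it parse, accept only its result.
    Returns the parsed dict, or None if the worker failed in any way."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                     # child: the vault
        os.close(r)
        try:
            lock_down_child()
            os.write(w, json.dumps(parse_untrusted(blob)).encode())
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(w)
    with os.fdopen(r, "rb") as f:
        out = f.read()               # EOF once the child exits
    _, status = os.waitpid(pid, 0)
    if status != 0 or not out:       # abort, error or empty result: drop it
        return None
    return json.loads(out)
```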

Also: “BlastDoor” is a great name for this.

Friday, 29 January 2021