Possible insecure usage of C Functions

Hi,

like in https://developer.apple.com/forums/thread/658048?answerId=629026022#629026022 we got a report from a pentest that we use insecure functions like _memcpy, _fopen, _malloc or strcpy. The recommendation is to replace these with their secure counterpart (e.g. calloc, memcpy_s).

We do not use direct C calls in our code, so we cannot replace them. But even frameworks written in Swift which only import LocalAuthentication, CommonCrypto and Foundation as dependencies were flagged insecure.

During my research I encountered that SecRandomCopyBytes might be responsible: https://opensource.apple.com/source/Security/Security-55471/sec/Security/SecFramework.c.auto.html.

I have three questions regarding this issue:

  • Is the implementation in SecFramework.c the current one?
  • Can you give assurance that the usage in Apple implementations are secure?
  • I believe the pentester ran a grep command to find which binaries are possibly affected. But that approach doesn't help me in this case. Is there a way I can find out which dependencies use these C functions?

Cheers
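For the third question, the check below is an added example (not code from the thread, from Apple, or from the pentest vendor) of the kind of scan a grep-based report performs, with one refinement a defender would want: it matches a symbol only as a whole NUL-terminated string, which is how imported names are stored in a Mach-O string table, so a hit on `_memcpy` is not triggered by `_memcpy_s` or `_memcpy_chk`. The sample string table is constructed for the example; the function names come from the report quoted above.

```python
"""Scan binaries for references to a list of flagged C functions.

Added example, not part of the original thread. It contrasts a naive
substring grep (how these reports are often produced) with a match on
whole NUL-terminated symbol names, which is how a Mach-O symbol string
table stores imported names.
"""
import os
from typing import Dict, Iterable, List

# Function names the pentest report flagged (taken from the post above).
FLAGGED = ["memcpy", "fopen", "malloc", "strcpy"]


def naive_grep(data: bytes, names: Iterable[str] = FLAGGED) -> List[str]:
    """Substring search, as a plain `grep` over the binary would do.
    Over-reports: "_memcpy" also fires on "_memcpy_s" and "_memcpy_chk"."""
    return sorted(n for n in names if b"_" + n.encode("ascii") in data)


def flagged_symbols(data: bytes, names: Iterable[str] = FLAGGED) -> List[str]:
    """Return flagged names whose symbol ("_name") occurs in `data` as a
    whole NUL-terminated string, sorted. Mach-O keeps symbol names in a
    NUL-separated string table, so this avoids the prefix false positives."""
    found = []
    for name in names:
        sym = b"\x00_" + name.encode("ascii") + b"\x00"
        if sym in data:
            found.append(name)
    return sorted(found)


def scan_tree(root: str, names: Iterable[str] = FLAGGED) -> Dict[str, List[str]]:
    """Walk `root` (e.g. an .app bundle), scan every regular file, and map
    path -> flagged names. Files with no hits are omitted."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable entry (permissions, dangling symlink)
            names_found = flagged_symbols(data, names)
            if names_found:
                hits[path] = names_found
    return hits


# Constructed sample: a fake symbol string table in the NUL-separated shape
# a real Mach-O binary uses. It contains the safe variant _memcpy_s, which a
# naive grep mistakes for _memcpy, plus two genuinely flagged imports.
SAMPLE_STRTAB = (
    b"\x00_memcpy_s\x00_strlcpy\x00_malloc\x00"
    b"_SecRandomCopyBytes\x00_fopen\x00"
)

if __name__ == "__main__":
    print("naive grep :", naive_grep(SAMPLE_STRTAB))       # ['fopen', 'malloc', 'memcpy']
    print("exact match:", flagged_symbols(SAMPLE_STRTAB))  # ['fopen', 'malloc']
```

On macOS, `nm -u <binary>` lists a Mach-O file's undefined (imported) symbols and `otool -L <binary>` lists the libraries it links against; running `scan_tree` over a bundle and then confirming each hit with `nm -u` tells you which binary actually imports the function. A flagged import in a framework you compiled means code built into that framework calls it; a hit inside an Apple framework's binary is a call in Apple's code, which is the distinction the replies below draw.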

Can you give assurance that the usage in Apple implementations are secure?

Read Apple's license agreements - you'll find no assurances about anything, as is the industry norm.

I believe the pentester ran a grep command to find which binaries are possibly affected.

Right. I guess there's a whole range of people offering these services out there. Some will be e.g. ex-NSA people but you can't afford them. Then there are some kids who run a few greps over your binaries and produce a semi-automatic report. You can afford those but they don't tell you much. Really you need the people who prepared the report to answer these questions for you, rather than just giving you the output of the grep and sending you here.

FWIW, IMO, you should ignore these reports when they are in Apple's code.

What is your threat model?

Is the implementation in SecFramework.c the current one?

The Darwin code is generally aligned with a specific macOS release which is generally aligned with a corresponding iOS release but we don’t guarantee that. Sometimes things get out of sync, and in some cases there’s code in the OS that’s not published in Darwin.

Can you give assurance that the usage in Apple implementations are secure?

No.

I believe the pentester ran a grep command to find which binaries are possibly affected. But that approach doesn't help me in this case. Is there a way I can find out which dependencies use these C functions?

I recommend that you discuss this with your vendor.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
