Title: Strawhorse: Attacking the MacOS and iOS Software Development Kit
Release Date: 2015-03-10
Document Date: 2012-02-10
Description: This NSA summary of a talk presented at the 2012 TCB Jamboree describes a Sandia National Laboratories approach to attacking Apple technology using compromised developer tools: see the Intercept article iSpy: The CIA Campaign to Steal Apple’s Secrets, 10 March 2015.
Document:  (S//NF) Strawhorse: Attacking the MacOS and iOS Software Development Kit
(S) Presenter: Sandia National Laboratories
(S//NF) Ken Thompson's gcc attack (described in his 1984 Turing award acceptance speech) motivates the
StrawMan work: what can be done of benefit to the US Intelligence Community (IC) if one can make an
arbitrary modification to a system compiler or Software Development Kit (SDK)? A (whacked) SDK can
provide a subtle injection vector onto standalone developer networks, or it can modify any binary compiled
by that SDK. In the past, we have watermarked binaries for attribution, used binaries as an exfiltration
mechanism, and inserted Trojans into compiled binaries.
(S//NF) In this talk, we discuss our explorations of the Xcode (4.1) SDK. Xcode is used to compile MacOS X
applications and kernel extensions as well as iOS applications. We describe how we use (our whacked)
Xcode to do the following things: -Entice all MacOS applications to create a remote backdoor on execution
-Modify a dynamic dependency of securityd to load our own library - which rewrites securityd so that no
prompt appears when exporting a developer's private key -Embed the developer's private key in all iOS
applications -Force all iOS applications to send embedded data to a listening post -Convince all (new)
kernel extensions to disable ASLR
(S//NF) We also describe how we modified both the MacOS X updater to install an extra kernel extension (a
keylogger) and the Xcode installer to include our SDK whacks.