Catalin Cimpanu, writing for ZDNet Zero Day:

Named BlastDoor, this new iOS security feature was discovered by
Samuel Groß, a security researcher with Project Zero, a Google
security team tasked with finding vulnerabilities in commonly-used
software. […]

While iOS ships with multiple sandbox mechanisms, BlastDoor is a
new addition that operates only at the level of the iMessage app.
Its role is to take incoming messages and unpack and process their
content inside a secure and isolated environment, where any
malicious code hidden inside a message can’t interact with or harm
the underlying operating system or retrieve user data.

The need for a service like BlastDoor had become obvious after
several security researchers had pointed out in the past that the
iMessage service was doing a poor job of sanitizing incoming user
data. Over the past three years, there had been multiple
instances where security researchers or real-world attackers
found iMessage remote code execution (RCE) bugs and abused these
issues to develop exploits that allowed them to take control over
an iPhone just by sending a simple text, photo, or video to
someone’s device.

Samuel Groß’s report on Google’s Project Zero blog is chock full of technical details and analysis.

This is a big deal, and from what I understand, a major multi-year undertaking by the iMessage team. Cimpanu’s report makes it sound like it’s an iOS 14 feature, but it’s on MacOS 11, too — it’s an iMessage feature. The basic idea is that parsing untrusted input is always a potential source for bugs. Rather than whack-a-moling these bugs one-by-one as they’re discovered, BlastDoor puts the entire process of parsing input (the text of messages, any file attachments, or even just generating URL previews) into a very sturdy vault. Anything inside the vault has almost no file system access and no network access. Open the attachments inside the vault, and only then pass them on for display.
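The design described above, as an added example (not Apple’s code, nor anything from Groß’s write-up): a toy message parser run inside a forked child that can open neither files nor sockets and can only hand a structured result back to the host over a pipe. It assumes a Unix host, with `os.fork` and `resource` rlimits standing in for Apple’s sandbox profiles; `parse_message`, `run_in_vault` and the sample messages are constructed for the example.

```python
import json
import os
import resource
# Constructed toy message format standing in for the real payload: '|'-separated 'TEXT:<body>' / 'ATTACH:<name>:<bytes>' fields.
GOOD_MESSAGE = b"TEXT:hello world|ATTACH:cat.png:12"
BAD_MESSAGE = b"TEXT:hi|ATTACH:cat.png:notanumber"  # makes the parser raise, standing in for a parser bug
def parse_message(raw: bytes) -> dict:
    """Untrusted-input parser to keep inside the vault; raises on malformed input."""
    out = {"text": "", "attachments": []}
    for field in raw.decode("utf-8").split("|"):
        kind, _, rest = field.partition(":")
        if kind == "TEXT":
            out["text"] = rest
        elif kind == "ATTACH":
            name, _, size = rest.partition(":")
            out["attachments"].append({"name": name, "size": int(size)})
        else:
            raise ValueError(f"unknown field {kind!r}")
    return out
def run_in_vault(parser, raw: bytes, cpu_seconds: int = 5):
    """Run parser(raw) in a child that can open neither files nor sockets; return its result, or None on any failure."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the vault
        try:
            os.close(r)
            os.closerange(3, w); os.closerange(w + 1, 1024)  # drop every inherited fd except the result pipe
            resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))  # no new fds: open()/socket() now fail with EMFILE
            _, hard = resource.getrlimit(resource.RLIMIT_CPU)
            cpu = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
            resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu))  # a runaway parser is killed by SIGXCPU, not waited on
            payload = json.dumps(parser(raw)).encode("utf-8")
            while payload:
                payload = payload[os.write(w, payload):]
        except BaseException:
            os._exit(1)  # any failure inside the vault becomes a bad exit status, never a host crash
        os._exit(0)
    os.close(w)  # parent: the host that will display the message
    chunks = []
    while chunk := os.read(r, 65536):
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        return None  # crashed, hit the CPU limit, or raised: treat as an unparseable message
    try:
        result = json.loads(b"".join(chunks))
    except ValueError:
        return None  # the vault may only hand back well-formed structured data
    return result if isinstance(result, dict) else None
```

A parser that unexpectedly touches the file system (the third assertion below) fails closed inside the vault and the host simply sees an unparseable message.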

Very clever. It doesn’t just close a bunch of specific exploits, it should close an entire class of potential exploits. But it’s the sort of thing Apple can’t really announce or promote, so it’s nice to see the effort get some publicity.

Also: “BlastDoor” is a great name for this.
