安全内存

在El Capitan之前的OS X中，具有root访问权限的用户可以读取已登录用户的纯文本密钥链密码，因为Apple的密钥链实现允许缓存这些凭据，因此不会反复提示用户输入密码。 Apple的安全实用程序获取用户的登录密码，并使用PBKDF2对其进行加密，然后将该主密钥存储在内存中。苹果还使用一组密钥和算法来加密用户密码，但是一旦找到主密钥，攻击者只需遍历其他值即可解锁最终密码。

如果对手可以获得根访问权限（允许他们读取安全对象的内存），则他们可以在内存中扫描以找到正确的密钥顺序，而尝试解密用户登录密钥链的次数相对较少。这为攻击者提供了用户，WiFi，邮件，浏览器，证书，安全说明等的所有明文密码。

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.

If an adversary can obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.

标签

ID编号： T1167

策略： 凭证访问

平台： macOS

所需权限： root

数据源： 过程监控

程序示例

名称	描述
Keydnap （S0276)	Keydnap （S0276)使用keychaindump项目读取安全内存。

Name	Description
Keydnap （S0276)	Keydnap （S0276) uses the keychaindump project to read securityd memory.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.