Duo Labs: Deciphering the Messages of Apple’s T2 Coprocessor

In 2018, we released two whitepapers exploring Apple’s T2 coprocessor. The first paper explored the new system architecture of the late 2017 iMac Pro and 2018 MacBook Pro and how the inclusion of the T2 coprocessor enabled the secure boot and encrypted storage capabilities of this new platform. The second paper performed a deep-dive into the Secure Boot process and raised the concern that the T2 coprocessor, running a full version of BridgeOS, may expose a large attack surface. In this article, we explore the exposed services, identify the communications transport and decipher the protocols macOS uses to communicate with the T2 coprocessor. It will shock nobody that the T2 coprocessor communicates with macOS using Apple’s XPC interprocess communication mechanism. However, since the low-level workings of this communication mechanism are documented sparsely or not at all, this article aims to record not only the standard message format, but also how the T2’s use of XPC messaging appears to differ from conventional use of XPC. Building upon this understanding of the low-level communication channel, we demonstrate how one may analyze the network traffic between a macOS client and a T2 server and use this to exercise additional T2 functionality. […]

https://github.com/duo-labs/apple-t2-xpc

https://duo.com/labs/research/apple-t2-xpc

 

Duo on Apple firmware security (and new EFIgy release)

Nice article on latest Apple changes to firmware security, T2 processor, Secure Boot, etc, are discussed here. Maybe one day Apple will create a similar whitepaper.

https://duo.com/blog/apple-imac-pro-and-secure-storage

http://efigy.io/

more from Duo on Apple EFI security

Nice, in addition to an upcoming new EFI tool, it appears Duo has some defensive advise, using OSQuery, Puppet, and Chef. Click on the first tweet below for an image from their upcoming presentation.

 

Note that Teddy Reed is giving a presentation on OSQuery in November at Usenix LISA:

Pepjin’s Apple EFI version spreadsheet:

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

Duo Security research on OEM insecurity

Wired has an article about some new research by Duo Security, on how OEMs build insecure laptops.

https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
https://www.wired.com/2016/05/2036876/

It is a nice article, but only scratches the surface. OS-level OEM bloatware is fixable. Firwmare-level OEM bloatware is often not fixable. And in recent years, operating systems are tied to the firmware more than ever, Microsoft Windows has install binaries embedded in ACPI tables. So, read the article and realize that the situation is much worse than it mentions. 😦