I've got to say, it's a bit disappoint. By my understanding NSSecureCoding classes should be immune to substitution attacks, but that doesn't seem to be the case with containers. I mean, not if I don't check the expected types, but that's on me, not cocoa. It's nice to know, though, as this could possibly introduce security issues in an app. Thanks a lot!
Subject: Re: NSSecureCoding with containers (or, is NSArray lying?) From: r...@rols.org Date: Thu, 16 Jul 2015 10:44:55 +0800 CC: cocoa-dev@lists.apple.com To: andre.frate...@hotmail.com The list of things which the collection classes decode automagically is pretty small, limited I think to the primitives in XML/Binary document. But yes you can craft a document with an NSArray in it and subtypes and that will be decoded into strings and numbers. That means if you use NSArray() or other collection classes directly in your coding, you need to check what you got back. They are ‘securely’ decoded to the extent that Apple believes decoding them will not result in a buffer overflow etc, that’s all you get by default. Having found the guide I was looking for (“Working with Custom Classes” in the ‘Daemon and Services’ programming guide) you can see what NSSecureCoding was designed for and it’s not a stretch to understand why foundation classes were automatically whitelisted. So your alternative, if you know what you want, is not to do that but to encode/decode the data yourself according to the rules you have. Just because you have an array in your object doesn’t mean you have to use the default array encoder, you can encode it as ‘count’ plus ‘object_0’, ‘object_1’ etc etc and you can specify the exact class for that object when you read it back in. If you implement your own logic all the way down you can make it as secure as you like, just don’t use the collection classes automatic encode/decode support. On 16 Jul 2015, at 10:17, André Francisco <andre.frate...@hotmail.com> wrote:(I'm new to the mailing list and I'm not sure whether I should reply just to Roland or everyone. Please correct me if I'm doing this wrong. I'm replying to both) This seems far from ideal, and I'm actually surprised about NSArray's behaviour. The fact that it decodes a set of classes known to implement NSSecureCoding is wrong, IMO, for two reasons. Actually three, but I forgot about the last one while typing :) 1) The fact that the contained class implements NSSecureCoding does not mean that I'm expecting it. By what I understand from what you are saying, I can encode an array of NSString's and get NSNumber's back (ie., a substitution attack). It's not just about NSString being securely encoded, I must be expecting strings. This can easily crash an app if I get a type that I'm not expecting, even if it implements NSSecureCoding. 2) It limits the classes which can be stored. I guess this could be easily fixed with inspection. Does the class that I'm decoding implement NSSecureCoding? The result would pretty much be the same, just not limited to Apple's subset. I could encode arrays of my own objects. Anyway, based on all my research, SO comments, and especially this conversation, I have been becoming more and more convinced that there doesn't exists a real solution. NSSecureCoding doesn't seem so secure anymore :\ > Subject: Re: NSSecureCoding with containers (or, is NSArray lying?) > From: r...@rols.org > Date: Thu, 16 Jul 2015 09:49:24 +0800 > CC: cocoa-dev@lists.apple.com > To: andre.frate...@hotmail.com > > > > On 16 Jul 2015, at 08:30, André Francisco <andre.frate...@hotmail.com> > > wrote: > > > > Hi all, > > I posted a question at SO > > (http://stackoverflow.com/questions/31307331/how-to-use-nssecurecoding-with-id-objects) > > and despite the bounty it still didn't get any answers. I am not confident > > that it will either. > > The problem is when implementing NSSecureCoding with a collection (or > > container) given that the type of contained objects is not known. I would > > assume that secure coding is not possible in this situation. However, > > classes such as NSArray do implement NSSecureCoding, so as I stated > > earlier, either there's a work around or NSArray is lying. > > I've been putting some effort into this issue in the last few days, so far > > with no success. But it's been boggling me. So which one is it, can > > containers/collections implement actual secure coding? > > Best to you all,André. > > _______________________________________________ > > > I’m sure there used to be an SDK guide about this but I can’t find it and > Google can’t find it. It included a section on how container types worked > with NSSecureCoding. It was in the XPC section I thought. > > Anyway they do work. Try it. Make an NSArray of normal stuff, like NSString, > NSNumber, encode it, decode it with decodeObjectForClasses, with no classes. > You’ll fail on the array. Add the NSArray to the list of allowed classes and > .. it works. So, you think, NSArray will blindly decode anything so it’s > no-longer secure. > > Add an object of a custom class which implements secure coding into the > array, and it will start failing again. NSArray, and the other collection > types, allow elements of known secure system types, like NSString, but fail > at anything outside that. You have to add all the custom classes you will > have in any of the collections at any level into your > decodeObjectWithClasses() list before the collection classes will work. > > Hence, as long as you know all the possible things which could be encoded in > your list and they all support secure coding and you list them all in your > decode code, you’re fine. That’s really the point, your code says what > objects it expects/will accept and that enforces the secure aspect all the > way down as you can’t have a class you didn’t expect and every one of the > classes you do expect will be securely decoded. _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
