Archive for December 7, 2020

Monday, December 7, 2020

Swift Proposal for async/await

SE-0296 (via Doug Gregor):

This design introduces a coroutine model to Swift. Functions can opt into being async, allowing the programmer to compose complex logic involving asynchronous operations using the normal control-flow mechanisms. The compiler is responsible for translating an asynchronous function into an appropriate set of closures and state machines.

This proposal defines the semantics of asynchronous functions. However, it does not provide concurrency: that is covered by a separate proposal to introduce structured concurrency, which associates asynchronous functions with concurrently-executing tasks and provides APIs for creating, querying, and cancelling tasks.

[…]

Because only async code can call other async code, this proposal provides no way to initiate asynchronous code. This is intentional: all asynchronous code runs within the context of a “task”, a notion which is defined in the Structured Concurrency proposal. That proposal provides the ability to define asynchronous entry points to the program via @main […]

Update (2020-12-08): Eneko Alonso:

The above two extensions allow launching an async task from a DispatchQueue, with or without a DispatchGroup.

Update (2020-12-24): Ben Cohen:

The async/await proposal is accepted!

The first of a series of Concurrency proposals coming to Swift Evolution. @dgregor79 put together a dependency graph

App Store Best of 2020

Apple (list, MacStories):

The independent developer of Wakeout! brought gentle exercise to home offices and classrooms with light-hearted and inclusive movements designed for everyone. Vast fantasy worlds in games like “Genshin Impact,” “Legends of Runeterra,” “Disco Elysium,” “Dandara Trials of Fear,” and Apple Arcade’s “Sneaky Sasquatch” delivered a great escape, while Disney+ offered a sense of unlimited possibility that many craved. Whether it was to facilitate distance learning through Zoom, create daily routines with Fantastical or lull us to sleep with Endel, the App Store Best of 2020 winners helped us live our best lives at home.

Flexibits:

We are incredibly excited and honored that Fantastical has been selected by Apple as the winner of the Best of 2020: Mac App of the Year!

[…]

In the meantime, we hope you’ll enjoy these photos of our App Store App of the Year award as much as we do!

It’s a great app.

John Gruber:

Boo-hiss, though, for awarding Genshin Impact iPhone game of the year. It does look like a beautiful Breath of the Wild-esque game — but it’s a free-to-play gacha game financially. It’s a gambling mechanic, and I wish Apple wouldn’t hold one up as their iPhone game of the year.

Ryan Jones:

Yikes, Wakeout (Winner of Best of 2020):

  1. Requires “Sign In with Apple” 100% just to email retarget you
  2. Requires a trial (oh hey Basecamp!).
  3. Breaks the strictly enforced “total price must be most prominent” rule.

Making a Self-Quoting Tweet

Oisín Moran (via Hacker News):

Fundamentally the challenge is just correctly guessing what ID a given tweet is going to get, then appending that onto the URL for our profile and tweeting it.

[…]

Twitter used to use sequential IDs but no longer do. Public-facing sequential IDs have the drawback of making usage of your platform easy to estimate. They are also hard to generate in a distributed fashion while preserving order.

[…]

We see the second was posted 504 ms after the first (from Twitter’s point of view), the machine IDs differ by 13, and both the sequence numbers are 0. We might be able to get away with assuming the sequence number is most commonly 0. This is great news because it was the larger of the two non-timestamp components so greatly reduces the number of checks we’ll have to make. The range for our brute forcing looks like it might be small enough after all!
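
The three ID components named above (timestamp, machine ID, sequence number), as an added example that is not code from the quoted post: a C decoder for the published Snowflake layout, which the excerpt does not spell out, plus a count of how many IDs fit in a time window. The function names are this example's own and the sample IDs are constructed to match the 504 ms and 13-machine gap described; the point is that such IDs can be estimated and should not be treated as secrets.

```c
#include <stdint.h>
#include <stdio.h>

/* Published Snowflake layout (assumed here; not spelled out in the excerpt):
 * 41-bit ms timestamp | 10-bit machine ID | 12-bit sequence number. */
#define SNOWFLAKE_EPOCH_MS 1288834974657ULL /* Twitter's custom epoch */
#define MACHINE_BITS  10
#define SEQUENCE_BITS 12

struct snowflake { uint64_t unix_ms; unsigned machine, sequence; };

/* Build an ID from its parts (used here only to construct sample data). */
uint64_t snowflake_pack(uint64_t unix_ms, unsigned machine, unsigned sequence)
{
    return ((unix_ms - SNOWFLAKE_EPOCH_MS) << (MACHINE_BITS + SEQUENCE_BITS))
         | ((uint64_t)(machine & 0x3FFu) << SEQUENCE_BITS)
         | (sequence & 0xFFFu);
}

/* Split an ID back into timestamp, machine ID and sequence number. */
struct snowflake snowflake_unpack(uint64_t id)
{
    struct snowflake s;
    s.unix_ms  = (id >> (MACHINE_BITS + SEQUENCE_BITS)) + SNOWFLAKE_EPOCH_MS;
    s.machine  = (unsigned)((id >> SEQUENCE_BITS) & 0x3FFu);
    s.sequence = (unsigned)(id & 0xFFFu);
    return s;
}

/* Distinct IDs possible in a window: every ms times every machine ID,
 * times every sequence value unless the sequence is assumed to be 0. */
uint64_t snowflake_candidates(uint64_t window_ms, int assume_sequence_zero)
{
    uint64_t per_ms = 1ULL << MACHINE_BITS;
    if (!assume_sequence_zero) per_ms <<= SEQUENCE_BITS;
    return window_ms * per_ms;
}

int main(void)
{
    /* Constructed sample IDs: 504 ms apart, machine IDs 13 apart, sequence 0. */
    struct snowflake a = snowflake_unpack(snowflake_pack(1607299200000ULL, 300, 0));
    struct snowflake b = snowflake_unpack(snowflake_pack(1607299200504ULL, 313, 0));
    printf("dt=%llu ms, machine delta=%u\n",
           (unsigned long long)(b.unix_ms - a.unix_ms), b.machine - a.machine);
    printf("1 s window: %llu IDs if sequence is 0, %llu otherwise\n",
           (unsigned long long)snowflake_candidates(1000, 1),
           (unsigned long long)snowflake_candidates(1000, 0));
    return 0;
}
```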

Sandbox Doesn’t Protect Files From stat()

Jeff Johnson (tweet, Hacker News):

I discovered that an application can use the venerable Unix command-line tool “ls” (list directory contents) to bypass both TCC (Transparency, Consent, and Control) and the sandbox, enabling unauthorized access to file metadata in directories that are supposed to be protected.

[…]

It’s been almost a year since I reported it to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. I’ve never been paid a penny by the Apple Security Bounty Program and doubt I ever will.

[…]

I chose the example of ~/Library/Safari/LocalStorage because Safari names the files in this directory according to the web sites that you visit! Also note that the output of long format ls -l contains the last modification date of the files. Thus, one possible privacy violation from this technique is to learn the user’s web browsing history.

I sort of discovered this issue by accident a few years ago while tracking down a bug. One of my apps uses Full Disk Access, but there is no API to determine whether that has been granted. Some of my code had been assuming that if it could test whether a particular file in a protected folder existed, it must have Full Disk Access. But it turns out that you can do this even without access.

Apple even sort of documents this, saying for -[NSFileManager fileExistsAtPath:] that:

App Sandbox does not restrict which path values may be passed to this parameter.

It’s not really clear what this means because how could the sandbox prevent you from passing a value? So maybe we’re meant to assume that it works for any value. On the other hand, the documentation goes on to say:

If the file at path is inaccessible to your app, perhaps because one or more parent directories are inaccessible, this method returns NO.

This implies that without access you can’t test whether a file exists. But my experience is that you can. (I’ve not looked into whether there’s a difference between the sandbox and TCC protections.)

In any event, whether or not Apple considers this a bug, I think it’s a real privacy issue. If this is the expected behavior, it should be documented so that apps can be designed with this in mind. Maybe apps that store sensitive data should obscure their filenames.

Secondly, why is Apple still investigating this issue a year later? The engineer who designed this should know whether it’s the intended behavior off the top of their head. So the fact that the report didn’t immediately come back as “not a bug” implies that either it is a bug (and one wonders how such a whopper could remain for so long) or that the report is not being actively investigated. Either way, this is more evidence that Apple is not serious about the bug bounty program.
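
An added example, not code from the post or from Apple: one way to avoid the mistaken Full Disk Access check described above is to treat a successful stat() as proof that metadata is visible and nothing more, and to confirm access by opening and reading. The name probe_path and its enum are hypothetical, and the example assumes that a sandbox or TCC denial surfaces as a failing open() or read().

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum probe_result {
    PROBE_ABSENT,        /* stat() failed: nothing visible at this path      */
    PROBE_METADATA_ONLY, /* stat() succeeded but the contents cannot be read */
    PROBE_READABLE       /* the contents could actually be opened and read   */
};

/* A successful stat() proves only that metadata is visible. Access to the
 * contents is established by opening the path and reading from it. */
enum probe_result probe_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return PROBE_ABSENT;

    /* O_NONBLOCK keeps the probe from hanging on FIFOs and similar files. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return PROBE_METADATA_ONLY;   /* e.g. EACCES or EPERM */

    enum probe_result result = PROBE_READABLE;
    if (S_ISREG(st.st_mode)) {
        char byte;
        if (read(fd, &byte, 1) < 0)   /* 0 (empty file) still counts as readable */
            result = PROBE_METADATA_ONLY;
    }
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "absent", "metadata only", "readable" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[probe_path(argv[i])]);
    return EXIT_SUCCESS;
}
```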

An iOS Zero-click Radio Proximity Exploit Odyssey

Ian Beer (Hacker News, MacRumors):

In this demo I remotely trigger an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot, with no user interaction. Over the next 30’000 words I’ll cover the entire process to go from this basic demo to successfully exploiting this vulnerability in order to run arbitrary code on any nearby iOS device and steal all the user data.

[…]

So what went so wrong that it was possible? Unfortunately, it’s the same old story. A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.

[…]

The inevitable question is: But what about the next silver bullet: memory tagging (MTE)? Won’t it stop this from happening?

My answer would be that Pointer Authentication was also pitched as ending memory corruption exploitation. When push came to shove, to actually ship a legacy codebase like the iOS kernel with Pointer Authentication, the primitives built using it and inserted by the compiler had to be watered down to such an extent that any competent attacker should have been able to modify their exploits to work around them.