Reversing the Apple Sandbox
OWASP EEE 2015
Razvan Deaconescu
razvan.deaconescu@cs.pub.ro
October 9, 2015 Reversing the Apple Sandbox 2
Recent iOS Attacks
Jekyll Attacks
Celebrity Leaks
XcodeGhost
Apple iOS Defense Mechanisms
Private/public framework separation
Apple Vetting Process
Privacy Settings
Sandboxing
Trusted BSD security layer
Aims
Better understanding of Apple security mechanisms
Improve security
Part of joint research work with TU Darmstadt (CASED) and North Carolina State University
Apple Sandboxing
● Limit attack surface for a given app
● An app is provided a sandbox profile
● Sandbox profiles consist of sandbox profile rules
– Scheme-like rules
– SBPL format (Sandbox Profile Language)
– SBPL format is compiled into binary format
● Little documentation on internals
● Default “container” sandbox profile for 3rd party iOS apps
Reversing Apple Sandbox
● Reverse “container” sandbox profile
● Get an understanding of the rules inside the default container
– Analyze how they could be bypassed or improved
● Make use of very little documentation on the internals
– No official documentation on SBPL operations
– No official documentation on the inner workings
– No official documentation on the binary format
Sample SBPL File
[…]
(allow ipc-posix-shm
(ipc-posix-name "apple.shm.notification_center"))
(allow mach-lookup
(global-name "com.apple.networkd")
(global-name "com.apple.NetworkSharing")
(global-name "com.apple.pfd"))
(allow mach-per-user-lookup)
(system-network)
(allow network* (local ip))
[…]
How Sandboxing Works
● SBPL consists of rules (operations and filters)
● Each rule is a deny or allow
● Kernel loads profile for an app
● Hooks inside the kernel check the rules inside the profile and allow or deny access to the app
● Works similarly for iOS and Mac OS X
● Implemented in the sandbox kernel extension (Sandbox.kext)
Creating an Apple Sandbox Profile
● Write an SBPL file
● Use the sandbox-exec command or the sandbox_init() function to load an app using a given profile
● Use sandbox_compile() to compile to the binary format
● The binary format is used by the app
● sandbox_* functions are fairly undocumented and used internally
– Implementation in libsandbox.dylib
Anatomy of the Apple Sandbox Profile
● Each rule consists of an operation, filter and action
● Operation is a class of action (file-read*, network-inbound, process-exec)
● Filter is an argument to the operation (file name, socket address, process ID)
– Filters may be regular expressions
● Action may be allow or deny
– Flags may be part of it (such as debug)
Need to Know
● What is inside an .sb file?
● Where are the builtin binary sandbox profiles stored?
● What is the format of the binary sandbox profile file?
● How can one reverse the format?
Previous Work
● Dionysus Blazakis (Dion)
– The Apple Sandbox (BlackHat 2011)
– 5th Chapter in “The iOS Hacker's Handbook”
– https://github.com/dionthegod/XNUSandbox/
● Stefan Esser (Stefan)
– “iOS8 Containers, Sandboxes and Entitlements” (Ruxcon 2014)
– https://github.com/sektioneins/sandbox_toolkit
Methodology Overview
● Get complete list of operations and filters
● Get a good understanding of the sandbox workflow (create/compile, apply)
● Extract builtin binary sandbox profiles
● Thorough understanding of the binary format
● Reverse a binary format sandbox profile file to its initial SBPL format
Building Blocks
● Compile SBPL format file to binary format
● Use sandbox profile
● The intermediary “even more Scheme-like” format
● Well documented by Dion, though one needs multiple read-throughs to have a good picture
Full List of Filters and Operations
● List of operations provided by Dion and Stefan
● Methodology: look into Sandbox.kext
– Updated methodology: extract strings from libsandbox.dylib and look for “%operations”
● No methodology for filters in previous work
– As with operations, use strings in libsandbox.dylib
Intermediary Format
Show samples
Intermediary Format
● Slightly updated TinyScheme interpreter inside libsandbox.dylib
● SBPL → Intermediary Format → Binary Format
● By “hooking” into the interpreter one can dump the intermediary format
$ cat osx_sbpl_stub.scm osx_sbpl_init.scm osx_sbpl_v1.scm require-in-require-allow-deny.sb display_rules.scm | ./as
Extract Builtin Binary Sandbox Profiles
● Located in the sandboxd executable file
● Start from the profile string (i.e. “container”)
● Do “offset-based computing” and locate start of binary profile and region length
● Nice implementation by Stefan
– https://github.com/sektioneins/sandbox_toolkit/tree/master/extract_sbprofiles
– Stefan's implementation wasn't available at the time I started this :-(
The Apple Sandbox Binary Format
● Initial work by Dion (for iOS v5)
● Updated work by Stefan (for iOS v8)
– All work by Dion
– Insight on regular expressions format and the operations list
● Methodology: create SBPL format files, compile and check
Binary Format Header
● Header version (2 bytes)
● Offset to regular expression section (2 bytes)
● Number of regular expressions (2 bytes)
● Table of offsets (NUM_OPERATIONS * 2 bytes)
– Offset to action nodes for each operation
● All offsets multiplied by 8
Sample Regular Expression File
(version 1)
(allow default)
(deny file-read-data
(regex #"^/[ab]$")
(regex #"^/(a)?bc$")
(regex #"^/(ab)?cd$")
(regex #"^/(ab|cd)$")
(regex #"^/.a$"))
00000210: 4300 4f00 5d00 6f00 5a00 0000 0000 0003 C.O.].o.Z.......
00000220: 5400 2f49 002f 3a00 2f29 002f 1500 1902 T./I./:./)./....
00000230: 2f09 0261 2915 0019 022f 2f22 0002 6102 /..a)....//"..a.
00000240: 6229 1500 0263 0264 0a1f 0019 022f 2f33 b)...c.d.....//3
00000250: 0002 6102 6202 6302 6429 1500 1902 2f2f ..a.b.c.d)....//
00000260: 4200 0261 0262 0263 2915 0019 022f 2b61 B..a.b.c)..../+a
00000270: 6162 6229 1500
Linearized Regular Expression
● regex → NFA (Non-deterministic Finite Automaton)
● NFA is “binarized”
● Representation for: characters, special characters (., ^, $), character sets, jumps
● Documented by Stefan (though some parts are missing)
– Dion had done it, but encoding is different (as noticed by Stefan)
Regex Reversing Steps
● Create NFA from binary representation as a graph
– Intermediary representation where a vertex is a character and edges are possible “links”
● Use state removal algorithm
– Leave initial and final states for last
– Take care of * and + regex operands
– Take care of ? operand
– Take care of complex expressions using ( and )
Idea for State Removal Algorithm
(Diagram of state removal on an NFA, with edge labels a, b, ab, c, c, d and (ad)*: the consecutive edges a and b are merged into the single edge ab, and a loop is rewritten as (ad)*.)
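The state removal of the two slides above, worked through in code. This is an added example on constructed toy graphs, not the author's tooling: edge labels are regex strings, start and final states are eliminated last, and the intermediate state with the fewest in/out edge pairs is removed first so that the loop from the diagram comes out as (ad)* rather than as a longer equivalent. The ? and + shorthands are not re-introduced, so an optional element appears as an alternation.

```python
"""Recover a regular expression from an NFA by state removal (added example).

Edge labels are regex strings; removing state q splices each path p -> q -> r
into one edge p -> r = in (loop)* out.  Graphs here are constructed toys.
"""


def _top_level_alt(s):
    """True if `s` has a '|' outside all parentheses, so it needs grouping."""
    depth = 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "|" and depth == 0:
            return True
    return False


def _is_single_group(s):
    """True if `s` is one character or one balanced (...) group."""
    if len(s) == 1:
        return True
    if not (s.startswith("(") and s.endswith(")")):
        return False
    depth = 0
    for ch in s[:-1]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return False            # the opening '(' closes early: several groups
    return True


def _concat(*parts):
    """Concatenate labels, grouping any alternation so it binds correctly."""
    parts = [p for p in parts if p]
    if len(parts) == 1:
        return parts[0]
    return "".join("(%s)" % p if _top_level_alt(p) else p for p in parts)


def _star(s):
    """Kleene star: 'a' -> 'a*', 'ad' -> '(ad)*', '' -> ''."""
    return "" if not s else (s if _is_single_group(s) else "(%s)" % s) + "*"


def _union(a, b):
    """Alternation; `a` is None when no edge existed yet."""
    return b if a is None or a == b else "%s|%s" % (a, b)


class NFA:
    """States are ints; edges[(p, q)] holds the regex label of edge p -> q."""
    def __init__(self, start, final):
        self.start, self.final, self.edges = start, final, {}

    def add_edge(self, p, q, label):
        self.edges[(p, q)] = _union(self.edges.get((p, q)), label)

    def remove_state(self, q):
        """Eliminate q, rewiring every in-edge/out-edge pair around it."""
        loop = self.edges.pop((q, q), "")
        ins = {p: l for (p, t), l in self.edges.items() if t == q}
        outs = {r: l for (s, r), l in self.edges.items() if s == q}
        for key in [k for k in self.edges if q in k]:
            del self.edges[key]
        for p, lin in ins.items():
            for r, lout in outs.items():
                self.add_edge(p, r, _concat(lin, _star(loop), lout))

    def _cost(self, q):
        # Remove states with few in/out pairs first; keeps the result short.
        ins = sum(1 for (p, t) in self.edges if t == q and p != q)
        outs = sum(1 for (s, r) in self.edges if s == q and r != q)
        return ins * outs, q

    def to_regex(self):
        """Remove every intermediate state, then read the regex off start/final."""
        if self.start == self.final:
            raise ValueError("start == final is not handled by this toy")
        while True:
            inner = {s for e in self.edges for s in e} - {self.start, self.final}
            if not inner:
                break
            self.remove_state(min(inner, key=self._cost))
        a = self.edges.get((self.start, self.start), "")   # loop on start
        b = self.edges.get((self.start, self.final))       # start -> final
        c = self.edges.get((self.final, self.final), "")   # loop on final
        d = self.edges.get((self.final, self.start), "")   # final -> start
        if b is None:
            return None                                    # final unreachable
        core = _concat(_star(a), b)
        if not d:
            return _concat(core, _star(c))
        return _concat(core, _star(_union(c or None, _concat(d, _star(a), b))))


def regex_from_edges(edges, start, final):
    """Build an NFA from (p, q, label) triples and reduce it to one regex."""
    nfa = NFA(start, final)
    for p, q, label in edges:
        nfa.add_edge(p, q, label)
    return nfa.to_regex()


if __name__ == "__main__":
    # Constructed toy: the loop of the slide diagram, which reduces to c(ad)*c.
    print(regex_from_edges([(0, 1, "c"), (1, 2, "a"), (2, 1, "d"), (1, 3, "c")], 0, 3))
```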
TODOs for Regex Reversing
● Robust reversing when operation uses multiple regular expressions
– They are part of a single binary representation but need to “split” them apart
● Remove builtin regular expressions in binary format
– Sandbox compiler by default adds certain regular expressions to deny access to certain services irrespective of the initial file
Reminder: Binary Format Header
● Header version (2 bytes)
● Offset to regular expression section (2 bytes)
● Number of regular expressions (2 bytes)
● Table of offsets (NUM_OPERATIONS * 2 bytes)
– Offset to action nodes for each operation
● All offsets multiplied by 8
Operation Offsets
● Each operation gets an offset to an action node
– There will always be at least one offset per operation
● Two types of action nodes (dubbed “operation nodes” by Dion and Stefan)
– Terminal nodes: allow or deny
● Dubbed result nodes by Stefan
– Non-terminal nodes: do further processing
● Dubbed decision nodes by Stefan
Terminal Action Nodes
● Padding (1 byte)
● Action (deny/allow) (2 bytes)
– Flags: debug
Non-Terminal Action Nodes
● Filter type (1 byte)
● Filter argument (2 bytes)
● In case of match, offset to next action node (2 bytes)
● In case of unmatch, offset to next action node (2 bytes)
Reversing Filters
● Not fully done/documented by Stefan
● Extract all filters
● Create SBPL file with all of them and compile
– Match filter IDs and filter arguments to actual filters
Match/Unmatch Options in Action Nodes
● Match is terminal, unmatch is terminal
– Current operation filter is denied/allowed
– Terminate processing of operation
● Match is non-terminal, unmatch is terminal
– Link current action to previous action
● Match is terminal, unmatch is non-terminal
– Current operation filter is denied/allowed
– If no match, link unmatch action to previous action
● Match is non-terminal, unmatch is non-terminal
– “Split” in decision making, link both current and unmatch action to previous action
require-all/require-any
(version 1)
(deny default)
(allow file-read*
(require-all (file-mode #o0004)
(require-any (require-all (literal "/etc")
(require-any (regex #"/a.*$")
(vnode-type REGULAR-FILE)))
(subpath "/Library/Filesystems/NetFSPlugins")
(subpath "/System")
(subpath "/private/var/db/dyld")
(subpath "/usr/lib")
(subpath "/usr/share"))))
0: (1e) non-terminal: (0e 0001 002a 0029)
1: (1f) non-terminal: (04 0004 0020 0029)
2: (20) non-terminal: (01 0047 002a 0021)
3: (21) non-terminal: (01 0043 002a 0022)
4: (22) non-terminal: (01 0041 002a 0023)
5: (23) non-terminal: (01 003c 002a 0024)
6: (24) non-terminal: (01 003a 0025 0027)
7: (25) non-terminal: (81 0001 002a 0026)
8: (26) non-terminal: (1d 0001 002a 0027)
9: (27) non-terminal: (01 0034 002a 0029)
10: (28) non-terminal: (81 0000 0029 002a)
11: (29) terminal: deny
12: (2a) terminal: allow
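An added decoder for the header and action-node layout given on the Binary Format Header, Terminal Action Nodes and Non-Terminal Action Nodes slides, producing a node listing in the format shown just above. It is example code, not the author's scripts, and it runs on a constructed blob; it assumes little-endian 16-bit fields (as the hex dump suggests), that a zero first byte marks a terminal node, and that the action word's low bit is 1 for allow and 0 for deny. The operation count is version-specific and is not in the header, so the caller supplies it.

```python
"""Decode the header and action-node tree of an Apple sandbox binary profile.

Layout as on the slides: u16 version, u16 regex-section offset, u16 regex
count, then NUM_OPERATIONS u16 root offsets; action nodes are 8 bytes and
every offset counts 8-byte units.  Assumptions (not from the slides): fields
are little-endian, a node whose first byte is zero is terminal, and the
action word's low bit is 1 for allow and 0 for deny.
"""
import struct

NODE_SIZE = 8        # one action node; offsets are multiplied by 8
HEADER_SIZE = 6      # version + regex offset + regex count, u16 each
NUM_OPERATIONS = 2   # for the constructed blob only; the real count is version-specific


def parse_header(blob, num_operations):
    """Return the fixed header fields and the per-operation root node offsets."""
    need = HEADER_SIZE + 2 * num_operations
    if len(blob) < need:
        raise ValueError("profile too short for %d operations" % num_operations)
    version, re_off, re_count = struct.unpack_from("<HHH", blob, 0)
    op_offsets = list(struct.unpack_from("<%dH" % num_operations, blob, HEADER_SIZE))
    return {"version": version, "regex_offset": re_off,
            "regex_count": re_count, "op_offsets": op_offsets}


def decode_node(blob, off):
    """Decode the 8-byte action node at 8-byte-unit offset `off`."""
    start = off * NODE_SIZE
    if start + NODE_SIZE > len(blob):
        raise ValueError("node offset 0x%x points outside the profile" % off)
    raw = blob[start:start + NODE_SIZE]
    if raw[0] == 0:                                   # assumed: padding byte => terminal
        (action,) = struct.unpack_from("<H", raw, 1)  # flag bits (debug) left undecoded
        return {"terminal": True, "offset": off,
                "action": "allow" if action & 1 else "deny"}
    filt, arg, match, unmatch = struct.unpack_from("<BHHH", raw, 0)
    return {"terminal": False, "offset": off, "filter": filt, "arg": arg,
            "match": match, "unmatch": unmatch}


def dump_operation(blob, root):
    """List every node reachable from `root` in the slides' textual format."""
    seen, stack = set(), [root]
    while stack:
        off = stack.pop()
        if off in seen:
            continue                  # shared and cyclic nodes are visited once
        seen.add(off)
        node = decode_node(blob, off)
        if not node["terminal"]:
            stack.extend((node["match"], node["unmatch"]))
    lines = []
    for i, off in enumerate(sorted(seen)):
        node = decode_node(blob, off)
        if node["terminal"]:
            lines.append("%d: (%02x) terminal: %s" % (i, off, node["action"]))
        else:
            lines.append("%d: (%02x) non-terminal: (%02x %04x %04x %04x)" % (
                i, off, node["filter"], node["arg"], node["match"], node["unmatch"]))
    return lines


def build_sample_profile():
    """Constructed two-operation profile; filter ids and arguments are made up."""
    nodes = {
        2: struct.pack("<BHHHx", 0x01, 0x0003, 4, 3),  # op 0 root: filter 01 matches -> allow, else node 3
        3: struct.pack("<BHHHx", 0x81, 0x0001, 4, 5),  # second filter: matches -> allow, else deny
        4: struct.pack("<BHxxxxx", 0x00, 0x0001),      # terminal: allow
        5: struct.pack("<BHxxxxx", 0x00, 0x0000),      # terminal: deny
    }
    header = struct.pack("<HHH", 1, 6, 0)              # version 1, regex section at unit 6, none present
    header += struct.pack("<HH", 2, 5)                 # op 0 -> node 2, op 1 -> node 5 (plain deny)
    header = header.ljust(2 * NODE_SIZE, b"\0")        # nodes start on an 8-byte boundary
    return header + b"".join(nodes[k] for k in sorted(nodes))


if __name__ == "__main__":
    blob = build_sample_profile()
    hdr = parse_header(blob, NUM_OPERATIONS)
    print("version %d, %d regexes at unit 0x%x" %
          (hdr["version"], hdr["regex_count"], hdr["regex_offset"]))
    for op, root in enumerate(hdr["op_offsets"]):
        print("operation %d:" % op)
        for line in dump_operation(blob, root):
            print("  " + line)
```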
TODOs for Reversing Action Nodes
● Handle require-not
● Remove default action nodes rules
– Operations not in initial SBPL file use implicit rules (deny, allow and others)
– These rules need not be present in the reversed SBPL file
● Handle terminal flags (debug)
Current State of Things
● Draft reverse of builtin iOS “container” sandbox profile
– See demo
● Scripts to do small little things
– README and instructions for advanced users
● Need to make scripts more generic and usable
● Research paper under way
● Will most likely publish tools as open source
Lessons Learnt
● Reversing is fun and time consuming
● Previous work has been very helpful
– Though I only figured some things out later
● Graphs are really useful IRL!
● You'll never know what you need to know when doing reversing: graphs, NFAs, regex, algorithms, functional programming

More Related Content

Similar to [Bucharest] Reversing the Apple Sandbox

Power Up Your Build - Omer van Kloeten @ Wix 2018-04
Power Up Your Build - Omer van Kloeten @ Wix 2018-04Power Up Your Build - Omer van Kloeten @ Wix 2018-04
Power Up Your Build - Omer van Kloeten @ Wix 2018-04
Omer van Kloeten
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
NAVER D2
 
End-to-end pipeline agility - Berlin Buzzwords 2024
End-to-end pipeline agility - Berlin Buzzwords 2024End-to-end pipeline agility - Berlin Buzzwords 2024
End-to-end pipeline agility - Berlin Buzzwords 2024
Lars Albertsson
 
Ios fundamentals with ObjectiveC
Ios fundamentals with ObjectiveCIos fundamentals with ObjectiveC
Ios fundamentals with ObjectiveC
Madusha Perera
 
From Android NDK To AOSP
From Android NDK To AOSPFrom Android NDK To AOSP
From Android NDK To AOSP
Min-Yih Hsu
 
Modern Web Applications with Sightly
Modern Web Applications with SightlyModern Web Applications with Sightly
Modern Web Applications with Sightly
Radu Cotescu
 
Performance #5 cpu and battery
Performance #5  cpu and batteryPerformance #5  cpu and battery
Performance #5 cpu and battery
Vitali Pekelis
 
Kamailio World 2018 - Workshop: kamailio-tests
Kamailio World 2018 - Workshop: kamailio-testsKamailio World 2018 - Workshop: kamailio-tests
Kamailio World 2018 - Workshop: kamailio-tests
Giacomo Vacca
 
Solo iterative process
Solo iterative processSolo iterative process
Solo iterative process
drewz lin
 
stackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Three
stackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Threestackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Three
stackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Three
NETWAYS
 
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
Macpaul Lin
 
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes][HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
Wong Hoi Sing Edison
 
Chapter1
Chapter1Chapter1
Simple build tool
Simple build toolSimple build tool
Simple build tool
Knoldus Inc.
 
Scala laboratory. Globus. iteration #1
Scala laboratory. Globus. iteration #1Scala laboratory. Globus. iteration #1
Scala laboratory. Globus. iteration #1
Vasil Remeniuk
 
How automated cloud infrastructure setups can help with Continuous Delivery
How automated cloud infrastructure setups can help with Continuous DeliveryHow automated cloud infrastructure setups can help with Continuous Delivery
How automated cloud infrastructure setups can help with Continuous Delivery
Edmund Siegfried Haselwanter
 
Ansiblefest 2018 Network automation journey at roblox
Ansiblefest 2018 Network automation journey at robloxAnsiblefest 2018 Network automation journey at roblox
Ansiblefest 2018 Network automation journey at roblox
Damien Garros
 
(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net
Nico Ludwig
 
How to run_moses 2
How to run_moses 2How to run_moses 2
How to run_moses 2
Mahmoud Eid
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK

Similar to [Bucharest] Reversing the Apple Sandbox (20)

Power Up Your Build - Omer van Kloeten @ Wix 2018-04
Power Up Your Build - Omer van Kloeten @ Wix 2018-04Power Up Your Build - Omer van Kloeten @ Wix 2018-04
Power Up Your Build - Omer van Kloeten @ Wix 2018-04
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
 
End-to-end pipeline agility - Berlin Buzzwords 2024
End-to-end pipeline agility - Berlin Buzzwords 2024End-to-end pipeline agility - Berlin Buzzwords 2024
End-to-end pipeline agility - Berlin Buzzwords 2024
 
Ios fundamentals with ObjectiveC
Ios fundamentals with ObjectiveCIos fundamentals with ObjectiveC
Ios fundamentals with ObjectiveC
 
From Android NDK To AOSP
From Android NDK To AOSPFrom Android NDK To AOSP
From Android NDK To AOSP
 
Modern Web Applications with Sightly
Modern Web Applications with SightlyModern Web Applications with Sightly
Modern Web Applications with Sightly
 
Performance #5 cpu and battery
Performance #5  cpu and batteryPerformance #5  cpu and battery
Performance #5 cpu and battery
 
Kamailio World 2018 - Workshop: kamailio-tests
Kamailio World 2018 - Workshop: kamailio-testsKamailio World 2018 - Workshop: kamailio-tests
Kamailio World 2018 - Workshop: kamailio-tests
 
Solo iterative process
Solo iterative processSolo iterative process
Solo iterative process
 
stackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Three
stackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Threestackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Three
stackconf 2022: Cluster Management: Heterogeneous, Lightweight, Safe. Pick Three
 
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
 
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes][HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
 
Chapter1
Chapter1Chapter1
Chapter1
 
Simple build tool
Simple build toolSimple build tool
Simple build tool
 
Scala laboratory. Globus. iteration #1
Scala laboratory. Globus. iteration #1Scala laboratory. Globus. iteration #1
Scala laboratory. Globus. iteration #1
 
How automated cloud infrastructure setups can help with Continuous Delivery
How automated cloud infrastructure setups can help with Continuous DeliveryHow automated cloud infrastructure setups can help with Continuous Delivery
How automated cloud infrastructure setups can help with Continuous Delivery
 
Ansiblefest 2018 Network automation journey at roblox
Ansiblefest 2018 Network automation journey at robloxAnsiblefest 2018 Network automation journey at roblox
Ansiblefest 2018 Network automation journey at roblox
 
(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net
 
How to run_moses 2
How to run_moses 2How to run_moses 2
How to run_moses 2
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDK
 

More from OWASP EEE

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
OWASP EEE
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
OWASP EEE
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
OWASP EEE
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
OWASP EEE
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
OWASP EEE
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
OWASP EEE
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
OWASP EEE
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
OWASP EEE
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injections
OWASP EEE
 
[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T
OWASP EEE
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
OWASP EEE
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalry
OWASP EEE
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
OWASP EEE
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
OWASP EEE
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
OWASP EEE
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
OWASP EEE
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
OWASP EEE
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
OWASP EEE
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
OWASP EEE
 

More from OWASP EEE (20)

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injections
 
[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalry
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 

Recently uploaded

HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 

Recently uploaded (11)

HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 

[Bucharest] Reversing the Apple Sandbox

• 8. How Sandboxing Works (October 9, 2015, slide 8 of Reversing the Apple Sandbox)
● SBPL consists of rules (operations and filters)
● Each rule is a deny or an allow
● The kernel loads the profile for an app
● Hooks inside the kernel check the rules inside the profile and allow or deny access to the app
● Works similarly for iOS and Mac OS X
● Implemented in the sandbox kernel extension (Sandbox.kext)
• 9. Creating an Apple Sandbox Profile
● Write an SBPL file
● Use the sandbox-exec command or the sandbox_init() function to load an app with a given profile
● Use sandbox_compile() to compile the SBPL into the binary format
● The binary format is the form that gets applied to the app
● The sandbox_* functions are fairly undocumented and used internally
  – Implementation in libsandbox.dylib
• 10. Anatomy of the Apple Sandbox Profile
● Each rule consists of an operation, a filter and an action
● The operation is a class of action (file-read*, network-inbound, process-exec)
● The filter is an argument to the operation (file name, socket address, process ID)
  – Filters may be regular expressions
● The action may be allow or deny
  – Flags may be part of it (such as debug)
• 11. Need to Know
● What is inside an .sb file?
● Where are the builtin binary sandbox profiles stored?
● What is the format of the binary sandbox profile file?
● How can one reverse the format?
• 12. Previous Work
● Dionysus Blazakis (Dion)
  – The Apple Sandbox (BlackHat 2011)
  – 5th chapter in "The iOS Hacker's Handbook"
  – https://github.com/dionthegod/XNUSandbox/
● Stefan Esser (Stefan)
  – "iOS8 Containers, Sandboxes and Entitlements" (Ruxcon 2014)
  – https://github.com/sektioneins/sandbox_toolkit
• 13. Methodology Overview
● Get the complete list of operations and filters
● Get a good understanding of the sandbox workflow (create/compile, apply)
● Extract the builtin binary sandbox profiles
● Thorough understanding of the binary format
● Reverse a binary format sandbox profile file to its initial SBPL format
• 14. Building Blocks
● Compile an SBPL format file to binary format
● Use the sandbox profile
● The intermediary "even more Scheme-like" format
● Well documented by Dion, though one needs multiple read-throughs to have a good picture
• 15. Full List of Filters and Operations
● List of operations provided by Dion and Stefan
● Methodology: look into Sandbox.kext
  – Updated methodology: extract strings from libsandbox.dylib and look for "%operations"
● No methodology for filters in previous work
  – As with operations, use strings in libsandbox.dylib
• 16. Intermediary Format (show samples)
• 17. Intermediary Format
● Slightly updated TinyScheme interpreter inside libsandbox.dylib
● SBPL → Intermediary Format → Binary Format
● By "hooking" into the interpreter one can dump the intermediary format
$ cat osx_sbpl_stub.scm osx_sbpl_init.scm osx_sbpl_v1.scm require-in-require-allow-deny.sb display_rules.scm | ./as
• 18. Extract Builtin Binary Sandbox Profiles
● Located in the sandboxd executable file
● Start from the profile string (i.e. "container")
● Do "offset-based computing" and locate the start of the binary profile and the region length
● Nice implementation by Stefan
  – https://github.com/sektioneins/sandbox_toolkit/tree/master/extract_sbprofiles
  – Stefan's implementation wasn't available at the time I started this :-(
• 19. The Apple Sandbox Binary Format
● Initial work by Dion (for iOS v5)
● Updated work by Stefan (for iOS v8)
  – Covers all of Dion's work
  – Insight on the regular expression format and the operations list
● Methodology: create SBPL format files, compile and check
• 20. Binary Format Header
● Header version (2 bytes)
● Offset to the regular expression section (2 bytes)
● Number of regular expressions (2 bytes)
● Table of offsets (NUM_OPERATIONS * 2 bytes)
  – Offset to the action nodes for each operation
● All offsets are multiplied by 8
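The header layout above, as an added parser (my code, not the talk's scripts and not Stefan's extract_sbprofiles). The profile bytes are constructed here; the operation count is a parameter, since the real number comes from the operations list recovered from libsandbox.dylib (slide 15), and little-endian byte order for the two-byte fields is an assumption. The grouping step is the first check one wants on a real profile: operations that all point at the same terminal node carry only the implicit default action, so the remaining ones are where the interesting rules live.

```python
import struct
from typing import Dict, List, NamedTuple

OFFSET_UNIT = 8  # slide 20: all offsets are multiplied by 8


class ProfileHeader(NamedTuple):
    version: int
    regex_table_offset: int   # byte offset, already multiplied by 8
    regex_count: int
    op_offsets: List[int]     # one byte offset per operation, already multiplied by 8


def parse_header(blob: bytes, num_operations: int) -> ProfileHeader:
    """Decode the fixed header plus the per-operation offset table.

    Layout (slide 20): version u16 | regex-table offset u16 | regex count u16 |
    num_operations * u16 operation offsets. Little-endian is an assumption.
    """
    fixed = struct.calcsize("<HHH")
    table = num_operations * 2
    if len(blob) < fixed + table:
        raise ValueError("blob too short for a header with %d operations" % num_operations)
    version, re_off, re_count = struct.unpack_from("<HHH", blob, 0)
    raw_ops = struct.unpack_from("<%dH" % num_operations, blob, fixed)
    op_offsets = [o * OFFSET_UNIT for o in raw_ops]
    for op, off in enumerate(op_offsets):
        if off >= len(blob):  # a bad operation count shows up here first
            raise ValueError("operation %d points past the end of the profile (0x%x)" % (op, off))
    return ProfileHeader(version, re_off * OFFSET_UNIT, re_count, op_offsets)


def group_operations(header: ProfileHeader) -> Dict[int, List[int]]:
    """Map each distinct action-node offset to the operations that use it.

    Operations not mentioned in the SBPL all share one terminal node, the
    implicit default (slide 33), so the small groups are the ones with rules.
    """
    groups: Dict[int, List[int]] = {}
    for op, off in enumerate(header.op_offsets):
        groups.setdefault(off, []).append(op)
    return groups


# Constructed sample profile (not a real one): version 1, four operations,
# regex table at slot 6 (byte 48) holding 2 regexes; operations 0, 2 and 3
# share the node at slot 4 (byte 32), operation 1 has its own node at slot 5.
NUM_OPS = 4
SAMPLE_PROFILE = struct.pack("<HHH", 1, 6, 2) + struct.pack("<4H", 4, 5, 4, 4)
SAMPLE_PROFILE += b"\x00" * (6 * OFFSET_UNIT - len(SAMPLE_PROFILE)) + b"\x00" * 16

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_PROFILE, NUM_OPS)
    print(hdr)
    for off, ops in sorted(group_operations(hdr).items()):
        print("action node @0x%04x used by operations %s" % (off, ops))
```

Running it on a real extracted profile means passing the operation count for that OS version; with the wrong count the table runs into the node area and the bounds check trips, which is a quick way to tell the two apart.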
• 21. Sample Regular Expression File (version 1)
(allow default)
(deny file-read-data
  (regex #"^/[ab]$")
  (regex #"^/(a)?bc$")
  (regex #"^/(ab)?cd$")
  (regex #"^/(ab|cd)$")
  (regex #"^/.a$"))
00000210: 4300 4f00 5d00 6f00 5a00 0000 0000 0003  C.O.].o.Z.......
00000220: 5400 2f49 002f 3a00 2f29 002f 1500 1902  T./I./:./)./....
00000230: 2f09 0261 2915 0019 022f 2f22 0002 6102  /..a)....//"..a.
00000240: 6229 1500 0263 0264 0a1f 0019 022f 2f33  b)...c.d.....//3
00000250: 0002 6102 6202 6302 6429 1500 1902 2f2f  ..a.b.c.d)....//
00000260: 4200 0261 0262 0263 2915 0019 022f 2b61  B..a.b.c)..../+a
00000270: 6162 6229 1500
• 22. Linearized Regular Expression
● regex → NFA (Non-deterministic Finite Automaton)
● The NFA is "binarized"
● Representations for: characters, special characters (., ^, $), character sets, jumps
● Documented by Stefan (though some parts are missing)
  – Dion had done it, but the encoding is different (as noticed by Stefan)
• 23. Regex Reversing Steps
● Create the NFA from the binary representation as a graph
  – Intermediary representation where a vertex is a character and edges are possible "links"
● Use the state removal algorithm
  – Leave the initial and final states for last
  – Take care of the * and + regex operators
  – Take care of the ? operator
  – Take care of complex expressions using ( and )
• 24. Idea for State Removal Algorithm
[figure: NFA state-removal example; edge labels a, b, ab, c, d; resulting expression (ad)*]
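The state removal step of slides 23 and 24, as an added example (my code, not the talk's scripts). It starts from the graph form the slides describe, states joined by character-labelled edges with None for an epsilon edge, and does not touch the binary regex encoding at all, so the NFAs below are constructed by hand from the regexes of slides 21 and 24 with the ^ and $ anchors dropped. The removal order follows the slide (initial and final states last) plus the usual heuristic of eliminating the state with the fewest in*out paths first, which is what makes (ab)? come out factored instead of as an alternation.

```python
from typing import Dict, Optional, Set, Tuple

# Regex AST built during elimination: ("eps",), ("chr", c), ("cat", [...]),
# ("alt", [...]), ("star", node). Constructors flatten and drop epsilons.
EPS = ("eps",)


def cat(a, b):
    if a == EPS:
        return b
    if b == EPS:
        return a
    return ("cat", (a[1] if a[0] == "cat" else [a]) + (b[1] if b[0] == "cat" else [b]))


def alt(a, b):
    if a is None or a == b:
        return b
    return ("alt", (a[1] if a[0] == "alt" else [a]) + (b[1] if b[0] == "alt" else [b]))


def star(a):
    return a if a == EPS or a[0] == "star" else ("star", a)


def render(r) -> str:
    """Print with precedence alt < cat < postfix; an alternative with eps prints as X?."""
    kind = r[0]
    if kind == "eps":
        return ""
    if kind == "chr":
        return r[1]
    if kind == "star":
        return _atom(r[1]) + "*"
    if kind == "cat":
        return "".join("(" + render(p) + ")" if p[0] == "alt" and EPS not in p[1] else render(p) for p in r[1])
    branches = [p for p in r[1] if p != EPS]
    body = "|".join(render(p) for p in branches)
    if len(branches) == len(r[1]):
        return body
    return (_atom(branches[0]) if len(branches) == 1 else "(" + body + ")") + "?"


def _atom(r) -> str:
    """Render so that a postfix operator can be applied without changing meaning."""
    if r[0] in ("chr", "star") or (r[0] == "alt" and EPS in r[1]):
        return render(r)
    return "(" + render(r) + ")"


class NFA:
    """Graph of character transitions (None = epsilon), slide 23's intermediary form."""

    def __init__(self, start: int, finals: Set[int]):
        self.start, self.finals = start, set(finals)
        self.edges: Dict[Tuple[int, int], tuple] = {}
        self.states: Set[int] = {start} | set(finals)

    def add(self, src: int, dst: int, label: Optional[str]) -> "NFA":
        r = EPS if label is None else ("chr", label)
        self.edges[(src, dst)] = alt(self.edges.get((src, dst)), r)
        self.states |= {src, dst}
        return self


def to_regex(nfa: NFA) -> str:
    """State elimination: wire in a fresh start s and final f with epsilon
    edges, then remove every original state q by replacing each path
    p -> q -> t with the single edge R(p,q) R(q,q)* R(q,t). Initial and final
    states go last; among the others the one with the fewest in*out paths first."""
    edges = dict(nfa.edges)
    s, f = max(nfa.states) + 1, max(nfa.states) + 2
    edges[(s, nfa.start)] = EPS
    for q in nfa.finals:
        edges[(q, f)] = alt(edges.get((q, f)), EPS)
    remaining = set(nfa.states)
    while remaining:
        def key(q):
            ins = sum(1 for p, t in edges if t == q and p != q)
            outs = sum(1 for p, t in edges if p == q and t != q)
            return (q == nfa.start or q in nfa.finals, ins * outs, q)
        q = min(remaining, key=key)
        remaining.remove(q)
        loop = edges.pop((q, q), None)          # self loop becomes R(q,q)*
        ins = {p: r for (p, t), r in edges.items() if t == q}
        outs = {t: r for (p, t), r in edges.items() if p == q}
        for p, r_in in ins.items():
            for t, r_out in outs.items():
                via = cat(cat(r_in, star(loop)) if loop else r_in, r_out)
                edges[(p, t)] = alt(edges.get((p, t)), via)
        edges = {k: v for k, v in edges.items() if q not in k}
    return render(edges.get((s, f), EPS))


def sample_nfas() -> Dict[str, NFA]:
    """Constructed NFAs for regexes from slides 21 and 24, keyed by the expected text."""
    return {
        "ab|cd": NFA(0, {3}).add(0, 1, "a").add(1, 3, "b").add(0, 2, "c").add(2, 3, "d"),
        "(ad)*": NFA(0, {0}).add(0, 1, "a").add(1, 0, "d"),
        "a?bc": NFA(0, {3}).add(0, 1, "a").add(0, 1, None).add(1, 2, "b").add(2, 3, "c"),
        "/(ab)?cd": NFA(0, {5}).add(0, 1, "/").add(1, 2, "a").add(2, 3, "b")
                                .add(1, 3, None).add(3, 4, "c").add(4, 5, "d"),
    }


if __name__ == "__main__":
    for expected, nfa in sample_nfas().items():
        print("%-10s -> %s" % (expected, to_regex(nfa)))
```

The output is always an equivalent expression, not necessarily the one the profile author wrote: state elimination never factors common prefixes, so a different removal order can turn /(ab)?cd into (/|/ab)cd. Character sets and the ^/$ anchors are left as single edge labels here; the slides list them as separate encodings in the binary form, to be mapped onto labels when the graph is built from real profile bytes.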
• 25. TODOs for Regex Reversing
● Robust reversing when an operation uses multiple regular expressions
  – They are part of a single binary representation but need to be "split" apart
● Remove builtin regular expressions in the binary format
  – The sandbox compiler by default adds certain regular expressions to deny access to certain services irrespective of the initial file
• 26. Reminder: Binary Format Header
● Header version (2 bytes)
● Offset to the regular expression section (2 bytes)
● Number of regular expressions (2 bytes)
● Table of offsets (NUM_OPERATIONS * 2 bytes)
  – Offset to the action nodes for each operation
● All offsets are multiplied by 8
• 27. Operation Offsets
● Each operation gets an offset to an action node
  – There will always be at least one offset per operation
● Two types of action nodes (dubbed "operation nodes" by Dion and Stefan)
  – Terminal nodes: allow or deny
    ● Dubbed result nodes by Stefan
  – Non-terminal nodes: do further processing
    ● Dubbed decision nodes by Stefan
• 28. Terminal Action Nodes
● Padding (1 byte)
● Action (deny/allow) (2 bytes)
  – Flags: debug
• 29. Non-Terminal Action Nodes
● Filter type (1 byte)
● Filter argument (2 bytes)
● In case of a match, offset to the next action node (2 bytes)
● In case of no match, offset to the next action node (2 bytes)
• 30. Reversing Filters
● Not fully done/documented by Stefan
● Extract all filters
● Create an SBPL file with all of them and compile
  – Match filter IDs and filter arguments to the actual filters
• 31. Match/Unmatch Options in Action Nodes
● Match is terminal, unmatch is terminal
  – Current operation filter is denied/allowed
  – Terminate processing of the operation
● Match is non-terminal, unmatch is terminal
  – Link the current action to the previous action
● Match is terminal, unmatch is non-terminal
  – Current operation filter is denied/allowed
  – If no match, link the unmatch action to the previous action
● Match is non-terminal, unmatch is non-terminal
  – "Split" in decision making: link both the current and the unmatch action to the previous action
• 32. require-all/require-any (version 1)
(deny default)
(allow file-read*
  (require-all
    (file-mode #o0004)
    (require-any
      (require-all
        (literal "/etc")
        (require-any
          (regex #"/a.*$")
          (vnode-type REGULAR-FILE)))
      (subpath "/Library/Filesystems/NetFSPlugins")
      (subpath "/System")
      (subpath "/private/var/db/dyld")
      (subpath "/usr/lib")
      (subpath "/usr/share"))))
0: (1e) non-terminal: (0e 0001 002a 0029)
1: (1f) non-terminal: (04 0004 0020 0029)
2: (20) non-terminal: (01 0047 002a 0021)
3: (21) non-terminal: (01 0043 002a 0022)
4: (22) non-terminal: (01 0041 002a 0023)
5: (23) non-terminal: (01 003c 002a 0024)
6: (24) non-terminal: (01 003a 0025 0027)
7: (25) non-terminal: (81 0001 002a 0026)
8: (26) non-terminal: (1d 0001 002a 0027)
9: (27) non-terminal: (01 0034 002a 0029)
10: (28) non-terminal: (81 0000 0029 002a)
11: (29) terminal: deny
12: (2a) terminal: allow
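Walking the listing above back into require-all/require-any form, as an added example covering the node layouts of slides 28 and 29 and the four match/unmatch cases of slide 31 (my code, not the talk's scripts and not sandbox_toolkit). It re-encodes the thirteen nodes with an assumed 8-byte layout (a leading node-type byte in front of the fields the slides list, little-endian), takes slot 0x1f, the file-mode check, as the root of the file-read* rule, and names filter types by lining the listing up against the SBPL source; all three are assumptions for this example, and slide 30 describes how the real filter table is recovered. Slots 0x1e and 0x28 are not reachable from 0x1f, so they are decompiled on their own.

```python
import struct
from typing import Dict, FrozenSet, NamedTuple, Union

# Assumed node layout (8 bytes, little-endian):
#   non-terminal: type=0 | filter type u8 | filter arg u16 | match slot u16 | unmatch slot u16
#   terminal:     type=1 | pad u8 | action u16 (0 = deny, 1 = allow) | 4 pad bytes
# Slots are the 0x1e..0x2a numbers of the listing (8-byte units, slide 20).
NODE_SIZE, NONTERMINAL, TERMINAL = 8, 0, 1


class Node(NamedTuple):
    terminal: bool
    filter_type: int = 0
    arg: int = 0
    match: int = 0
    unmatch: int = 0
    allow: bool = False


def nonterminal(ftype: int, arg: int, match: int, unmatch: int) -> bytes:
    return struct.pack("<BBHHH", NONTERMINAL, ftype, arg, match, unmatch)


def terminal(allow: bool) -> bytes:
    return struct.pack("<BBHxxxx", TERMINAL, 0, 1 if allow else 0)


def parse_nodes(blob: bytes, first_slot: int) -> Dict[int, Node]:
    nodes = {}
    for i in range(len(blob) // NODE_SIZE):
        raw = blob[i * NODE_SIZE:(i + 1) * NODE_SIZE]
        if raw[0] == TERMINAL:
            action = struct.unpack_from("<H", raw, 2)[0]
            nodes[first_slot + i] = Node(True, allow=bool(action & 1))  # flag bits ignored
        else:
            ftype, arg, m, u = struct.unpack_from("<BHHH", raw, 1)
            nodes[first_slot + i] = Node(False, ftype, arg, m, u)
    return nodes


# Condition over filters: True/False, ("filter", type, arg),
# ("require-all", [...]), ("require-any", [...]), ("require-not", expr).
Expr = Union[bool, tuple]


def _join(tag: str, *parts: Expr) -> Expr:
    """require-all / require-any with constant folding and flattening."""
    unit, absorb = (True, False) if tag == "require-all" else (False, True)
    out = []
    for p in parts:
        if p is absorb:
            return absorb
        if p is unit:
            continue
        out.extend(p[1] if isinstance(p, tuple) and p[0] == tag else [p])
    return unit if not out else out[0] if len(out) == 1 else (tag, out)


def _not(p: Expr) -> Expr:
    if isinstance(p, bool):
        return not p
    return p[1] if p[0] == "require-not" else ("require-not", p)


def decompile(nodes: Dict[int, Node], slot: int, fail: FrozenSet[int] = frozenset()) -> Expr:
    """Condition under which the graph rooted at `slot` reaches the allow terminal.

    `fail` holds slots that are the fall-through of an enclosing require-all
    (slide 31's split case): reaching one of them counts as "no match" there.
    For a (deny ...) rule under (allow default) swap the roles of the terminals.
    """
    if slot in fail:
        return False
    node = nodes[slot]
    if node.terminal:
        return node.allow
    f: Expr = ("filter", node.filter_type, node.arg)
    m_leaf = nodes[node.match].terminal or node.match in fail
    u_leaf = nodes[node.unmatch].terminal or node.unmatch in fail
    if not m_leaf and not u_leaf:
        # split: the unmatch target is where the match subtree falls through to
        sub = decompile(nodes, node.match, fail | {node.unmatch})
        return _join("require-any", _join("require-all", f, sub), decompile(nodes, node.unmatch, fail))
    m, u = decompile(nodes, node.match, fail), decompile(nodes, node.unmatch, fail)
    if m is True:
        return _join("require-any", f, u)
    if u is False:
        return _join("require-all", f, m)
    if m is False:
        return _join("require-all", _not(f), u)
    return _join("require-any", _not(f), m)  # u is True


# Assumed names, read off by lining the listing up against the SBPL source.
FILTER_NAMES = {0x04: "file-mode", 0x01: "path", 0x81: "regex", 0x1d: "vnode-type"}


def to_sbpl(e: Expr) -> str:
    if isinstance(e, bool):
        return "#t" if e else "#f"
    if e[0] == "filter":
        return "(%s #x%04x)" % (FILTER_NAMES.get(e[1], "filter-%02x" % e[1]), e[2])
    if e[0] == "require-not":
        return "(require-not %s)" % to_sbpl(e[1])
    return "(%s %s)" % (e[0], " ".join(to_sbpl(p) for p in e[1]))


FIRST_SLOT = 0x1e
SLIDE_NODES = b"".join([           # the listing above, re-encoded with the assumed layout
    nonterminal(0x0e, 0x0001, 0x2a, 0x29),  # 1e  not reachable from 1f
    nonterminal(0x04, 0x0004, 0x20, 0x29),  # 1f  file-mode, taken as the file-read* root
    nonterminal(0x01, 0x0047, 0x2a, 0x21),  # 20
    nonterminal(0x01, 0x0043, 0x2a, 0x22),  # 21
    nonterminal(0x01, 0x0041, 0x2a, 0x23),  # 22
    nonterminal(0x01, 0x003c, 0x2a, 0x24),  # 23
    nonterminal(0x01, 0x003a, 0x25, 0x27),  # 24  both targets non-terminal: the split case
    nonterminal(0x81, 0x0001, 0x2a, 0x26),  # 25  regex
    nonterminal(0x1d, 0x0001, 0x2a, 0x27),  # 26  vnode-type
    nonterminal(0x01, 0x0034, 0x2a, 0x29),  # 27
    nonterminal(0x81, 0x0000, 0x29, 0x2a),  # 28  not reachable from 1f
    terminal(False),                        # 29  deny
    terminal(True),                         # 2a  allow
])

if __name__ == "__main__":
    nodes = parse_nodes(SLIDE_NODES, FIRST_SLOT)
    print("file-read*:", to_sbpl(decompile(nodes, 0x1f)))
    print("slot 0x28: ", to_sbpl(decompile(nodes, 0x28)))
```

The recovered expression has the same shape as the SBPL source, with the path filters still as string-table arguments; the require-any members come out in the order the compiler emitted them. Slot 0x28 decompiles to a require-not around a regex that denies on match, which is how a compiler-added deny regex of the kind mentioned on slide 25 would look in this representation (my reading, not something the slide states). Two limitations match the TODOs of slide 33: a success continuation shared by several branches is duplicated rather than factored, and the flag bits of the terminal action word are dropped.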
• 33. TODOs for Reversing Action Nodes
● Handle require-not
● Remove default action node rules
  – Operations not in the initial SBPL file use implicit rules (deny, allow and others)
  – These rules need not be present in the reversed SBPL file
● Handle terminal flags (debug)
• 34. Current State of Things
● Draft reverse of the builtin iOS "container" sandbox profile
  – See demo
● Scripts to do small things
  – README and instructions for advanced users
● Need to make the scripts more generic and usable
● Research paper under way
● Will most likely publish the tools as open source
• 35. Lessons Learnt
● Reversing is fun and time consuming
● Previous work has been very helpful
  – Though I only figured some things out later
● Graphs are really useful IRL!
● You never know what you need to know when doing reversing: graphs, NFAs, regex, algorithms, functional programming