POSTED BY: Patroklos Argyroudis / 18.04.2019

Vs com.apple.security.sandbox (CanSecWest 2019)

On March 20th 2019 I presented at the 2019 CanSecWest conference a talk on reverse engineering the Apple iOS sandbox kernel extension entitled Vs com.apple.security.sandbox. I really enjoyed the conference, traveling to Vancouver, and meeting a lot of people interested in my research.

The abstract of the talk follows:

The iOS sandbox kernel extension implements one of the fundamental security technologies deployed on Apple's devices (iPhones, iPads, etc.) for limiting local privilege escalation and post-exploitation. The sandbox utilizes Apple specified policies to restrict what operations both system-provided services and user-installed applications can perform. The sandbox kernel extension is closed-source both on iOS and macOS; furthermore the iOS sandbox policies are not available in plain text, but compiled and packed in the binary of the extension itself. In this talk I will initially present how the iOS sandbox kernel extension specifies and enforces policies, along with implementation details that will be useful for the next step. I will then explain in detail the process of reverse engineering the extension in order to unpack and decompile all the sandbox policies embedded in it. All the presented details apply to and have been tested on the latest iOS version (12.1.3 beta 2 at the time of this writing).

You can find the public version of my slide deck here.

I would like to thank the organizers of the CanSecWest conference for putting together such a great event.