SandBlaster: Reversing the Apple Sandbox
Abstract
To limit the damage of malware on Mac OS X and iOS, Apple uses sandboxing, a kernel-level security layer that provides tight constraints for system calls. Particularly used for Apple iOS, sandboxing prevents apps from executing potentially dangerous actions by defining rules in a sandbox profile. Investigating Apple's built-in sandbox profiles is difficult as they are compiled and stored in binary format. We present SandBlaster, a software bundle that is able to reverse/decompile Apple binary sandbox profiles to their original human-readable SBPL (SandBox Profile Language) format. We use SandBlaster to reverse all built-in Apple iOS binary sandbox profiles for iOS 7, 8 and 9. Our tool is, to the best of our knowledge, the first to provide a full reversing of the Apple sandbox, shedding light on the inner workings of Apple sandbox profiles and providing essential support for security researchers and professionals interested in Apple security mechanisms.
- Publication: arXiv e-prints
- Pub Date: August 2016
- DOI: 10.48550/arXiv.1608.04303
- arXiv: arXiv:1608.04303
- Bibcode: 2016arXiv160804303D
- Keywords: Computer Science - Cryptography and Security; Computer Science - Operating Systems; D.4.6
- E-Print: 25 pages, 9 figures, 14 listings. This report is an auxiliary document to the paper "SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles", to be presented at the ACM Conference on Computer and Communications Security (CCS) 2016