malus-security / ioracle Goto Github PK
View Code? Open in Web Editor NEWAutomated analysis of the iOS access control architecture
License: Other
ioracle's Issues
model the filemode sandbox filter
There is a file related filter in SBPL called filemode. I suspect is has something to do with unix permissions. We need to design experiments to figure out what satisfies this filter. Then we need to model its semantics in a Prolog rule.
extract services and convert to facts
backtracer sometimes needs information about policies or context that could be provided by iOracle.
E.g., resolving a _getpwnam call on "mobile". To know what the result of this call will be, the system needs to have information about the etc/passwd file which could be provided by iOracle. If we can find some other situations like this, we might be onto another way to apply iOracle while collecting much more relevant data to make queries on. This could be a new paper.
Produce Small Step Semantics for Prolog Rule explanation.
Posix ACLs
Design prolog rules to find common solution of two regular expressions.
Investigate warnings appearing when rules are imported
run further tests about sandbox extension reuse to resist revocation
How did the attackers push files to the tmp directory after afcd set up a link to it?
We claim that no root process is sandboxed. Is this true? Make queries.
determine which jailbreaks could have been fixed with changes to the sandbox and explain why.
run further tests to confirm that symlink attack works for afcd extension redirection and find similar situations.
Design and list exact actions performed during dynamic analysis (backup, reboot, take photo, etc.)
Determine if default allow profiles are relevant, and if so, model them.
What if a file is created during dynamic analysis, and we don't have the metadata for the file from static analysis?
Distinguish TTY and character device
Write Evaluation
The ----; in ida doesn't necessarily mean there are 2 parent basic blocks.
The ----; in ida doesn't necessarily mean there are 2 parent basic blocks. It just means the above line doesn't flow down. For the case i saw in syslog i think that there is just one parent block but it is a far cross reference, which we could handle in theory, but i need to fix the code. We should just jump up the location of the far cross reference.
Try using lsof or levin's lsof functionality in his procexp tool.
Distinguish HOME and FRONT_USER_HOME prefix variables
Briefly discuss access control enforcement in the background section, but keep the emphasis on policy analysis.
Further testing of iOS 9 exploit where third party app puts symlink in com.apple.itunes.lock_sync and then afcd makes link to this link. This bypasses restrictions that should stop afcd from making links to places out of Media/
Should we just run backtracer on every function and for r0-r3? Then we could just query for the functions we care about.
This would also make it much easier to query for a parameter such as a file path and then see which function it gets used in. Backtracer should also include code address for easy manual investigation.
I could also do something like
calledFunc(process(...),function(...),address(...),r0("some value"),r1(unknown),r2("some value"),r3(unknown)).
%this way we can use atoms instead of strings to represent sentinel values for when we don't find a valid value for the register.
%most of the time our queries should be aware of which registers are relevant anyway such as only considerring r0 and r1 for a chmod function.
We would need to do some post processing on the register values depending on the data type of the parameters. Fortunately, IDA can infer the parameters for well known functions, and we can use this information to know how to process each parameter. Our prolog facts could also include the data type (e.g., r0(rawValue(0x2382AB32),type("const char*),processed_value("/var/mobile/Media/")).)
understand difference between global-name and local-name filters in mach service sandbox rules
We claim that a process has zero or more capabilities. Does a processes signature identity count as a capability?
Can we use strider (backtracer) to find parameters for functions other than sandbox initialization? Maybe we can find simple calls to chmod and chown.
When debugserver launches neagent, does neagent use debugserver's sandbox?
query for directories getting chowned and see if we can chown a root directory to be owned by mobile
Directory Stick Bit
query to find sandbox profiles that allow a process to grant itself arbitrary sandbox extensions and access any file. quicklookd and afcd can do this.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.