malus-security / sandblaster Goto Github PK
View Code? Open in Web Editor NEWReversing the Apple sandbox
License: Other
Reversing the Apple sandbox
License: Other
SandBlaster stores the ReducedGraph
mainly as two lists: vertices
and edges
. Because of this storing strategy, retrieving the neighbours of a node is done by calling the get_next_vertices
method [1], which iterates the edges
list and returns those edges which start at the vertex given to it as a parameter.
This method of storing the graph is inefficient and, in the future, may cause SandBlaster to run slow when there are large numbers of nodes and edges, as a traversal of this graph (which is necessary when reversing a sandbox profile) is performed in O(num_nodes * num_edges)
time, as opposed to the typical O(num_nodes + num_edges)
of a graph traversal. Up to iOS 10, there are no more than a few thousand nodes and edges in each graph, for which the running time of the traversal is still low. For newer iOS versions, however, these numbers grow and this traversal can significantly increase reversing times.
For this reason, this internal representation needs to be refactored so that the ReducedVertice
class store the node's neighbours list, instead of storing them at the graph level. This would help bring down the traversal complexity to the desired O(num_nodes + num_edges)
.
[1]
sandblaster/reverse-sandbox/operation_node.py
Line 1180 in 2318f0c
This is the command I'm running:
python reverse_sandbox.py -r 11.4.1 -o /tmp/re/sandbox_ops.txt -d /tmp/re/sb /tmp/re/sandbox_bundle
This reverses about 80 profiles out of 177, and then crashes with the following error:
Traceback (most recent call last):
File "reverse_sandbox.py", line 350, in <module>
sys.exit(main())
File "reverse_sandbox.py", line 313, in main
process_profile(f, out_fname, sb_ops, ops_to_reverse, op_table, operation_nodes)
File "reverse_sandbox.py", line 96, in process_profile
g = operation_node.build_operation_node_graph(node, default_node)
File "~/Documents/dev/build/sandblaster/reverse-sandbox/operation_node.py", line 532, in build_operation_node_graph
ong_end_path(g, current_node, parent_node, nodes_to_process)
File "~/Documents/dev/build/sandblaster/reverse-sandbox/operation_node.py", line 481, in ong_end_path
g[node]["decision"] = str(node.non_terminal.match.terminal)
KeyError: <operation_node.OperationNode instance at 0x102c857e8>
I would attempt to fix this myself, but I speak no python...
For reference, I'm using an iPhone6,2 kernel here, and I extracted the sandbox kext with Jonathan Levin's joker
.
The current linter support for Markdown in the GitHub workflow configuration is missing. Add it, following the model of iExtractor-manager.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.