malus-security / sandblaster Goto Github PK

SandBlaster stores the ReducedGraph mainly as two lists: vertices and edges. Because of this storing strategy, retrieving the neighbours of a node is done by calling the get_next_vertices method [1], which iterates the edges list and returns those edges which start at the vertex given to it as a parameter.

This method of storing the graph is inefficient and, in the future, may cause SandBlaster to run slow when there are large numbers of nodes and edges, as a traversal of this graph (which is necessary when reversing a sandbox profile) is performed in O(num_nodes * num_edges) time, as opposed to the typical O(num_nodes + num_edges) of a graph traversal. Up to iOS 10, there are no more than a few thousand nodes and edges in each graph, for which the running time of the traversal is still low. For newer iOS versions, however, these numbers grow and this traversal can significantly increase reversing times.

For this reason, this internal representation needs to be refactored so that the ReducedVertice class store the node's neighbours list, instead of storing them at the graph level. This would help bring down the traversal complexity to the desired O(num_nodes + num_edges).

[1]

This is the command I'm running:

python reverse_sandbox.py -r 11.4.1 -o /tmp/re/sandbox_ops.txt -d /tmp/re/sb /tmp/re/sandbox_bundle

This reverses about 80 profiles out of 177, and then crashes with the following error:

Traceback (most recent call last):
  File "reverse_sandbox.py", line 350, in <module>
    sys.exit(main())
  File "reverse_sandbox.py", line 313, in main
    process_profile(f, out_fname, sb_ops, ops_to_reverse, op_table, operation_nodes)
  File "reverse_sandbox.py", line 96, in process_profile
    g = operation_node.build_operation_node_graph(node, default_node)
  File "~/Documents/dev/build/sandblaster/reverse-sandbox/operation_node.py", line 532, in build_operation_node_graph
    ong_end_path(g, current_node, parent_node, nodes_to_process)
  File "~/Documents/dev/build/sandblaster/reverse-sandbox/operation_node.py", line 481, in ong_end_path
    g[node]["decision"] = str(node.non_terminal.match.terminal)
KeyError: <operation_node.OperationNode instance at 0x102c857e8>

I would attempt to fix this myself, but I speak no python...

For reference, I'm using an iPhone6,2 kernel here, and I extracted the sandbox kext with Jonathan Levin's joker.

Info: https://github.com/Proteas/ios13-sandbox-profile-format

The current linter support for Markdown in the GitHub workflow configuration is missing. Add it, following the model of iExtractor-manager.