Vs. com.apple.security.sandbox - Patroklos Argyroudis, CENSUS S.A.
The iOS sandbox kernel extension implements one of the fundamental security
technologies deployed on Apple's devices (iPhones, iPads, etc.) for limiting
local privilege escalation and post-exploitation. The sandbox utilizes
Apple-specified policies to restrict what operations both system-provided
services and user-installed applications can perform. The sandbox kernel
extension is closed-source both on iOS and macOS; furthermore the iOS
sandbox policies are not available in plain text, but compiled and packed in
the binary of the extension itself. In this talk I will initially
present how the iOS sandbox kernel extension specifies and enforces policies, along with
implementation details that will be useful for the next step. I will then
explain in detail the process of reverse engineering the extension in order
to unpack and decompile all the sandbox policies embedded in it. All the
presented details apply to and have been tested on the latest iOS version
(12.1.3 beta 2 at the time of this writing).