SandBlaster: Reversing the Apple Sandbox
In order to limit the damage of malware on Mac OS X and iOS, Apple uses sandboxing, a kernel-level security layer that provides tight constraints for system calls. Particularly used for Apple iOS, sandboxing prevents apps from executing potentially dangerous actions, by defining rules in a sandbox profile. Investigating Apple's built-in sandbox profiles is difficult as they are compiled and stored in binary format. We present SandBlaster, a software bundle that is able to reverse/decompile Apple binary sandbox profiles to their original human readable SBPL (SandBox Profile Language) format. We use SandBlaster to reverse all built-in Apple iOS binary sandbox profiles for iOS 7, 8 and 9. Our tool is, to the best of our knowledge, the first to provide a full reversing of the Apple sandbox, shedding light into the inner workings of Apple sandbox profiles and providing essential support for security researchers and professionals interested in Apple security mechanisms.
READ FULL TEXT