Assumptions and Limitations

Luke Deshotels edited this page Dec 9, 2016 · 7 revisions

Assumptions

  • We are not missing any important sandbox-extensions that modify a process's privileges (This is an important but scary assumption, and we should really deal with it before writing the paper. We will need to know which sandbox-extensions each process is likely to get.)
  • All the mach-services we find are active
  • All processes are equally exploitable
  • Sandbox profiles are assigned based on the following features
    • Executable is a keyboard extension
    • Executable's filepath matches './mobile/Containers/Bundle.'
    • Executable has com.apple.private.security.container-required entitlement key
    • Executable has seatbelt-profiles entitlement key
    • Executable references sandbox_init or apply_container in its binary
  • Our jailbreak did not modify the access control architecture
  • A process does not call a library function if it does not contain a string with the name of the function. We also assume that the presence of such a string implies that the library function will be called.
  • All Apple developed executable identifiers match ‘^com.apple..*’.
  • The executables we analyze will all run on the device at some point / they are not just dead code
  • A process can be compromised by reading a file that has been written to by another compromised process
  • The following processes can be treated as entry points for attackers
    • Third party apps
    • Third party app extensions
    • Afcd
    • Siri?
    • etc.
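As an added example (not part of this wiki or the project's own code), the following Python sketch turns the assumptions above into a small propagation model: third-party executables are recognised by not matching the page's Apple identifier pattern, the named daemons are added as entry points, every discovered mach-service is treated as an active edge from its client to its provider (direction assumed here), and a file written by a compromised process reaches every process that reads it. All process names, service edges and file paths below are constructed placeholders, and `compromised_closure`, `build_edges` and the helper names are this example's own.

```python
import re
from collections import defaultdict, deque

# The page's Apple identifier pattern, used as a regular expression exactly as written.
APPLE_ID_PATTERN = re.compile(r'^com.apple..*')


def is_apple_executable(identifier):
    """True if the executable identifier matches the Apple-developed pattern."""
    return APPLE_ID_PATTERN.match(identifier) is not None


def entry_points(identifiers, named_entry_points=()):
    """Attacker entry points: every non-Apple executable (third-party apps and
    extensions) plus explicitly named daemons such as afcd."""
    eps = {i for i in identifiers if not is_apple_executable(i)}
    eps.update(named_entry_points)
    return eps


def build_edges(mach_services, file_writes, file_reads):
    """Adjacency map: compromised process -> processes it can reach.

    mach_services: iterable of (client, provider); all discovered services are
                   assumed active, and a compromised client is assumed able to
                   exploit the provider (assumed direction, not stated on the page).
    file_writes:   path -> set of writers
    file_reads:    path -> set of readers
    A writer of a path reaches every other process that reads that path.
    """
    edges = defaultdict(set)
    for client, provider in mach_services:
        edges[client].add(provider)
    for path, writers in file_writes.items():
        readers = file_reads.get(path, set())
        for writer in writers:
            edges[writer].update(readers - {writer})
    return edges


def compromised_closure(entry, edges):
    """Breadth-first closure: every process reachable from the entry points."""
    seen = set(entry)
    queue = deque(entry)
    while queue:
        proc = queue.popleft()
        for nxt in edges.get(proc, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def run_example():
    """Constructed sample system (placeholder names, not real iOS components)."""
    identifiers = [
        "com.example.app",          # third-party app
        "com.example.app.share",    # third-party app extension
        "afcd",                     # named entry point from the page
        "com.apple.daemon-a",       # constructed Apple daemon, exposes a mach service
        "com.apple.daemon-b",       # constructed Apple daemon, reads a file daemon-a writes
        "com.apple.daemon-c",       # constructed Apple daemon with no inbound edge
    ]
    mach_services = [("com.example.app", "com.apple.daemon-a")]
    file_writes = {"/var/mobile/example-state.plist": {"com.apple.daemon-a"}}
    file_reads = {"/var/mobile/example-state.plist": {"com.apple.daemon-b"}}

    edges = build_edges(mach_services, file_writes, file_reads)
    return compromised_closure(entry_points(identifiers, ["afcd"]), edges)


if __name__ == "__main__":
    for proc in sorted(run_example()):
        print("reachable:", proc)
```

In the constructed sample, the third-party app reaches `com.apple.daemon-a` over its mach service and `com.apple.daemon-a` reaches `com.apple.daemon-b` through the shared file, while `com.apple.daemon-c` stays outside the closure; dropping either assumption (inactive services, no file-based propagation) shrinks the reachable set, which is why both assumptions are listed above.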

Scope Limits

  • Optional access control features
    • Network
    • Drivers
    • Frameworks
    • Access Control Lists
    • User data
  • iOS versions
    • iOS 9.0.2
  • Set up two modes (with jailbreak and with firmware filesystem)