Skip to content

Assumptions and Limitations

Jump to bottom
Luke Deshotels edited this page Dec 9, 2016 · 7 revisions

Assumptions

  • All the mach-services we find are active
  • All processes are equally exploitable
  • Sandboxes profiles are assigned based on the following features
    • Executable is a keyboard extension
    • Executable's filepath matches './mobile/Containers/Bundle.' ..* Executable has com.apple.private.security.container-required entitlement key ..* Executable has seatbelt-profiles entitlement key ..* Executable references sandbox_init or apply_container in its binary
  • Our jailbreak did not modify the access control architecture
  • A process does not call a library function if it does not contain a string with the name of the function. We also assume that the presence of such a string implies that the library function will be called.
  • All Apple developed executable identifiers match ‘^com.apple..*’.
  • The executable we analyze will all run on the device at some point / they are not just dead code
  • A process can be compromised by reading a file that has been written to by another compromised process
  • The following processes can be treated as entry points for attackers ..* Third party apps ..* Third party app extensions ..* Afcd ..* Siri? ..* etc.

Scope Limits

  • Optional access control features
    • Network
    • Drivers
    • Frameworks
    • Access Control Lists
    • User data
  • iOS versions
    • iOS 9.0.2
  • Set up two modes (with jailbreak and with firmware filesystem)
Clone this wiki locally