Processing - 2014-05-13T00:51Z
The following revision refers to this bug:
commit
Author:
Date: Tue May 13 00:

Initial implementation of the Mac Bootstrap Sandbox.

This adds the implementation for the second-layer sandbox, with tests, but it does not wire it up for use in Chrome.

Design document:

BUG=
TEST=Covered by unit tests, manually verified on 10.6.8, 10.7.5, 10.8.5, and 10.9.2.
Review URL:

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2d316-1c4b-4281-b951-d872f2087c98

Processing - 2014-05-29T19:31Z
The following revision refers to this bug:
commit
Author:
Date: Thu May 29 19:

Do not destroy Mach messages that are forwarded out of the bootstrap sandbox.

For the process hosting the sandbox, doing so could result in over-unrefing send rights. It's not necessary to destroy forwarded messages because any rights copied into the process will be copied out on send, using move semantics.

BUG=
R=
Review URL:

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2d316-1c4b-4281-b951-d872f2087c98

Processing - 2014-06-03T10:28Z
The following revision refers to this bug:
commit
Author:
Date: Tue Jun 03 10:

Do not double-unref send rights when using POLICY_SUBSTITUTE_PORT.

By destroying the reply message, the already-copied-out right will be unrefed again, leading to an over-release of send rights. This also requires that Rule(POLICY_SUBSTITUTE_PORT) users provide a send right that can be duplicated with MACH_MSG_TYPE_COPY_SEND, rather than using MAKE_SEND.

BUG=
R=
Review URL:

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2d316-1c4b-4281-b951-d872f2087c98

Processing - 2014-06-10T14:37Z
The following revision refers to this bug:
commit
Author:
Date: Tue Jun 10 14:

Initialize the bootstrap sandbox in the browser process.

This wires up the ChildProcessLauncher and SandboxedProcessLauncherDelegate. No restrictive policies are currently registered or enforced, i.e. Renderers should not be locked down. However, to keep NPAPI plugins working, an allow-by-default policy exists.

BUG=
R=
Review URL:

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2d316-1c4b-4281-b951-d872f2087c98
Processing - 2014-06-19T23:83Z
The following revision refers to this bug:
commit
Author:
Date: Thu Jun 19 23:

Alter the design of the bootstrap sandbox to only take over the bootstrap port of children when necessary.

Rather than replacing the bootstrap port outright in the browser process, this change merely registers the sandboxed bootstrap port with launchd.

When a sandboxed child is being launched with base::LaunchProcess, a new LaunchOptions can specify a bootstrap name to look up and use as a replacement bootstrap port. The bootstrap port in the new child is replaced after fork but before exec. The kernel clears the IPC space during both of these system calls, so no other references to the original bootstrap port will exist after replacing the port with the sandboxed one and execing.

This change also partially reverts, which introduced a permissive policy for NPAPI plugins. Since those plugins are no longer affected by the bootstrap sandbox, it can be removed.

BUG=, R=, Review URL:

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2d316-1c4b-4281-b951-d872f2087c98

Processing - 2014-06-20T03:68Z
Labels: merge-merged-2060
The following revision refers to this bug:
commit
Author:
Date: Fri Jun 20 03:

Merge 278530 'Alter the design of the bootstrap sandbox to only.'

Merging into tonight's branch to test, as it didn't make branch cut

Alter the design of the bootstrap sandbox to only take over the bootstrap port of children when necessary.

Rather than replacing the bootstrap port outright in the browser process, this change merely registers the sandboxed bootstrap port with launchd.

When a sandboxed child is being launched with base::LaunchProcess, a new LaunchOptions can specify a bootstrap name to look up and use as a replacement bootstrap port. The bootstrap port in the new child is replaced after fork but before exec. The kernel clears the IPC space during both of these system calls, so no other references to the original bootstrap port will exist after replacing the port with the sandboxed one and execing.

This change also partially reverts, which introduced a permissive policy for NPAPI plugins. Since those plugins are no longer affected by the bootstrap sandbox, it can be removed.

BUG=
R=
Review URL:

TBR=
Review URL:

git-svn-id: svn://svn.chromium.org/chrome/branches/2060/src@2d316-1c4b-4281-b951-d872f2087c98

Processing - 2014-06-23T03:12Z
The following revision refers to this bug:
commit
Author:
Date: Mon Jun 23 03:

Revert of Define a bootstrap sandbox policy for renderer processes and enable it.

Reason for revert:
I suspect this is breaking ESCDoesNotLeaveFullscreenDOM. It's the only CL in that build that touches Mac (none of them seem related to fullscreen behavior).

Original issue's description:
Define a bootstrap sandbox policy for renderer processes and enable it.
BUG=
R=
Committed:

TBR=
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL:

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2d316-1c4b-4281-b951-d872f2087c98