CR OS Aug 15, 2016

SandBlaster: Reversing the Apple Sandbox

arXiv:1608.04303v1
7 citations
Originality: Incremental advance
AI Analysis

This enables security researchers and professionals to investigate Apple's sandboxing mechanisms, addressing a specific need in Apple security analysis.

The authors tackled the problem of analyzing Apple's compiled sandbox profiles by developing SandBlaster, a tool that successfully reverses binary profiles to human-readable SBPL format for iOS 7, 8, and 9, providing the first full reversal of these profiles.

In order to limit the damage of malware on Mac OS X and iOS, Apple uses sandboxing, a kernel-level security layer that provides tight constraints for system calls. Particularly used for Apple iOS, sandboxing prevents apps from executing potentially dangerous actions, by defining rules in a sandbox profile. Investigating Apple's built-in sandbox profiles is difficult as they are compiled and stored in binary format. We present SandBlaster, a software bundle that is able to reverse/decompile Apple binary sandbox profiles to their original human-readable SBPL (SandBox Profile Language) format. We use SandBlaster to reverse all built-in Apple iOS binary sandbox profiles for iOS 7, 8 and 9. Our tool is, to the best of our knowledge, the first to provide a full reversing of the Apple sandbox, shedding light on the inner workings of Apple sandbox profiles and providing essential support for security researchers and professionals interested in Apple security mechanisms.
