
Andrei Sorescu
Actual PhD Student
Engineer in Computer Science and Information Technology - Faculty of Electronics, Telecommunications and Information Technology, Politehnica University of Bucharest
Master in Advanced Cybersecurity - Faculty of Automatic Control and Computers, Politehnica University of Bucharest
PhD student at Faculty of Automatic Control and Computers, Politehnica University of Bucharest
OSED certified
Interested in reverse engineering and low level programming.
Pulling some Sand out of the Box
The purpose of electronic devices is to ease and improve the quality of life as well as aid in the evolution of mankind. Apparently harmless, these electricity-driven beings can become dangerous if a threat actor finds a way to charm them. The main entry point for such attacks is 3rd-party applications. Leveraging the fact that a developer's code may run on an arbitrary device, an evil human can circumvent the producer's security checks and proceed to do harm as he pleases.
Apple decided to develop its own solution to add another layer of protection against unwanted software on their users' devices. They created "The Apple Sandbox", whose purpose is to confine a 3rd-party application as much as possible while still letting it function properly. They achieved this by using a mandatory access control framework (MACF) derived from FreeBSD and additional kernel extensions, which give user-space utilities, still running as ring 3 code, little access to information.
This talk aims to present a methodology for analysis alongside a method of inspecting the sandboxing process at the kernel level, leveraging the VMware debug stub functionality and the lldb API with its Python integration.
