> While this approach works, continuously changing page permissions is often quite slow. A better solution for performance is to (ab)use memory mappings to map the same physical page twice, with two virtual addresses, one of which is accessible with write permissions and one which enables execute permissions.
Just finished implementing this for UTM :) https://github.com/utmapp/qemu/commits/ios-support
To Apple engineers reading this: please don’t patch this technique (unless you’re going to replace it with real JIT APIs). It’s not a security issue because get-task-allow entitlement is never granted in distribution certificates. And it’s allowing us devs to not have to jailbreak our phones and lose out on the security and privacy of the system.
It’s not an ‘abuse’ of virtual memory and it doesn’t need patching - virtual memory is designed to map multiple times and this functionality is used for basic things like malloc.
We’re referring to the ability to remap RX memory as RW without the JIT entitlement which is normally needed to map RWX pages. The author calls it an (ab)use because mapping RWX is prohibited by the system but RW+RX in aliased memory which effectively achieves the same purpose is allowed. This ability is what I hope Apple doesn’t patch in a misguided attempt to fix a “security issue” (which I argue is not).
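Added example, not code from the blog post, from UTM or from any commenter in this thread: the RW/RX aliasing pattern the comments above are discussing, demonstrated with POSIX file-backed mmap on Linux (a memfd, with a temp-file fallback). The platform-specific calls the iOS ports use, and the ptrace/get-task-allow enablement the thread mentions, are not shown here; on Apple platforms the code-signing and JIT entitlement rules discussed above still apply, so treat this as a demonstration of the mapping pattern only. The memfd label "jit", the 4096-byte region, and the stub bytes are this example's own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U /* value from the Linux uapi; defined here in case the header predates it */
#endif

/* Two virtual aliases of one physical region: `rw` for the code emitter,
 * `rx` for execution. No single mapping is ever writable and executable at once. */
typedef struct {
    uint8_t *rw;
    uint8_t *rx;
    size_t len;
} dual_map_t;

/* Anonymous memory object that both aliases will map. Linux: memfd (no filesystem
 * needed), called through syscall() so the example does not depend on the libc
 * wrapper being declared. Fallback: an unlinked temp file (fails if /tmp is noexec). */
static int backing_fd(size_t len) {
    int fd = -1;
#if defined(__linux__) && defined(SYS_memfd_create)
    fd = (int)syscall(SYS_memfd_create, "jit", MFD_CLOEXEC); /* "jit" is only a debug label */
#endif
    if (fd < 0) {
        char path[] = "/tmp/jit-XXXXXX";
        fd = mkstemp(path);
        if (fd >= 0) unlink(path); /* the object lives on through the fd */
    }
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)len) != 0) { close(fd); return -1; }
    return fd;
}

int dual_map_create(dual_map_t *m, size_t len) {
    int fd = backing_fd(len);
    if (fd < 0) return -1;
    void *rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd); /* the two mappings keep the object alive */
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, len);
        if (rx != MAP_FAILED) munmap(rx, len);
        return -1;
    }
    m->rw = rw; m->rx = rx; m->len = len;
    return 0;
}

void dual_map_destroy(dual_map_t *m) {
    munmap(m->rw, m->len);
    munmap(m->rx, m->len);
}

/* Store code through the RW alias, then make it visible to instruction fetch
 * through the RX alias. On arm64 the I-cache is not coherent with stores made
 * through a different virtual address, so the flush is mandatory there; on x86
 * the builtin compiles to nothing. */
void dual_map_emit(dual_map_t *m, const void *code, size_t n) {
    memcpy(m->rw, code, n);
    __builtin___clear_cache((char *)m->rx, (char *)m->rx + n);
}

/* Machine code for `return 42;` on the two architectures this example covers. */
#if defined(__x86_64__)
static const uint8_t ret42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42; ret */
#elif defined(__aarch64__)
static const uint8_t ret42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42; ret */
#else
#error "no stub bytes for this architecture"
#endif

/* Emit the stub through RW and call it through RX. Returns 42, or -1 if setup failed. */
int run_dual_mapped_jit(void) {
    dual_map_t m;
    if (dual_map_create(&m, 4096) != 0) return -1;
    dual_map_emit(&m, ret42, sizeof ret42);
    int (*fn)(void);
    memcpy(&fn, &m.rx, sizeof fn); /* object-to-function pointer conversion without a cast warning */
    int result = fn();
    dual_map_destroy(&m);
    return result;
}

/* The two addresses differ but share storage: a byte stored through RW is
 * readable through RX. Returns 1 when that holds, 0 otherwise. */
int dual_map_aliases_share_storage(void) {
    dual_map_t m;
    if (dual_map_create(&m, 4096) != 0) return 0;
    m.rw[100] = 0xAB;
    int ok = (m.rw != m.rx) && (m.rx[100] == 0xAB);
    dual_map_destroy(&m);
    return ok;
}

int main(void) {
    printf("aliases share storage: %d\n", dual_map_aliases_share_storage());
    printf("jit stub returned: %d\n", run_dual_mapped_jit());
    return 0;
}
```

Build with `cc -O2 dual_map.c -o dual_map`. Every mapping in the process passes a per-page W^X check, yet the process can still write instructions and then execute them, which is exactly why the thread calls it an (ab)use rather than a bug: the policy is enforced per mapping, and the aliasing sidesteps it without violating it. The RW alias is a write-what-where into executable memory, so a real JIT should keep its address out of any data an attacker can read or corrupt and tear it down as soon as emission is finished.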
It is nice of you to tell Apple engineers about it that way, but they will probably change it anyway.
When Apple sees an opportunity to market their own stuff they will push competition out of business (even if there is no business at all).
"Security issues" is just a convenient excuse for them to shut down promising projects I'm afraid.
Yes, just like that time they killed third-party apps that let you limit your kids' use of certain apps.
There was absolutely no security issue in an app that installed a VPN on your kids' phone that recorded everything your kids did and sent it back to a random company.
In the same vein, there was no security issue when Google and Facebook encouraged end users to install a profile that was supposed to be used internally so they could intercept all of your traffic....
This appears to be an expanded description of a long-known technique, described by the author on HN years ago: https://github.com/utmapp/UTM/blob/ac89c106ecf9c765ea47bfe04...
I noticed the author had some comments on this approach on an HN thread the day before, "QEMU for iOS". Probably the previous discussions stirred some creative juices and they figured it's a good topic to elaborate upon in blog post form.
Somewhat, the story for this is a bit complicated :) I'm sure the ptrace trick was already well known by the jailbreaking community long before I discovered it independently, but I used that to port TinyCC to iOS: https://github.com/saagarjha/tinycc/tree/ios. (This was after Apple allowed people to sideload apps on their devices, so I was planning on making an app that would let you write C on your phone. I made an early demo and even an app icon, but lost motivation after I couldn't figure out how to make my app appear in the sidebar of the Files app, go figure.) Emulators started implementing it at some point, and after not being able to do anything useful with it I just stuck around whispering it to anyone who'd listen. At some point I realized that a Mach exception handler might help solve the freezing issue described in the post, and UTM was the first app where I actually implemented it to see if it would work (though I suggested it to Dolphin earlier: https://github.com/dolphin-emu/dolphin/pull/8492#issuecommen...). Since I ended up writing essentially the same thing for PPSSPP (https://github.com/saagarjha/ppsspp) and I knew that there were other emulators that had the same issue, I figured I'd just write it up and point people at that instead of trying to send patches to all of them. I'm kind of lazy ;)