Comment by osy
6 years ago
> While this approach works, continuously changing page permissions is often quite slow. A better solution for performance is to (ab)use memory mappings to map the same physical page twice, with two virtual addresses, one of which is accessible with write permissions and one which enables execute permissions.
Just finished implementing this for UTM :) https://github.com/utmapp/qemu/commits/ios-support
To Apple engineers reading this: please don’t patch this technique (unless you’re going to replace it with real JIT APIs). It’s not a security issue because get-task-allow entitlement is never granted in distribution certificates. And it’s allowing us devs to not have to jailbreak our phones and lose out on the security and privacy of the system.
It’s not an ‘abuse’ of virtual memory and it doesn’t need patching - virtual memory is designed to map multiple times and this functionality is used for basic things like malloc.
We’re referring to the ability to remap RX memory as RW without the JIT entitlement which is normally needed to map RWX pages. The author calls it an (ab)use because mapping RWX is prohibited by the system but RW+RX in aliased memory, which effectively achieves the same purpose, is allowed. This ability is what I hope Apple doesn’t patch in a misguided attempt to fix a “security issue” (which I argue it is not).
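The RW+RX aliasing discussed in the two comments above, as an added defender-side check that is not part of this thread and not UTM's or QEMU's code: a Python scan over Linux `/proc/<pid>/maps` lines (a constructed sample is embedded) that flags a shared writable mapping and an executable mapping backed by the same file bytes, which together behave like one RWX page even though no single mapping is RWX. It assumes the Linux maps format; iOS has no such file, so the equivalent check there would need Mach VM region enumeration.

```python
import re
from itertools import combinations

# Constructed sample of Linux /proc/<pid>/maps output (not from the thread):
# one memfd-backed region mapped twice, rw-s at one address and r-xp at
# another, beside libc mappings of a single file at non-overlapping offsets.
SAMPLE_MAPS = """\
7f10c0000000-7f10c0001000 rw-s 00000000 00:01 12345 /memfd:jit (deleted)
7f10c0200000-7f10c0201000 r-xp 00000000 00:01 12345 /memfd:jit (deleted)
7f10c1000000-7f10c1020000 r--p 00000000 08:01 98765 /usr/lib/libc.so.6
7f10c1020000-7f10c1100000 r-xp 00020000 08:01 98765 /usr/lib/libc.so.6
7f10c1100000-7f10c1104000 rw-p 00100000 08:01 98765 /usr/lib/libc.so.6
7f10c2000000-7f10c2021000 rw-p 00000000 00:00 0 [heap]
"""

MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")

def parse_maps(text):
    """Parse maps lines into dicts; addresses and offsets become ints."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, off, dev, inode, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "off": int(off, 16), "dev": dev,
                        "inode": int(inode), "path": path})
    return regions

def find_wx_aliases(regions):
    """Return (write_va, exec_va, path) triples for mappings of the same
    dev+inode whose file-offset ranges overlap, one writable and MAP_SHARED
    (a private writable alias only copies on write) and one executable.
    Anonymous memory (inode 0) carries no identity here and is skipped."""
    hits = []
    for a, b in combinations(regions, 2):
        if a["inode"] == 0 or (a["dev"], a["inode"]) != (b["dev"], b["inode"]):
            continue
        w, x = (a, b) if "w" in a["perms"] else (b, a)
        if "w" not in w["perms"] or "x" not in x["perms"] or w["perms"][3] != "s":
            continue
        lo = max(w["off"], x["off"])  # overlap of the two file ranges
        hi = min(w["off"] + w["end"] - w["start"], x["off"] + x["end"] - x["start"])
        if lo < hi:
            hits.append((hex(w["start"]), hex(x["start"]), w["path"]))
    return hits
```

Run against a live process by reading `/proc/<pid>/maps` into `parse_maps`; the libc lines show that sharing a file alone is not enough, the offset ranges must actually overlap.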
I would argue that being able to run arbitrary code that I have authorized on my hardware is not a security issue, but Apple clearly disagrees :) I would expect Apple to patch ptrace rather than virtual memory remapping, in this case, since there really is no reason that an application that is not spawned by debugserver "needs" to be able to request PT_TRACE_ME. But since this doesn't really affect most users, maybe they'll let us have some fun for once…
It is nice of you to tell Apple engineers about it that way, but they will probably change it anyway.
When Apple sees an opportunity to market their own stuff they will push competition out of business (even if there is no business at all).
"Security issues" is just a convenient excuse for them to shut down promising projects I'm afraid.
Yes, just like that time they killed third-party apps that let you limit your kids' use of certain apps.
There was absolutely no security issue in an app that installed a VPN on your kids' phone that recorded everything your kids did and sent it back to a random company.
In the same vein, there was no security issue when Google and Facebook encouraged end users to install a profile that was supposed to be used internally so they could intercept all of your traffic...
Classic whataboutism - congratulations. This was not meant to insult you, so sorry if you work there O.o