{"id":31504,"date":"2021-02-01T16:50:51","date_gmt":"2021-02-01T21:50:51","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=31504"},"modified":"2021-07-06T17:04:05","modified_gmt":"2021-07-06T21:04:05","slug":"imessages-blastdoor-sandbox","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/02\/01\/imessages-blastdoor-sandbox\/","title":{"rendered":"iMessage’s BlastDoor Sandbox"},"content":{"rendered":"

Samuel Groß<\/a> (via Hacker News<\/a>, MacRumors<\/a>):<\/p>\n

One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed “BlastDoor” service which is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads<\/a>). Furthermore, this service is written in Swift<\/a>, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.<\/p>

[…]<\/p>

As can be seen, the majority of the processing of complex, untrusted data has been moved into the new BlastDoor service. Furthermore, this design with its 7+ involved services allows fine-grained sandboxing rules to be applied, for example, only the <\/p>

[…]<\/p>

To limit an attacker’s ability to retry exploits or brute force ASLR, the BlastDoor and imagent<\/code> services are now subject to a newly introduced exponential throttling mechanism enforced by launchd<\/code>, causing the interval between restarts after a crash to double with every subsequent crash (up to an apparent maximum of 20 minutes). With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes.<\/p><\/blockquote>\n\n

John Gruber<\/a> (tweet<\/a>):<\/p>\n

This is a big deal, and from what I understand, a major multi-year undertaking by the iMessage team. Cimpanu’s report makes it sound like it’s an iOS 14 feature, but it’s on MacOS 11, too — it’s an iMessage feature.<\/p><\/blockquote>\n\n

Previously:<\/p>\n