> While this approach works, continuously changing page permissions is often quite slow. A better solution for performance is to (ab)use memory mappings to map the same physical page twice, with two virtual addresses, one of which is accessible with write permissions and one which enables execute permissions.
To Apple engineers reading this: please don’t patch this technique (unless you’re going to replace it with real JIT APIs). It’s not a security issue because get-task-allow entitlement is never granted in distribution certificates. And it’s allowing us devs to not have to jailbreak our phones and lose out on the security and privacy of the system.
It’s not an ‘abuse’ of virtual memory and it doesn’t need patching - virtual memory is designed to map multiple times and this functionality is used for basic things like malloc.
We’re referring to the ability to remap RX memory as RW without the JIT entitlement which is normally needed to map RWX pages. The author calls it an (ab)use because mapping RWX is prohibited by the system but RW+RX in aliased memory which effectively achieves the same purpose is allowed. This ability is what I hope Apple doesn’t patch at a misguided attempt to fix a “security issue” (which I argue is not).
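Added example, not from the linked article or from any commenter here, of the aliasing the quoted paragraph and this comment describe, written for Linux/POSIX rather than iOS: one backing object is mapped twice, RW for the emitter and RX for execution, so no page is ever RWX and no permission flip is needed per write. It assumes memfd_create (Linux) or shm_open as the backing object and an x86-64 or arm64 host; the machine-code bytes are constructed for the example.

```c
#define _GNU_SOURCE                 /* memfd_create on glibc */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct { uint8_t *rw; uint8_t *rx; size_t len; } jit_region;

/* Map one anonymous backing object twice: an RW alias for the emitter and an
 * RX alias for execution. No mapping is ever RWX. Returns 0 on success. */
static int jit_region_create(jit_region *r, size_t len) {
#ifdef __linux__
    int fd = memfd_create("jit-alias", 0);
#else                                       /* POSIX fallback, e.g. macOS */
    char name[64];
    snprintf(name, sizeof name, "/jit-alias-%ld", (long)getpid());
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) shm_unlink(name);          /* keep only the descriptor */
#endif
    if (fd < 0 || ftruncate(fd, (off_t)len) != 0) return -1;
    r->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    r->rx = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);                              /* the mappings keep the object alive */
    if (r->rw == MAP_FAILED || r->rx == MAP_FAILED) return -1;
    r->len = len;
    return 0;
}
/* Machine code for "return 42", constructed for this example. */
#if defined(__x86_64__)
static const uint8_t kReturn42[] = { 0xB8, 42, 0, 0, 0, 0xC3 };                        /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t kReturn42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "no encoding provided for this architecture in the example"
#endif

/* Emit through the RW alias, verify the RX alias sees the same bytes, then
 * call through the RX alias. Returns 42 on success, negative on failure. */
static int jit_run_return42(void) {
    jit_region r;
    if (jit_region_create(&r, 4096) != 0) return -1;
    memcpy(r.rw, kReturn42, sizeof kReturn42);
    int ok = memcmp(r.rx, kReturn42, sizeof kReturn42) == 0;   /* same physical page? */
    __builtin___clear_cache((char *)r.rx, (char *)r.rx + sizeof kReturn42); /* i-cache sync on arm64 */
    int (*fn)(void);
    memcpy(&fn, &r.rx, sizeof fn);          /* data pointer -> function pointer, warning-free */
    int result = ok ? fn() : -2;
    munmap(r.rw, r.len); munmap(r.rx, r.len);
    return result;
}
```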
I would argue that being able to run arbitrary code that I have authorized on my hardware is not a security issue, but Apple clearly disagrees :) I would expect Apple to patch ptrace rather than virtual memory remapping, in this case, since there really is no reason that an application that is not spawned by debugserver "needs" to be able to request PT_TRACE_ME. But since this doesn't really affect most users, maybe they'll let us have some fun for once…
Yes, just like that time they killed third-party apps that let you limit your kids' use of certain apps.
There was absolutely no security issue in an app that installed a VPN on your kids' phone that recorded everything your kids did and sent it back to a random company.
In the same vein, there was no security issue when Google and Facebook encouraged end users to install a profile that was supposed to be used internally so they could intercept all of your traffic...
This isn't "whataboutism". The entire thesis of the parent post was that Apple did things to push third parties out of business under the guise of security when it really wasn't about security.
I noticed the author had some comments on this approach on an HN thread the day before, "QEMU for iOS". Probably the previous discussions stirred some creative juices and they figured it's a good topic to elaborate upon in blog post form.
Somewhat, the story for this is a bit complicated :) I'm sure the ptrace trick was already well known by the jailbreaking community long before I discovered it independently, but I used that to port TinyCC to iOS: https://github.com/saagarjha/tinycc/tree/ios. (This was after Apple allowed people to sideload apps on their devices, so I was planning on making an app that would let you write C on your phone. I made an early demo and even an app icon, but lost motivation after I couldn't figure out how to make my app appear in the sidebar of the Files app, go figure.) Emulators started implementing it at some point, and after not being able to do anything useful with it I just stuck around whispering it to anyone who'd listen. At some point I realized that a Mach exception handler might help solve the freezing issue described in the post, and UTM was the first app where I actually implemented it to see if it would work (though I suggested it to Dolphin earlier: https://github.com/dolphin-emu/dolphin/pull/8492#issuecommen...). Since I ended up writing essentially the same thing for PPSSPP (https://github.com/saagarjha/ppsspp) and I knew that there were other emulators that had the same issue, I figured I'd just write it up and point people at that instead of trying to send patches to all of them. I'm kind of lazy ;)
I am fascinated by your port of UTM and have to ask the question you’ve probably been asked thousands of times: is there any prospect of you releasing this on TestFlight?
Unfortunately, the JIT described here cannot be used in an app submitted to Apple for review, which is required for all apps distributed on the App Store or via TestFlight. By the way, osy (who is also in this thread) is the author of UTM, so you'd want to ask them about project management decisions like these. I just submit patches :)
TestFlight has the same restrictions on app permissions and private API usage as the App Store. A UTM port that requires the get-task-allow permission to enable JIT cannot be distributed through TestFlight.
Just finished implementing this for UTM :) https://github.com/utmapp/qemu/commits/ios-support