Skip to content

Using_iOracle

Jump to bottom
CostinCarabas edited this page May 15, 2017 · 44 revisions

Using iOracle

Instructions for using iOracle.

There are four steps to complete before iOracle can be used to make queries:

  1. Extract static data from device
  2. Extract relevant sandbox profile data
  3. Extract dynamic data from device
  4. Post process and consolidate facts and rules

Before any of these steps can be completed, you may need to set up certain dependencies. The iOracle repo should already include most of the binaries needed, but it does not set up prolog for you. We have been using swi-prolog and a regular expression package for it. To install these on OS X, perform the following steps. Things should be similar when installing on Linux.

 #install homebrew if you don't have it already
 #use homebrew to install swipl and its libarchive
 brew install libarchive
 brew uninstall swi-prolog
 brew install swi-prolog --with-libarchive
 #launch swipl
 swipl
 #within the prolog prompt, type the following to install the regex package
 pack_install(regex).

1. Extract static data from device

There are 2 steps to extracting static data:

  1. Extract data from connected device
  2. Extract data from extracted file system

Extract data from connected device

We have bundled all the relevant scripts into iOracle/automatedDataExtraction/dataExtractorForConnectedDevice.sh This script extracts many data easier to get on a live device, but not necessarily dynamic data. It also extracts the file system of the device which is used as input for the next step. The following is it's usage output:

 Usage: ./dataExtractorForConnectedDevice.sh userOniOSDevice hostOfiOSdevice portForiOSDevice directoryToDownload directoryForOutput
 Example: ./dataExtractorForConnectedDevice.sh root localhost 2270 / iPod5_iOS812_12B440
 WARNING: This script will sudo rm -rf the directory at the path of directoryForOutput

Extract data from extracted file system.

We have bundled the static analysis scripts that can be run on an extracted file system into iOracle/automatedDataExtraction/dataExtractorForExtractedFileSystem.sh. These scrips also include our idascripts that determine which sandbox profiles are used by processes that assign sandboxes to themselves. The following is it's usage output:

Usage: ./dataExtractorForExtractedFileSystem.sh directoryProducedBydataExtractorForConnectedDeviceScript
Example: ./dataExtractorForExtractedFileSystem.sh iPod5_iOS812_12B440

In the usage examples, the directory for output is iPod5_iOS812_12B440, so after running these scripts a directory called iPod5_iOS812_12B440 would now contain a subdirectory called prolog facts with our statically generated prolog facts.

2. Extract relevant sandbox profile data

There are three steps to producing the relevant sandbox profile data:

  1. Use SandBlaster to get the SBPL formatted profiles for the iOS version of the device
  2. Use SandScout and it's bulk analysis script to convert all SBPL profiles into Prolog facts
  3. Copy Prolog facts into the directory of prolog facts produced during static analysis

SandBlaster

Clone the SBPL profiles for the relevant iOS version from the SandBlaster output repo, sandbox_profiles. This should produces a directory full of about 100 different .sb files containing the SBPL formatted sandbox profiles. This directory is used as input to SandScout.

SandScout

The scripts for sandscout can be found in iOracle/allProfileSandScout/. processAllProfiles.sh will use the sandscout compiler (still called smartPly.py) to process each SBPL file in the directory created by sandblaster. processAllProfiles.sh produces two types of output, a directory filled with prolog fact files for each profile and a single file containing all of these facts consolidated together. The single consolidated file is what we will use as input for the next step. The directory of individual files is only useful for debugging or for manual analysis of profile rules.

The following is the usage output for processAllProfiles.sh:

  Usage: ./processAllProfiles.sh directoryContainingSBPLProfiles directoryToOutputTo fileToConsolidateFactsInto
  Example: ./processAllProfiles.sh SBPLProfiles/ prologFactsForProfiles/ ./allTheProfileFacts.pl

Copy Profile Facts to Directory of Prolog Facts for Device

Next, we want to move or copy the single file of consolidated profile facts into the directory of prolog facts for the device. This step might look like the following:

  cp all_profile_facts_812.pl iPod5_iOS812_12B440/prologFacts/

We should really bundle this step into the functionality of processAllProfiles.sh.

3. Extract dynamic data from device

The relevant scripts are now stored in iOracle/automatedDataExtraction/dynamicAnalysisPrototype/

To perform dynamic analysis over an iOS device:

  ./startDynamicAnalysis.sh $user $host $port $outputFolder

The setup should be done in background and should be ready within seconds.

  • Perform several scenarios. This part is manual. 
   ./stopDynamicAnalysis.sh $user $host $port $outputFolder

This will clean up the device and should put it in the initial state. After that, prolog files should be generated.

The prolog files are stored at $outputFolder/prologFacts.

4. Post Process and Consolidate

Post processing and consolidating requires two steps:

  1. Run post processing script
  2. Load facts and rules into Prolog

We should integrate the following steps into the script that stops and cleans up the dynamic analysis scripts. Once the dynamic analysis is finished, it should be ok to automatically run the following post processing steps.

Run Post Processing Script

The post processing script, postProcessing.sh, is located in iOracle/unixPermissionRuleWorkInProgress/tdd/scripts/. It does the following:

  • Produce facts about unix permissions more amenable to prolog queries
  • Produce facts representing directory parent-child relationships, which helps Prolog evaluate rules about directory parents
  • Removes facts that contain unsanitized strings (we replace certain characters in file paths that cause us trouble).
  • Consolidate all prolog facts in the device's prolog directory into one file called all_facts.pl and place this file into the device's directory. (e.g., iPod5_iOS812_12B440/all_facts.pl)

Since this step consolidates all the prolog facts, it must be done after all of the previous, fact producing steps have completed.

The following is the usage output of postProcessing.sh:

  Usage: ./postProcessing.sh inputDirectoryUsedForExtraction
  Example: ./postProcessing.sh iPod5_iOS812_12B440

Load Facts and Rules Into Prolog

I've created directory at iOracle/rules/ that contains symbolic links to our Prolog rules files as well as a prolog file that just imports all these rules called all_rules.pl.

To load all the relevant facts and rules to make queries do the following:

  • Launch swipl
  • Load all the facts e.g., ["iPod5_iOS812_12B440/all_facts"].
  • Load all the rules e.g., ["rules/all_rules"].

As we add more collections of rules, we must remember to update iOracle/rules/ as well as all_rules.pl. Note that when testing it is sufficient to reload the rules after changing them. This is much more efficient than quitting prolog and needing to reload all of the facts again.

How to Make Queries

Now that you are ready to make queries, it will help to review the following documentation of the facts and rules available to us when making queries. Note that the rule files in iOracle/rules also contain comments that should help explain how they work. Contact Luke if you have any questions about Prolog.

  • iOracle/prolog_fact_documentation.txt
  • iOracle/prolog_rule_documentation.txt
Clone this wiki locally