
Jailed Just-in-Time Compilation on iOS - tbodt
https://saagarjha.com/blog/2020/02/23/jailed-just-in-time-compilation-on-ios/
======
osy
> While this approach works, continuously changing page permissions is often
> quite slow. A better solution for performance is to (ab)use memory mappings
> to map the same physical page twice, with two virtual addresses, one of
> which is accessible with write permissions and one which enables execute
> permissions.

Just finished implementing this for UTM :)
[https://github.com/utmapp/qemu/commits/ios-support](https://github.com/utmapp/qemu/commits/ios-support)

To Apple engineers reading this: please don’t patch this technique (unless
you’re going to replace it with real JIT APIs). It’s not a security issue
because get-task-allow entitlement is never granted in distribution
certificates. And it’s allowing us devs to not have to jailbreak our phones
and lose out on the security and privacy of the system.

~~~
chrisseaton
It’s not an ‘abuse’ of virtual memory and it doesn’t need patching - virtual
memory is designed to map multiple times and this functionality is used for
basic things like malloc.

~~~
osy
We’re referring to the ability to remap RX memory as RW without the JIT
entitlement which is normally needed to map RWX pages. The author calls it an
(ab)use because mapping RWX is prohibited by the system but RW+RX in aliased
memory which effectively achieves the same purpose is allowed. This ability is
what I hope Apple doesn’t patch in a misguided attempt to fix a “security
issue” (which I argue it is not).
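The RW+RX aliasing that the quoted passage and osy's comment above describe, as an added example that is not code from the post, from UTM or from QEMU. It uses Linux `memfd_create` plus two `mmap` calls of the same file offset (assumption: Linux with glibc 2.27 or newer, x86_64 or AArch64), not the Mach VM remap call an iOS implementation would use; the structure is the same: one writable view for emitting code, one executable view for running it, and no mapping that is ever both.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Two virtual views of one memfd-backed buffer: the JIT writes through `rw`
 * and calls through `rx`. Neither mapping is RWX, so a per-mapping W^X check
 * passes, yet the process still has a write path to executable bytes. */
typedef struct {
    int fd;
    size_t size;
    uint8_t *rw;        /* PROT_READ | PROT_WRITE view */
    const uint8_t *rx;  /* PROT_READ | PROT_EXEC view of the same pages */
} jit_region;

/* Returns 0 on success, -1 on failure. `size` is rounded up to a page. */
int jit_region_create(jit_region *r, size_t size) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size = (size + (size_t)page - 1) & ~((size_t)page - 1);
    int fd = memfd_create("jit-dual-map", MFD_CLOEXEC); /* Linux-specific (assumption) */
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) != 0) { close(fd); return -1; }
    void *rw = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED) { close(fd); return -1; }
    void *rx = mmap(NULL, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED) { munmap(rw, size); close(fd); return -1; }
    r->fd = fd; r->size = size; r->rw = rw; r->rx = rx;
    return 0;
}

/* Copy `len` bytes of machine code to offset `off` via the RW alias and make
 * them visible to instruction fetch through the RX alias. Rejects writes that
 * would run past the region instead of silently corrupting neighbours. */
int jit_region_emit(jit_region *r, size_t off, const void *code, size_t len) {
    if (off > r->size || len > r->size - off) return -1;
    memcpy(r->rw + off, code, len);
    /* No-op on x86; needed on AArch64, whose I-cache is not coherent with the D-cache. */
    __builtin___clear_cache((char *)(uintptr_t)(r->rx + off),
                            (char *)(uintptr_t)(r->rx + off + len));
    return 0;
}

void jit_region_destroy(jit_region *r) {
    munmap(r->rw, r->size);
    munmap((void *)(uintptr_t)r->rx, r->size);
    close(r->fd);
}

/* Proof of aliasing: bytes written through rw are readable through rx. */
int jit_region_aliases_match(const jit_region *r, size_t off, size_t len) {
    return memcmp(r->rw + off, r->rx + off, len) == 0;
}

/* Emit `return 42;` for the host ISA and execute it through the RX alias.
 * Returns 42 on success, -1 on an unsupported ISA or a mapping failure. */
int jit_demo_return42(void) {
#if defined(__x86_64__)
    static const uint8_t code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
    static const uint8_t code[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
    static const uint8_t code[] = { 0 };
    return -1; /* this demo only carries encodings for x86_64 and AArch64 */
#endif
    jit_region r;
    if (jit_region_create(&r, sizeof code) != 0) return -1;
    if (jit_region_emit(&r, 0, code, sizeof code) != 0) { jit_region_destroy(&r); return -1; }
    if (!jit_region_aliases_match(&r, 0, sizeof code)) { jit_region_destroy(&r); return -1; }
    int (*fn)(void) = (int (*)(void))(uintptr_t)r.rx;
    int result = fn();
    jit_region_destroy(&r);
    return result;
}

/* Returns 1 if an out-of-bounds emit is refused, 0 otherwise. */
int jit_demo_bounds_check(void) {
    jit_region r;
    uint8_t byte = 0xC3;
    if (jit_region_create(&r, 1) != 0) return 0;
    int refused = jit_region_emit(&r, r.size, &byte, 1) == -1;
    jit_region_destroy(&r);
    return refused;
}

int main(void) {
    printf("jit result: %d\n", jit_demo_return42());
    return 0;
}
```

The same property that makes this useful for an emulator is why a W^X check applied per mapping is only a partial control: a process that can create a writable alias of executable pages has a code-injection path regardless of the permissions on the executable view, which is why platforms gate the ability behind an entitlement or debug flag, as the thread discusses for iOS, rather than trusting mapping permissions alone.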

~~~
saagarjha
I would argue that being able to run arbitrary code that I have authorized on
my hardware is not a security issue, but Apple clearly disagrees :) I would
expect Apple to patch ptrace rather than virtual memory remapping, in this
case, since there really is no reason that an application that is not spawned
by debugserver "needs" to be able to request PT_TRACE_ME. But since this
doesn't really affect most users, maybe they'll let us have some fun for once…

------
kccqzy
This appears to be an expanded description of a long-known technique,
described by the author on HN years ago:
[https://news.ycombinator.com/item?id=18431524](https://news.ycombinator.com/item?id=18431524)

It's also mentioned in the source code of UTM, a virtual machine app for iOS:
[https://github.com/utmapp/UTM/blob/ac89c106ecf9c765ea47bfe04...](https://github.com/utmapp/UTM/blob/ac89c106ecf9c765ea47bfe0428f504fce9cd9a6/UTM/main.m#L28)

~~~
asveikau
I noticed the author had some comments on this approach on an HN thread the
day before, "QEMU for iOS". Probably the previous discussions stirred some
creative juices and they figured it's a good topic to elaborate upon in blog
post form.

~~~
saagarjha
Somewhat, the story for this is a bit complicated :) I'm sure the ptrace trick
was already well known by the jailbreaking community long before I discovered
it independently, but I used that to port TinyCC to iOS:
[https://github.com/saagarjha/tinycc/tree/ios](https://github.com/saagarjha/tinycc/tree/ios).
(This was after Apple allowed people to sideload apps on their devices, so I
was planning on making an app that would let you write C on your phone. I made
an early demo and even an app icon, but lost motivation after I couldn't
figure out how to make my app appear in the sidebar of the Files app, go figure.)
Emulators started implementing it at some point, and after not being able to
do anything useful with it I just stuck around whispering it to anyone who'd
listen. At some point I realized that a Mach exception handler might help
solve the freezing issue described in the post, and UTM was the first app
where I actually implemented it to see if it would work (though I suggested it
to Dolphin earlier: [https://github.com/dolphin-emu/dolphin/pull/8492#issuecomment-563146828](https://github.com/dolphin-emu/dolphin/pull/8492#issuecomment-563146828)). Since I ended up writing
essentially the same thing for PPSSPP
([https://github.com/saagarjha/ppsspp](https://github.com/saagarjha/ppsspp))
and I knew that there were other emulators that had the same issue, I figured
I'd just write it up and point people at that instead of trying to send
patches to all of them. I'm kind of lazy ;)

~~~
qubex
I am fascinated by your port of UTM and have to ask the question you’ve
probably been asked thousands of times: is there any prospect of you releasing
this on _TestFlight_?

~~~
saagarjha
Unfortunately, the JIT described here cannot be used in an app submitted to
Apple for review, which is required for all apps distributed on the App Store
or via TestFlight. By the way, osy (who is also in this thread) is the author
of UTM, so you'd want to ask them about project management decisions like
these. I just submit patches :)

