iOS - some concepts of Penetration Testing

1. Stack Cookie (aka Stack Canary)

Stack Smashing Protection:

Stack smashing protection is an exploit mitigation technique that protects against stack overflow attacks by placing a random value known as stack canary before local variables on stack. The stack canary is checked upon return of the function. In case of an overflow, the canary is corrupted, and the application is able to detect and protect against the overflow. In order to take advantage of the stack smashing protection, the application should be compiled with the –fstack-protector-all flag.

iOS applications which use the stack canaries will contain _stack_chk_fail and _stack_chk_guard symbols in the binary.To find out whether the application is protected with stack smashing protection or not, connect the iPhone over SSH and execute the command below.

Otool –I –v ApplicationBinary | grep stack
2. ARC

Automatic Reference Counting:

ARC is another exploit mitigation technique introduced in iOS 5. It protects applications from memory corruption vulnerabilities by moving the responsibility of memory management from the developer to the compiler. ARC can be enabled in an application within XCode by setting the compiler option “Objective-C Automatic Reference Counting” to “yes”. By default it is marked as “yes”.

iOS applications with ARC enabled will contain_objc_release symbols in the binary.To find out whether the application is using ARC or not, execute the command below on SSH terminal.

Otool –I –v ApplicationBinary | grep _objc_release

3. PIE

Address Space Layout Randomization

ASLR is an important exploit mitigation technique introduced in iOS 4.3. ASLR makes the remote exploitation of memory corruption vulnerabilities significantly more difficult by randomizing the application objects’ location in the memory. By default, iOS applications use limited ASLR and only randomize part of the objects in the memory.

In order to take full advantage of ASLR, the application should be compiled with the -fPIE –pie flag (“Generate Position-Dependent Code” build option in Xcode). In the latest version of the XCode, this flag is automatically checked by default.

references: 
http://resources.infosecinstitute.com/penetration-testing-for-iphone-applications-part-5/

https://security.stackexchange.com/questions/47341/how-does-the-stack-cookie-protect-return-address-from-being-overwrite

https://security.stackexchange.com/questions/20497/stack-overflows-defeating-canaries-aslr-dep-nx
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 大白 设计师: CSDN官方博客
应支付0元
点击重新获取
扫码支付

支付成功即可阅读