[Repost] Blocking Code Injection on iOS and OS X

Source:http://www.samdmarshall.com/blog/blocking_code_injection_on_ios_and_os_x.html

Yesterday I posted (on Twitter) a set of linker flags that can be set to block certain types of code injection on iOS and OS X, based on a little-known check inside the dynamic linker. This is an explanation of how and why those flags work and what they do.

Background

The dynamic linker (dyld) is the process that loads and runs binaries on OS X and iOS. It also honors a set of special environment variables that modify its normal behavior (you can check out the whole list in the dyld man page or on the web). One commonly used environment variable is "DYLD_INSERT_LIBRARIES":

DYLD_INSERT_LIBRARIES
    This is a colon separated list of dynamic libraries to load before the ones specified in the
    program. This lets you test new modules of existing dynamic shared libraries that are used in
    flat-namespace images by loading a temporary dynamic shared library with just the new modules.
    Note that this has no effect on images built a two-level namespace images  using a dynamic
    shared library unless DYLD_FORCE_FLAT_NAMESPACE is also used.

This is commonly used to inject dylibs into applications in order to modify their behavior or patch specific functionality; it is how the vast majority of modifications to existing applications are run on jailbroken devices. It also has more mundane uses, such as injecting code for analysis and debugging from Xcode.

When an application is launched, the binary is run through dyld, which processes the binary file to find which libraries it needs to load and link against in order to build a complete symbol table. Doing this requires parsing the binary header, and while parsing it dyld can set internal flags based on which segments are present in the binary. One special flag is set for binaries that are marked as "restricted": it means the dynamic linker should ignore any of its environment variables that have been set.

Stopping dyld from Loading Code

There are three ways to flag a binary as "restricted" to the dynamic linker.

  1. Set restricted status by entitlements

    This option is only available to applications on OS X with special entitlements.

  2. setuid and setgid

    Any application that makes either of these two calls is going to be marked as restricted by the linker as a security measure.

  3. Restricted Segment of Header

    The final way to mark a binary as restricted is to tell the linker, when you compile it, to add a new segment to the binary header named "__RESTRICT" that contains a section named "__restrict". This can be done in Xcode by adding the following flags to your "Other Linker Flags":

     -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
    

    This segment type is not mentioned anywhere in Apple's documentation for the Mach-O ABI. Google results for how it works are also very sparse. The only place it is actually documented is the source code for dyld.

Notes

  • If Apple ever removes the check for this type of segment from its binary header parsing, the segment isn't going to cause problems for your app.
  • This should only be added to build configurations whose resulting binary you plan to distribute. Marking debug builds as restricted can cause problems when you go to debug using Instruments, Guard Malloc, and many third-party debugging tools that rely on library injection.
  • The flags listed above generate an empty section (size zero) in the binary. If you wish to validate your own binaries, you can specify a file name instead of "/dev/null" and the linker will store that file's contents in the binary's header. Adding your own file there can be useful if you plan on validating that your binary is correctly signed and not modified.
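As an added example (not code from the original post, and not dyld's own code), here is a small Python checker that performs the same walk over a Mach-O header that dyld's restricted-binary check does: it looks for a segment named "__RESTRICT" containing a section named "__restrict", handles thin 32-bit and 64-bit images as well as fat (universal) files, and returns the section's contents so you can confirm that a file you embedded in place of /dev/null is actually present in a release build. The struct layouts follow <mach-o/loader.h> and <mach-o/fat.h>; the function names are my own, and the sample images are constructed inline with struct rather than compiled, so the script runs anywhere. Against a real binary you would pass open(path, "rb").read() to is_restricted() or restrict_marker().

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constants from <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_TYPE_ARM64, CPU_TYPE_X86_64 = 0x0100000C, 0x01000007

# (mach_header, segment_command, section) layouts per word size, little-endian.
_LAYOUT = {
    MH_MAGIC_64: ("<IiiIIIII", LC_SEGMENT_64, "<II16sQQQQiiII", "<16s16sQQIIIIIIII"),
    MH_MAGIC: ("<IiiIIII", LC_SEGMENT, "<II16sIIIIiiII", "<16s16sIIIIIIIII"),
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded 16-byte Mach-O name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def restrict_sections(image: bytes) -> List[Dict[str, int]]:
    """Walk the load commands of one thin Mach-O image, as dyld does, and return the
    file offset and size of every section named __restrict that lives inside a
    segment named __RESTRICT. An empty list means the image carries no marker."""
    (magic,) = struct.unpack("<I", image[:4])
    if magic not in _LAYOUT:
        raise ValueError("not a little-endian thin Mach-O image: magic 0x%08x" % magic)
    hdr_fmt, seg_cmd, seg_fmt, sect_fmt = _LAYOUT[magic]
    hdr_size, seg_size, sect_size = (struct.calcsize(f) for f in (hdr_fmt, seg_fmt, sect_fmt))
    ncmds = struct.unpack(hdr_fmt, image[:hdr_size])[4]  # field 4 of mach_header is ncmds
    found, pos = [], hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", image[pos:pos + 8])
        if cmdsize < 8:
            raise ValueError("malformed load command at offset %d" % pos)
        if cmd == seg_cmd:
            seg = struct.unpack(seg_fmt, image[pos:pos + seg_size])
            if _cstr(seg[2]) == "__RESTRICT":  # seg[2] = segname, seg[9] = nsects
                for i in range(seg[9]):
                    off = pos + seg_size + i * sect_size
                    sect = struct.unpack(sect_fmt, image[off:off + sect_size])
                    if _cstr(sect[0]) == "__restrict":  # sect[3] = size, sect[4] = file offset
                        found.append({"offset": sect[4], "size": sect[3]})
        pos += cmdsize
    return found


def restrict_marker(image: bytes) -> Optional[bytes]:
    """Contents of the first __restrict section: b"" when /dev/null was linked in,
    the embedded file's bytes otherwise, None when the segment is absent."""
    sects = restrict_sections(image)
    if not sects:
        return None
    return image[sects[0]["offset"]:sects[0]["offset"] + sects[0]["size"]]


def is_restricted(binary: bytes) -> Dict[str, bool]:
    """For a thin file return {'thin': flag}; for a fat (universal) file return one flag
    per architecture slice, keyed by cputype, since every slice has its own header."""
    (magic_be,) = struct.unpack(">I", binary[:4])
    if magic_be != FAT_MAGIC:
        return {"thin": bool(restrict_sections(binary))}
    (nfat,) = struct.unpack(">I", binary[4:8])
    result = {}
    for i in range(nfat):  # fat_arch entries are big-endian, 20 bytes each
        cputype, _sub, off, size, _align = struct.unpack(">iiIII", binary[8 + 20 * i:28 + 20 * i])
        result["cputype_0x%08x" % cputype] = bool(restrict_sections(binary[off:off + size]))
    return result


def build_sample_image(marker: Optional[bytes]) -> bytes:
    """Constructed sample, not a compiled binary: a minimal 64-bit Mach-O executable header
    with a __TEXT segment and, when marker is not None, the __RESTRICT/__restrict segment
    that -sectcreate adds, with the marker bytes stored as the section's contents."""
    text = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                       0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    cmds = [text]
    if marker is not None:
        data_off = 32 + 72 + 152  # header + __TEXT command + __RESTRICT command with one section
        seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 152, b"__RESTRICT",
                          0x100001000, 0x1000, data_off, len(marker), 1, 1, 1, 0)
        sect = struct.pack("<16s16sQQIIIIIIII", b"__restrict", b"__RESTRICT",
                           0x100001000, len(marker), data_off, 0, 0, 0, 0, 0, 0, 0)
        cmds.append(seg + sect)
    body = b"".join(cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, len(cmds), len(body), 0, 0)
    return header + body + (marker or b"")


def build_fat(slices: List[Tuple[int, bytes]]) -> bytes:
    """Constructed universal file: a big-endian fat header followed by each thin image
    placed on a 4 KiB boundary, which is how lipo lays out multi-architecture binaries."""
    align = 0x1000
    archs, blobs, offset = b"", b"", align
    for cputype, img in slices:
        archs += struct.pack(">iiIII", cputype, 0, offset, len(img), 12)  # 12 = log2(4096)
        padded = img + b"\0" * (-len(img) % align)
        blobs, offset = blobs + padded, offset + len(padded)
    table = struct.pack(">II", FAT_MAGIC, len(slices)) + archs
    return table + b"\0" * (align - len(table)) + blobs


if __name__ == "__main__":
    for label, marker in (("no marker", None), ("/dev/null", b""), ("embedded file", b"build-id:constructed")):
        print("%-14s -> %r" % (label, restrict_marker(build_sample_image(marker))))
    universal = build_fat([(CPU_TYPE_ARM64, build_sample_image(b"")),
                           (CPU_TYPE_X86_64, build_sample_image(None))])
    print(is_restricted(universal))  # only the arm64 slice is marked restricted
```

The per-slice result matters in practice: a universal binary is only as restricted as each of its slices, because dyld reads the header of the slice it actually loads. This check confirms that the segment is present; which conditions make dyld ignore its environment variables remains documented only in the dyld source, as the post says.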


Time: 2024-09-30 05:29:58
