Xcode 7 Bitcode Workflow and Security Assessment

ID MYHACK58:62201570105
Type myhack58
Reporter Anonymous
Modified 2015-12-17T00:00:00


With Xcode 7, Apple added a new feature to Xcode: Bitcode 【1】. New features often mean new attack surface. This article first describes what Bitcode is and how the Bitcode workflow operates. With the workflow understood, it then assesses the attack surface related to Bitcode, and finally describes the testing method and current test results for each attack surface.

0x01 What is Bitcode

Simply put, Bitcode is the on-disk binary representation of LLVM-IR. For a detailed description of Bitcode, see 【2】; here an example is used to give a feel for it.

First write a simple C program that computes the sum of two numbers:

    int add(int a, int b)
    {
        int c = a + b;
        return c;
    }

Save the program as add.c, then compile the source into Bitcode:

    clang -emit-llvm -c add.c -o add.bc

This command generates add.bc. Open the generated file in a binary editor to view its content:

[Figure: add.bc opened in a binary editor]

Because Bitcode is a binary representation of LLVM-IR, as the figure above shows, it is essentially unreadable without knowing the encoding. Next, convert the Bitcode into text form:

    llvm-dis add.bc -o add.ll

Open add.ll in a text editor to see the LLVM-IR of the add function:

    ; ModuleID = 'add.bc'
    target datalayout = "e-m:o-i64:64-f80:128-n8:16:32:64-S128"
    target triple = "x86_64-apple-macosx10.11.0"

    ; Function Attrs: nounwind ssp uwtable
    ; The following is the LLVM-IR corresponding to add()
    ; Note that this representation introduces many variables;
    ; interested readers can look up Static Single Assignment (SSA)
    define i32 @add(i32 %a, i32 %b) #0 {
      %1 = alloca i32, align 4          ; variable 1, 4 bytes of space, later used to store parameter a
      %2 = alloca i32, align 4          ; variable 2, 4 bytes of space, later used to store parameter b
      %c = alloca i32, align 4          ; variable c, 4 bytes of space, later used to store the result c
      store i32 %a, i32* %1, align 4    ; save a to variable 1
      store i32 %b, i32* %2, align 4    ; save b to variable 2
      %3 = load i32, i32* %1, align 4   ; load the value of variable 1 into variable 3
      %4 = load i32, i32* %2, align 4   ; load the value of variable 2 into variable 4
      %5 = add nsw i32 %3, %4           ; add variable 3 and variable 4, save to variable 5
      store i32 %5, i32* %c, align 4    ; save variable 5 to the result c
      %6 = load i32, i32* %c, align 4   ; load the result c into variable 6
      ret i32 %6                        ; return variable 6
    }

Having compared the source code with the annotated LLVM-IR of add(), you should now have an intuitive feel for LLVM-IR. Next, we look at the Bitcode workflow.

0x02 Workflow

Apple's description of the workflow:

"When you archive for submission to the App Store, Xcode compiles your app into an intermediate representation. The App Store then compiles the bitcode down into the 64- or 32-bit executables as necessary."

The workflow above can be divided into two stages:

1. When the application is uploaded to the App Store, Xcode uploads the program's Bitcode along with it.
2. The App Store recompiles the Bitcode into an executable program for users to download.
The following divides the complete Bitcode workflow into several questions or sub-processes and describes each:

1. Where is the Bitcode?
2. The method of embedding Bitcode
3. The method of generating an executable program from Bitcode

Where is the Bitcode?

According to Apple's description, Bitcode is generated only on Archive, so build a test project:

[Figure: the test project]

Perform the Archive, then view the structure of the generated package:

[Figure: structure of the generated package]

Analysis of the directory above does not directly turn up any Bitcode, so next check the generated Mach-O. Loading the generated Mach-O in MachOView gives the result shown below:

[Figure: the generated Mach-O loaded in MachOView]

The figure above shows that the final executable contains a number of LLVM-related segments and sections. Continue by viewing the information for the corresponding section:

[Figure: contents of the __bundle section]

As shown above, the __bundle section stores a xar archive. Extract the xar archive, then unpack it with the following command:

    xar -x -f XXX.xar

After unpacking, you can see the Bitcode file.

Summary: Xcode packages the program's Bitcode into a xar archive and embeds it in the Mach-O.
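The lookup described above, locating the xar archive that Xcode embeds in the __bundle section of the __LLVM segment, can be scripted rather than done by hand in MachOView. The following Python is an added example, not code from the original article. It assumes a thin 64-bit little-endian Mach-O, and its sample input is a constructed minimal file whose payload is a placeholder rather than a real xar archive.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19
XAR_MAGIC = b"xar!"           # first four bytes of every xar archive

def find_bitcode_xar(macho: bytes):
    """Return the raw __LLVM,__bundle section (the xar archive), or None if absent."""
    if len(macho) < 32 or struct.unpack_from("<I", macho)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (fat and 32-bit files not handled)")
    ncmds = struct.unpack_from("<I", macho, 16)[0]
    off = 32                                     # sizeof(mach_header_64)
    for _ in range(ncmds):
        if off + 8 > len(macho):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8 or off + cmdsize > len(macho):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            segname = macho[off + 8:off + 24].rstrip(b"\0")
            nsects = struct.unpack_from("<I", macho, off + 64)[0]
            if 72 + 80 * nsects > cmdsize:
                raise ValueError("section table exceeds its load command")
            for i in range(nsects):
                s = off + 72 + 80 * i            # section_64 records follow the header
                sectname = macho[s:s + 16].rstrip(b"\0")
                size, fileoff = struct.unpack_from("<QI", macho, s + 40)
                if (segname, sectname) == (b"__LLVM", b"__bundle"):
                    blob = macho[fileoff:fileoff + size]
                    if len(blob) != size or not blob.startswith(XAR_MAGIC):
                        raise ValueError("__bundle is truncated or not a xar archive")
                    return blob
        off += cmdsize
    return None

def sample_macho(payload: bytes) -> bytes:
    """Constructed minimal Mach-O: one __LLVM segment holding one __bundle section."""
    data_off = 32 + 72 + 80
    sect = struct.pack("<16s16s2Q8I", b"__bundle", b"__LLVM", 0, len(payload),
                       data_off, 0, 0, 0, 0, 0, 0, 0)
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72 + 80, b"__LLVM",
                      0, 0, data_off, len(payload), 0, 0, 1, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(seg + sect), 0, 0)
    return hdr + seg + sect + payload

if __name__ == "__main__":
    # Placeholder payload: xar magic plus padding, not a real archive.
    xar = find_bitcode_xar(sample_macho(XAR_MAGIC + bytes(24)))
    print("embedded xar archive:", len(xar), "bytes")
```

Writing the returned bytes to a file gives the archive that the xar command above unpacks.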
