'전체 글'에 해당되는 글 471건

https://github.com/olxios/SmartSec_iOS_Security/blob/master/README.md

iOS 무결성 검증하는 소스 코드를 찾던 중 해당 내용을 확인하게 되어 글을 작성 합니다.

iOS Anti-Reversing Defenses

File Integrity Checks

등등에 대한 내용을 확인할 수 있다.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md#file-integrity-checks

File Integrity Checks (MSTG-RESILIENCE-3 and MSTG-RESILIENCE-11)

Overview

There are two topics related to file integrity:

1. Application source code integrity checks: In the "Tampering and Reverse Engineering" chapter, we discussed the iOS IPA application signature check. We also saw that determined reverse engineers can easily bypass this check by re-packaging and re-signing an app using a developer or enterprise certificate. One way to make this harder is to add an internal run-time check that determines whether the signatures still match at run time.

2. File storage integrity checks: When files are stored by the application, key-value pairs in the Keychain, UserDefaults/NSUserDefaults, a SQLite database, or a Realm database, their integrity should be protected.

Sample Implementation - Application Source Code

Apple takes care of integrity checks with DRM. However, additional controls (such as in the example below) are possible. The mach_header is parsed to calculate the start of the instruction data, which is used to generate the signature. Next, the signature is compared to the given signature. Make sure that the generated signature is stored or coded somewhere else.

int xyz(char *dst) { const struct mach_header * header; Dl_info dlinfo; if (dladdr(xyz, &dlinfo) == 0 || dlinfo.dli_fbase == NULL) { NSLog(@" Error: Could not resolve symbol xyz"); [NSThread exit]; } while(1) { header = dlinfo.dli_fbase; // Pointer on the Mach-O header struct load_command * cmd = (struct load_command *)(header + 1); // First load command // Now iterate through load command //to find __text section of __TEXT segment for (uint32_t i = 0; cmd != NULL && i < header->ncmds; i++) { if (cmd->cmd == LC_SEGMENT) { // __TEXT load command is a LC_SEGMENT load command struct segment_command * segment = (struct segment_command *)cmd; if (!strcmp(segment->segname, "__TEXT")) { // Stop on __TEXT segment load command and go through sections // to find __text section struct section * section = (struct section *)(segment + 1); for (uint32_t j = 0; section != NULL && j < segment->nsects; j++) { if (!strcmp(section->sectname, "__text")) break; //Stop on __text section load command section = (struct section *)(section + 1); } // Get here the __text section address, the __text section size // and the virtual memory address so we can calculate // a pointer on the __text section uint32_t * textSectionAddr = (uint32_t *)section->addr; uint32_t textSectionSize = section->size; uint32_t * vmaddr = segment->vmaddr; char * textSectionPtr = (char *)((int)header + (int)textSectionAddr - (int)vmaddr); // Calculate the signature of the data, // store the result in a string // and compare to the original one unsigned char digest[CC_MD5_DIGEST_LENGTH]; CC_MD5(textSectionPtr, textSectionSize, digest); // calculate the signature for (int i = 0; i < sizeof(digest); i++) // fill signature sprintf(dst + (2 * i), "%02x", digest[i]); // return strcmp(originalSignature, signature) == 0; // verify signatures match return 0; } } cmd = (struct load_command *)((uint8_t *)cmd + cmd->cmdsize); } } }

Sample Implementation - Storage

When ensuring the integrity of the application storage itself, you can create an HMAC or signature over either a given key-value pair or a file stored on the device. The CommonCrypto implementation is best for creating an HMAC. If you need encryption, make sure that you encrypt and then HMAC as described in Authenticated Encryption.

When you generate an HMAC with CC:

1. Get the data as NSMutableData.
2. Get the data key (from the Keychain if possible).
3. Calculate the hash value.
4. Append the hash value to the actual data.
5. Store the results of step 4.

// Allocate a buffer to hold the digest and perform the digest. NSMutableData* actualData = [getData]; //get the key from the keychain NSData* key = [getKey]; NSMutableData* digestBuffer = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH]; CCHmac(kCCHmacAlgSHA256, [actualData bytes], (CC_LONG)[key length], [actualData bytes], (CC_LONG)[actualData length], [digestBuffer mutableBytes]); [actualData appendData: digestBuffer];

Alternatively, you can use NSData for steps 1 and 3, but you'll need to create a new buffer for step 4.

When verifying the HMAC with CC, follow these steps:

1. Extract the message and the hmacbytes as separate NSData.
2. Repeat steps 1-3 of the procedure for generating an HMAC on the NSData.
3. Compare the extracted HMAC bytes to the result of step 1.

NSData* hmac = [data subdataWithRange:NSMakeRange(data.length - CC_SHA256_DIGEST_LENGTH, CC_SHA256_DIGEST_LENGTH)]; NSData* actualData = [data subdataWithRange:NSMakeRange(0, (data.length - hmac.length))]; NSMutableData* digestBuffer = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH]; CCHmac(kCCHmacAlgSHA256, [actualData bytes], (CC_LONG)[key length], [actualData bytes], (CC_LONG)[actualData length], [digestBuffer mutableBytes]); return [hmac isEqual: digestBuffer];

Bypassing File Integrity ChecksWhen you're trying to bypass the application-source integrity checks

1. Patch the anti-debugging functionality and disable the unwanted behavior by overwriting the associated code with NOP instructions.
2. Patch any stored hash that's used to evaluate the integrity of the code.
3. Use Frida to hook file system APIs and return a handle to the original file instead of the modified file.

When you're trying to bypass the storage integrity checks

1. Retrieve the data from the device, as described in the "Device Binding" section.
2. Alter the retrieved data and return it to storage.

Effectiveness Assessment

For the application source code integrity checks Run the app on the device in an unmodified state and make sure that everything works. Then apply patches to the executable using optool, re-sign the app as described in the chapter "Basic Security Testing", and run it. The app should detect the modification and respond in some way. At the very least, the app should alert the user and/or terminate the app. Work on bypassing the defenses and answer the following questions:

• Can the mechanisms be bypassed trivially (e.g., by hooking a single API function)?
• How difficult is identifying the anti-debugging code via static and dynamic analysis?
• Did you need to write custom code to disable the defenses? How much time did you need?
• What is your assessment of the difficulty of bypassing the mechanisms?

For the storage integrity checks A similar approach works. Answer the following questions:

• Can the mechanisms be bypassed trivially (e.g., by changing the contents of a file or a key-value pair)?
• How difficult is obtaining the HMAC key or the asymmetric private key?
• Did you need to write custom code to disable the defenses? How much time did you need?
• What is your assessment of the difficulty of bypassing the mechanisms??

https://www.kitploit.com/2019/11/sql-injection-payload-list.html?m=1

어느 순간부터 공부 했거나 수행 했던 업무 등이 기억나지 않아... 기록을 남겨본다..

뭐 언제까지 이어갈지는 나도 모르겠다