Stack protections in bitcode and after recompilation present?

Hi,


I have a Swift/Objective C/C++ combined iOS app (iOS 11) and I've used the -fstack-protector-all flag to guard against buffer overflows.

When I use "otool -Iv [binary]", on the binary that's in the xcarchive, I can see stack protections present.

However, when I export to an .ipa (and sign it with a distribution certificate) with bitcode enabled and I run the same otool command on the binary in the .ipa, otool does not show stack protections anymore.


I'm assuming here that the LLVM intermediate language format is different from the machine language format and thus these protections are not shown.


My question: I cannot find any clear literature online about this: are stack protections still present in bitcode and/or are stack protections present after Apple recompiles the bitcode into architecture specific machine language when the app is deployed to the App Store?


Thanks in advance for the help!


Maurice

Replies

Hi all,


I've worked this out with Apple support and wanted to share the outcome with you for future reference:


It's confirmed that the bitcode version of your iOS app still has stack-protections in place (if it's built from Swift, or if it's built with a -fstack-protector-* flag in case of C++ or Objective-C code). Because bitcode is a different representation than LLVM machine code, `otool -Iv [binary]` or `nm -m [binary]` will not show stack protections like below:

(undefined) external ___stack_chk_fail (from libSystem)
(undefined) external ___stack_chk_guard (from libSystem)

So if you want to confirm/validate that stack protections are still in place when you compile to bitcode, you can do two things:

- archive your project and check with otool or nm on the binary in the .xcarchive

- generate your .ipa out of your archive and sign it with an ad-hoc certificate, and indicate you want to recompile the bitcode to machine code. You can achieve this by adding the following line to adHoc.plist:


<key>compileBitcode</key><true/>


And use the argument `-exportOptionsPlist "appStore.plist"` in your xcodebuild command if you're building from the command line. Alternatively you can indicate 'recompile from bitcode' if you use the wizard to package your .ipa.


Afterwards, you can use otool/nm on the binary in that .ipa to verify that stack protections are indeed still there.


Unfortunately you cannot recompile an .ipa that was signed with an AppStore certificate, so signing it with an Adhoc certificate is the closest there is to validate this process.


Hope this helps!
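The archive / ad-hoc export / nm check described in the reply above, written up as an added shell example (not code from the original thread or from Apple). It assumes a scheme named MyApp, an export-options plist named adHoc.plist that contains `<key>compileBitcode</key><true/>`, and that the bundle's executable has the same name as the .app; all three are placeholder assumptions.

```shell
#!/bin/sh
# Added example: verify that stack-protector symbols survive the bitcode
# recompile by exporting an ad-hoc .ipa and inspecting its main executable.
set -eu

# Returns 0 when the given `nm -m` output lists both symbols the reply
# names (___stack_chk_fail and ___stack_chk_guard), 1 otherwise. Takes the
# text as an argument so it can be checked against captured output offline.
has_stack_protector_symbols() {
    printf '%s\n' "$1" | grep -q '___stack_chk_fail' &&
    printf '%s\n' "$1" | grep -q '___stack_chk_guard'
}

# Unpacks an .ipa, runs `nm -m` on the bundle executable and reports whether
# the stack-protector symbols are present.
check_ipa() {
    ipa="$1"
    tmp=$(mktemp -d)
    unzip -q "$ipa" -d "$tmp"
    app=$(find "$tmp/Payload" -maxdepth 1 -name '*.app' | head -n 1)
    # Assumption: executable name matches the bundle name (the usual case).
    exe="$app/$(basename "$app" .app)"
    symbols=$(nm -m "$exe")
    rm -rf "$tmp"
    if has_stack_protector_symbols "$symbols"; then
        echo "stack protector symbols present in $ipa"
    else
        echo "stack protector symbols NOT found in $ipa" >&2
        return 1
    fi
}

# Archive, export with compileBitcode=true (set in adHoc.plist), then check.
# Scheme and plist names are placeholders; run this on a Mac with Xcode.
build_and_check() {
    xcodebuild -scheme MyApp -archivePath build/MyApp.xcarchive archive
    xcodebuild -exportArchive -archivePath build/MyApp.xcarchive \
        -exportOptionsPlist adHoc.plist -exportPath build/export
    check_ipa build/export/MyApp.ipa
}

# Constructed samples of `nm -m` output for exercising the check offline.
SAMPLE_PROTECTED='(undefined) external ___stack_chk_fail (from libSystem)
(undefined) external ___stack_chk_guard (from libSystem)
(undefined) external _objc_msgSend (from libobjc)'
SAMPLE_UNPROTECTED='(undefined) external _objc_msgSend (from libobjc)'
```

Call `build_and_check` on a Mac to run the whole flow; `has_stack_protector_symbols "$(nm -m path/to/binary)"` works on any Mach-O you already have, such as the one inside the .xcarchive.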