Source:http://www.samdmarshall.com/blog/blocking_code_injection_on_ios_and_os_x.html
Yesterday I posted on Twitter a set of linker flags that can be set to block certain types of code injection on iOS and OS X. They work because of a little-known check inside the dynamic linker. This is an explanation of how and why those flags work and what they do.
Background
The dynamic linker (dyld) is the process that loads and runs binaries on OS X and iOS. It also honors a number of special environment variables that modify its normal behavior (the whole list is in the dyld man page). One commonly used environment variable is DYLD_INSERT_LIBRARIES:
DYLD_INSERT_LIBRARIES: This is a colon separated list of dynamic libraries to load before the ones specified in the program. This lets you test new modules of existing dynamic shared libraries that are used in flat-namespace images by loading a temporary dynamic shared library with just the new modules. Note that this has no effect on images built as two-level namespace images using a dynamic shared library unless DYLD_FORCE_FLAT_NAMESPACE is also used.
This is commonly used to inject dylibs into applications in order to modify their behavior or patch specific functionality; it is how the vast majority of modifications to existing applications are run on jailbroken devices. It also has more mundane uses, such as injecting code for analysis and debugging from within Xcode.
When an application is launched, the binary is run through dyld, which processes the binary file: it works out which libraries the binary needs to load and link against in order to build a complete symbol table. Doing this requires parsing the Mach-O header, and while parsing it dyld can set internal flags based on which segments are present in the binary. One such flag is set for binaries that are marked as "restricted". It tells the dynamic linker to ignore the DYLD_* environment variables it was started with, DYLD_INSERT_LIBRARIES included, so no extra libraries get loaded.
Stopping dyld from Loading Code
There are three ways to flag a binary as "restricted" to the dynamic linker.
Set Restricted Status by Entitlements
This option is available to applications on OS X that carry special entitlements.
Setuid and Setgid
Any binary that runs with the setuid or setgid bit set is marked as restricted by the linker as a security measure (dyld checks this with issetugid() at launch, so it applies to privileged binaries rather than to programs that merely call setuid() later).
Restricted Segment in the Header
The final way to mark a binary as restricted is to tell the linker to add a new segment to the Mach-O header, named "__RESTRICT" and containing a section named "__restrict", when you link it. This can be done in Xcode by adding the following to your "Other Linker Flags":
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
This segment type isn't mentioned anywhere in Apple's documentation for the Mach-O ABI, and search results on how it works are very sparse. The only place it is actually documented is the source code of dyld itself.
Notes
If Apple ever removes the check for this segment from dyld, the extra segment will simply be ignored and won't cause problems for your app. You would, however, silently lose the protection, so don't treat it as your only defense against injected code.
This should only be added to the build configurations you intend to distribute. Marking debug builds as restricted will cause problems when you go to debug with Instruments, Guard Malloc, and many third-party debugging tools, all of which rely on library injection.
The flags listed above generate an empty section (size zero) in the binary. If you want to validate your own binaries, you can specify a file name instead of /dev/null and the linker will store that file's contents in the section. Putting your own file there can be useful if you plan on validating that your binary is correctly signed and not modified. Keep in mind that the restriction lives in the binary's own header: anyone who can rewrite the Mach-O header can just as easily strip the segment, so it is only as strong as the code signing that protects the binary from modification.
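The following is an added example, not code from the post and not dyld's own source. It does what the "Restricted Segment in the Header" section describes dyld doing: it walks the Mach-O load commands looking for a segment named __RESTRICT that contains a section named __restrict, and it also reports that section's size, which is zero when the section was created from /dev/null and equal to the file length when a real file was given, as the note above describes. The structure definitions follow the layout of Apple's <mach-o/loader.h> so the file compiles on any host, and the images it checks are constructed in memory (a minimal 64-bit executable header, not real linker output). It handles only thin, 64-bit, host-endian images; a fat binary must be split into its slice first, and the 32-bit LC_SEGMENT variant follows the same logic with the smaller structures. The clang and otool commands in the header comment, with hypothetical file names, are how you would produce and inspect a real restricted binary on OS X.

```c
/* Added example: walk a Mach-O header the way dyld does to decide whether an
 * image is "restricted" (a __RESTRICT segment holding a __restrict section).
 * On OS X the post's linker flag yields a real one (hypothetical file names):
 *   clang -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null main.c -o app
 *   otool -l app | grep -A 6 __RESTRICT
 * Structures are redeclared from <mach-o/loader.h> so this builds anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu   /* 64-bit Mach-O in host byte order */
#define LC_SEGMENT_64 0x19u

struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command_64 { uint32_t cmd, cmdsize; char segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize; uint32_t maxprot, initprot, nsects, flags; };
struct section_64 { char sectname[16], segname[16]; uint64_t addr, size;
    uint32_t offset, align, reloff, nreloc, flags, reserved1, reserved2, reserved3; };

/* Mach-O name fields are 16 bytes, NUL padded but not always NUL terminated. */
static int name_is(const char *field, const char *want) { return strncmp(field, want, 16) == 0; }

/* 1 = image has a __RESTRICT segment with a __restrict section, 0 = it does not,
 * -1 = header malformed or truncated (never to be read as "not restricted").
 * *sect_size gets the section size: 0 when made from /dev/null, else the file length. */
int has_restricted_segment(const uint8_t *image, size_t len, uint64_t *sect_size)
{
    struct mach_header_64 mh;
    size_t off = sizeof mh, end;
    if (len < sizeof mh) return -1;
    memcpy(&mh, image, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return -1;   /* 32-bit, fat or byte-swapped: out of scope */
    if (mh.sizeofcmds > len - off) return -1;
    end = off + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, image + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 seg;
            memcpy(&seg, image + off, sizeof seg);
            if (name_is(seg.segname, "__RESTRICT")) {
                /* section headers follow the segment command, inside its cmdsize */
                if ((uint64_t)seg.nsects * sizeof(struct section_64) > lc.cmdsize - sizeof seg) return -1;
                for (uint32_t s = 0; s < seg.nsects; s++) {
                    struct section_64 sec;
                    memcpy(&sec, image + off + sizeof seg + s * sizeof sec, sizeof sec);
                    if (name_is(sec.sectname, "__restrict")) { if (sect_size) *sect_size = sec.size; return 1; }
                }
            }
        }
        off += lc.cmdsize;
    }
    return 0;
}

/* Constructed sample, not real linker output: a 64-bit executable header with a
 * __TEXT segment and, if requested, the __RESTRICT/__restrict pair -sectcreate
 * adds. Writes at most 256 bytes into buf and returns the number written. */
size_t build_sample_image(uint8_t *buf, int restricted, uint64_t restrict_size)
{
    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000c /* arm64 */, 0, 2 /* MH_EXECUTE */, 1, 0, 0, 0 };
    struct segment_command_64 text = { LC_SEGMENT_64, (uint32_t)sizeof text, "__TEXT",
                                       0x100000000ull, 0x4000, 0, 0x4000, 5, 5, 0, 0 };
    size_t off = sizeof mh;
    memcpy(buf + off, &text, sizeof text); off += sizeof text;
    if (restricted) {
        struct segment_command_64 seg = { LC_SEGMENT_64, (uint32_t)(sizeof seg + sizeof(struct section_64)),
                                          "__RESTRICT", 0x100004000ull, 0x4000, 0x4000, 0x4000, 1, 1, 1, 0 };
        struct section_64 sec = { "__restrict", "__RESTRICT", 0x100004000ull, restrict_size,
                                  0x4000, 0, 0, 0, 0, 0, 0, 0 };
        memcpy(buf + off, &seg, sizeof seg); off += sizeof seg;
        memcpy(buf + off, &sec, sizeof sec); off += sizeof sec;
        mh.ncmds = 2;
    }
    mh.sizeofcmds = (uint32_t)(off - sizeof mh);
    memcpy(buf, &mh, sizeof mh);
    return off;
}

int main(void)
{
    uint8_t buf[512];
    uint64_t size = 0;
    size_t len = build_sample_image(buf, 1, 42);   /* as if a 42-byte file replaced /dev/null */
    int r = has_restricted_segment(buf, len, &size);
    printf("file-backed image: restricted=%d, __restrict size=%llu\n", r, (unsigned long long)size);
    len = build_sample_image(buf, 0, 0);
    printf("plain image:       restricted=%d\n", has_restricted_segment(buf, len, NULL));
    printf("truncated header:  %d\n", has_restricted_segment(buf, 40, NULL));
    return 0;
}
```

To run this over a real binary, read the file into a buffer and pass it to has_restricted_segment(). The bounds checks matter: a header that has been truncated or corrupted comes back as -1 rather than being mistaken for an unrestricted image, and a tool that rewrites the header to strip the segment is exactly the kind of modification the code-signing note above is concerned with.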