Full Report
I just got off a call with a client, and realised we need to think about how we report binary protections a bit more. More specifically, the `ios info binary` command in objection. They can be a pain to explain if not well understood, and even harder to remediate! Binary protections make exploitation attempts much harder, so naturally we want all of them on. However, as you'll see in this article, not everything can always be enabled, and sometimes it's hard to understand why.
Analysis Summary
# Tool/Technique: objection ios info binary command
## Overview
This refers to the functionality within the `objection` framework used to analyze and report on the status of binary protections (such as PIE, ARC, and Stack Canaries) present in an iOS Mach-O executable or library. Understanding these protections is crucial as they make exploitation attempts significantly harder.
## Technical Details
- Type: Tool (Functionality within a framework)
- Platform: iOS (Mach-O format binaries/libraries)
- Capabilities: Enumerates the modules loaded in the target process and, for each one, parses the Mach-O header flags and the imported (undefined) symbols to infer the presence of specific mitigations (PIE, ARC, stack canaries).
- Version notes: The discussion above references `objection` 1.10.0/1.10.1 (March 2021), the release range in which the ARC check changed; the `ios info binary` command itself is older than those releases.
## MITRE ATT&CK Mapping
The analysis of binary protections does not map cleanly onto an adversary technique: the command inventories exploit mitigations rather than carrying out an attack. The closest entries are:
- **TA0005 - Defense Evasion** (indirectly: knowing which mitigations a binary lacks informs exploitation)
- **T1027 - Obfuscated Files or Information** (loosely; its sub-techniques describe adversary obfuscation such as packing and symbol stripping, and ATT&CK has no "Binary Hardening" sub-technique, so cite the parent technique at most)
## Functionality
### Core Capabilities
1. **Parsing Mechanism:** The Frida agent lists loaded modules with `Process.enumerateModules()`, reads each module's backing file from disk, and parses the Mach-O header and load commands with the `macho` Node.js package bundled into the agent.
2. **PIE Detection:** Checks the `flags` field of the Mach-O header for `MH_PIE` (`0x200000`). This is the position-independent-executable flag, not an executable bit, and it is only set on `MH_EXECUTE` images: dylibs and frameworks are position independent by construction and never carry it.
3. **ARC Detection:** Inferred from the binary importing `objc_release` (stored in the symbol table as `_objc_release`). This is an inference from imports, not a read of a compiler setting, so a binary that never calls the Objective-C runtime can report `NO` while still being memory safe.
4. **Canary Detection:** Inferred from the binary importing `__stack_chk_fail` (stored as `___stack_chk_fail`; `__stack_chk_guard` is its companion import), which only appears if at least one function in the image was compiled with stack protection. Absence means no function was instrumented, which is the usual case for binaries with no C-style stack buffers.
### Advanced Features
- Results have to be read per module and per language: `MH_PIE` applies only to the main executable, and the import-based ARC and canary checks behave differently for Objective-C and Swift code, so a frameworks-only or Swift-only module can legitimately report `NO` for a protection that is not applicable to it.
- The ARC check changed between `objection` `< 1.10.0` and `>= 1.10.1`, so the two version ranges can report different ARC results for the same binary.
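A worked example of the parsing approach described under Core Capabilities and the executable-versus-library distinction above: PIE is read from the header flag, ARC and canaries are inferred from undefined symbols in `LC_SYMTAB`, and `MH_PIE` is only evaluated for `MH_EXECUTE` images. This is an added Python illustration, not objection's own code (objection's agent is TypeScript and uses the `macho` npm package); the sample images it parses are constructed in memory and are not real application binaries, and the `parse_macho`, `build_macho` and `check_all` names are this example's own.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/nlist.h>
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O, little-endian on disk
MH_CIGAM_64 = 0xCFFAEDFE       # byte-swapped variant
MH_EXECUTE = 0x2               # filetype: main executable
MH_DYLIB = 0x6                 # filetype: dynamic library / framework binary
MH_PIE = 0x200000              # header flag: position-independent executable
LC_SYMTAB = 0x2                # load command carrying the symbol and string tables
N_TYPE, N_UNDF, N_EXT = 0x0E, 0x00, 0x01   # nlist n_type mask and bits
CPU_TYPE_ARM64 = 0x0100000C

FILETYPES = {MH_EXECUTE: "executable", MH_DYLIB: "dylib"}


def parse_macho(data: bytes) -> dict:
    """Infer PIE, ARC and stack canaries from a thin 64-bit Mach-O image:
    PIE from the MH_PIE header flag, ARC and canary from the undefined
    (imported) symbols reachable through LC_SYMTAB."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a thin 64-bit Mach-O image (fat and 32-bit not handled)")

    # struct mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, _, _, filetype, ncmds, _, flags, _ = struct.unpack_from(end + "8I", data, 0)

    imports = set()
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", data, off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from(end + "4I", data, off + 8)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):
                # struct nlist_64: n_strx u32, n_type u8, n_sect u8, n_desc u16, n_value u64
                n_strx, n_type, _, _, _ = struct.unpack_from(end + "IBBHQ", data, symoff + 16 * i)
                if (n_type & N_TYPE) == N_UNDF and (n_type & N_EXT):
                    raw = strtab[n_strx:strtab.index(b"\x00", n_strx)].decode()
                    # C symbols carry a leading underscore in the table: _objc_release, ___stack_chk_fail
                    imports.add(raw[1:] if raw.startswith("_") else raw)
        off += cmdsize

    return {
        "filetype": FILETYPES.get(filetype, hex(filetype)),
        # MH_PIE is only meaningful for MH_EXECUTE; dylibs are position independent by construction
        "pie": bool(flags & MH_PIE) if filetype == MH_EXECUTE else None,
        "arc": "objc_release" in imports,
        "canary": "__stack_chk_fail" in imports,
        "imports": sorted(imports),
    }


def build_macho(filetype: int, flags: int, undefined: list) -> bytes:
    """Construct a minimal Mach-O with one LC_SYMTAB whose symbols are all
    undefined externals. Test input only; not derived from any real app."""
    nlist, strtab = b"", b"\x00"       # string-table index 0 is the empty string
    for name in undefined:
        nlist += struct.pack("<IBBHQ", len(strtab), N_EXT | N_UNDF, 0, 0, 0)
        strtab += name.encode() + b"\x00"
    symoff = 32 + 24                   # header + one 24-byte LC_SYMTAB
    stroff = symoff + len(nlist)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, filetype, 1, 24, flags, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(undefined), stroff, len(strtab))
    return header + symtab + nlist + strtab


# Constructed sample modules (not real binaries) resembling what objection would enumerate
SAMPLES = {
    "hardened_app": build_macho(MH_EXECUTE, MH_PIE, ["_objc_release", "___stack_chk_fail", "_objc_msgSend"]),
    "no_canary_app": build_macho(MH_EXECUTE, MH_PIE, ["_objc_release", "_objc_msgSend"]),
    "non_pie_app": build_macho(MH_EXECUTE, 0, ["_objc_release", "___stack_chk_fail"]),
    "framework": build_macho(MH_DYLIB, 0, ["_objc_release", "___stack_chk_fail"]),
}


def check_all(samples=SAMPLES) -> dict:
    """Run the checks over every sample, dropping the import list for a compact report."""
    return {name: {k: v for k, v in parse_macho(img).items() if k != "imports"}
            for name, img in samples.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:14} {result}")
```

The `framework` sample is the case that causes the reporting confusion the page opens with: a dylib with `pie` reported as not applicable rather than `NO`, which is how a finding on a linked framework should be phrased.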
## Indicators of Compromise
*Since this is an inspection tool reporting on application security settings, there are no traditional IOCs like malware hashes or C2s.*
- File Hashes: N/A
- File Names: Mach-O binaries/libraries within an application bundle.
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Script execution of the `ios info binary` command within the hooked process context.
## Associated Threat Actors
N/A (This is a defensive/analysis tool used by security researchers and pentesters, not typically associated with threat actors).
## Detection Methods
*Detection focuses on observing unauthorized instrumentation or inspection of application binaries.*
- Signature-based detection: Detection of Frida or objection instrumentation attached to the process, e.g. a `frida-server` listener on its default TCP port 27042, or `FridaGadget.dylib`/`frida-agent` appearing in the process's loaded modules.
- Behavioral detection: Observing runtime hooking of the application, or the application's own binaries being opened and read from disk by the process during execution (the command reads each loaded module's file to parse it).
- YARA rules: N/A
## Mitigation Strategies
*Mitigation centers on ensuring all intended binary protections are correctly enabled during the compilation process for all linked dependencies.*
- **PIE Mitigation:** Build the main executable as position independent: compile with `-fPIE` and link with `-pie`. In Xcode this corresponds to leaving "Don't Create Position Independent Executables" (`LD_NO_PIE`) set to `NO`; iOS targets are PIE by default, so a missing `MH_PIE` usually means that setting was flipped. `-fPIC` alone is not enough, since it makes the code position independent but does not make the linker emit a PIE. This applies to the main executable only; dylibs and frameworks never carry `MH_PIE`.
- **ARC Mitigation:** For Objective-C projects, set "Objective-C Automatic Reference Counting" (`CLANG_ENABLE_OBJC_ARC`) to `YES`, which passes `-fobjc-arc` to clang. Swift projects get ARC automatically from `swiftc`, so for a Swift binary treat a negative result as a detection artefact to verify, not as a missing protection.
- **Canary Mitigation:** For Objective-C/C code, pass `-fstack-protector-strong` or `-fstack-protector-all` (Apple clang already enables the basic `-fstack-protector` for functions with character arrays, which is why `__stack_chk_fail` is usually imported even without explicit flags). For Swift projects the state is complex: an import-based check may report no canary for a pure-Swift binary, and Swift's inherent memory safety reduces the risk stack cookies address, so verify before reporting this as a finding.
- **General Hardening:** Apply the protection settings not just to the main executable but to *all* frameworks linked into the project; `ios info binary` reports per module, and build settings on the app target do not propagate into prebuilt third-party frameworks, which must be rebuilt by their vendor.
## Related Tools/Techniques
- checksec.sh: External script for checking hardening flags, but it targets ELF binaries on Linux. For Mach-O the equivalent is `otool -hv` (prints header flags, including `PIE`) together with `nm -u` (lists undefined, i.e. imported, symbols such as `___stack_chk_fail` and `_objc_release`).
- Radare2 (`rabin2 -I` and `rabin2 -i`, or `i`, `ii` and `ia` inside r2): Alternative tools capable of enumerating Mach-O header flags and imports.