objective-c runtime安全措施之二:反注入
《O'Reilly.Hacking.and.Securing.iOS.Applications>>讀書筆記
反注入:在類函式被呼叫前做完整性檢測(預防應用自定義函式或apple標準庫函式被修改或替換)
原理:呼叫dladdr()函式檢查類方法的基本資訊是否合法
例子1:檢查Foundation框架類中NSMutableURLRequest基類(用於改變URL請求)的setHTTPBody方法的基本資訊
#include <dlfcn.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <stdio.h>
#include <string.h>
int main() {
Dl_info info;
IMP imp = class_getMethodImplementation(
objc_getClass("NSMutableURLRequest"),
sel_registerName("setHTTPBody:"));
printf("pointer %p\n", imp);
if (dladdr(imp, &info)) {
printf("dli_fname: %s\n", info.dli_fname);
printf("dli_sname: %s\n", info.dli_sname);
printf("dli_fbase: %p\n", info.dli_fbase);
printf("dli_saddr: %p\n", info.dli_saddr);
} else {
printf("error: can't find that symbol.\n");
}
}
在Mac OS上使用gcc編譯
$ gcc -o main main.m -lobjc -framework Foundation
然後執行該程式和觀察輸出,這些資訊(地址空間、檔名、符號名)可以確認該函式來源、是否合法
$ ./main
pointer 0x7fff8e7aba62
dli_fname: /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
dli_sname: -[NSMutableURLRequest(NSMutableHTTPURLRequest) setHTTPBody:]
dli_fbase: 0x7fff8e633000
dli_saddr: 0x7fff8e7aba62
例子2:使用dladdr函式檢查類中的所有方法的通用程式碼
#include <dlfcn.h>
#include <stdio.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
static inline BOOL validate_methods(const char *, const char *)
__attribute__((always_inline));
BOOL validate_methods(const char *cls, const char *fname) {
Class aClass = objc_getClass(cls);
Method *methods;
unsigned int nMethods;
Dl_info info;
IMP imp;
char buf[128];
Method m;
if (!aClass)
return NO;
methods = class_copyMethodList(aClass, &nMethods);
while(nMethods--) {
m = methods[nMethods];
printf("validating [ %s %s ]\n",
(const char *) class_getName(aClass),
(const char *) method_getName(m));
imp = method_getImplementation(m);
if (!imp) {
printf("error: method_getImplementation(%s) failed\n",
(const char *) method_getName(m));
free(methods);
return NO;
}
if (! dladdr(imp, &info)) {
printf("error: dladdr() failed for %s\n",
(const char *)method_getName(m));
free(methods);
return NO;
}
/* Validate image path */
if (strcmp(info.dli_fname, fname))
goto FAIL;
/* Validate class name in symbol */
snprintf(buf, sizeof(buf), "[%s ",
(const char *) class_getName(aClass));
if (strncmp(info.dli_sname+1, buf, strlen(buf)))
{
snprintf(buf, sizeof(buf), "[%s(",
(const char *) class_getName(aClass));
if (strncmp(info.dli_sname+1, buf, strlen(buf)))
goto FAIL;
}
/* Validate selector in symbol */
snprintf(buf, sizeof(buf), " %s]",
(const char *) method_getName(m));
if (strncmp(info.dli_sname + (strlen(info.dli_sname) - strlen(buf)),
buf, strlen(buf)))
{
goto FAIL;
}
}
return YES;
FAIL:
printf("method %s failed integrity test:\n",
(const char *)method_getName(m));
printf(" dli_fname: %s\n", info.dli_fname);
printf(" dli_sname: %s\n", info.dli_sname);
printf(" dli_fbase: %p\n", info.dli_fbase);
printf(" dli_saddr: %p\n", info.dli_saddr);
free(methods);
return NO;
}
【注意】
1. 重新命名檢查函式(例如不要用validate_methods這樣具有明顯意義的名字)
2. 在應用的多處加入檢查函式,任何與敏感資料互動的方法在執行前都需要檢查
3. 例子中的logging和printf語句只是用來除錯,程式碼正式釋出前要移除
4. 驗證完整性只是提高了攻擊的門檻,不能完全防禦黑客,需要綜合應用多種技巧,例如思路一中的反除錯技巧,及馬上要介紹的反彙編技巧