Issues with has_arc() and has_canary() Functions Not Detecting Symbols in Mach-O Files #44
Comments
For me the has_arc and has_canary functions are able to find imports (and return true when the

You said you are using Goblin 0.5.2. Are you using the official 0.0.9 release or did you check out this git? (Because the current state on git requires at least goblin 0.6.0.) If you are using the official release, please try the current state on git. If the problems persist, could you provide further information on the executables you were checking?

EDIT:
I looked into this further and the problem seems to be that checksec uses the imports() function which only returns imports known to dyld. A potential fix would be to change from the imports function to the symbols() function.
Environment
Description
I've encountered a potential issue with the has_arc() and has_canary() functions in the macho.rs file. These functions are intended to check for the presence of specific keywords in the imports of a Mach-O binary: _objc_release for has_arc(), which should return true if ARC is being used, and either ___stack_chk_fail or ___stack_chk_guard for has_canary(), which should return true if stack protection is enabled.
Expected Behavior
When provided with a Mach-O binary that has ARC and stack canaries properly applied, the has_arc() function is expected to return true if the _objc_release symbol is present and has_canary() should return true if stack protection symbols are present.

    $ nm ~/Desktop/hello_canary
                     U ___stack_chk_fail
                     U ___stack_chk_guard
    0000000100000000 T __mh_execute_header
    0000000100003f2c T _main
                     U _read
Actual Behavior
Despite supplying a Mach-O file that I've verified to have ARC enabled, the has_arc() function returned false. Upon further inspection, it appears that the list of imports retrieved within the function is empty. This same behavior is observed with the has_canary() function, suggesting that both functions may consistently return false regardless of the actual contents of the Mach-O binary.
Investigation
To further investigate the issue, I added additional print statements to the has_arc() function to trace the flow and check where it might be failing. Below is the modified version of the has_arc() function:
When running the above code with a Mach-O binary that is known to have ARC enabled, the output was as follows:
This output indicates that the imports() call is successful, but it retrieves an empty list of imports, leading to the function incorrectly reporting that ARC is not used. Given that I have verified the binary has ARC enabled through other means, this result seems to be inaccurate.
Additional Information
I have verified the presence of ARC and stack canaries in my Mach-O binary using both otool and nm command-line tools, which show the expected symbols. This leads me to believe there might be a discrepancy in how the macho.rs file handles the parsing or detection of these symbols.
I am wondering if there could be an underlying issue with how imports are being retrieved or if there's an assumption made by the checker that doesn't hold true for all Mach-O binaries.
Any insights or suggestions on this matter would be greatly appreciated.
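The comment above proposes checking the symbol table rather than the dyld import list. The following std-only Rust code is an added example of that approach, not code from checksec or goblin: it walks LC_SYMTAB directly, the table nm lists, and collects the undefined external symbols. The names undefined_symbols, imports_any and sample_macho are hypothetical, has_arc and has_canary here take raw bytes, the input is assumed to be a thin little-endian 64-bit Mach-O, and the sample binary is constructed.

```rust
// Added example, not checksec's code. Assumes a thin, little-endian, 64-bit Mach-O.
const MH_MAGIC_64: u32 = 0xfeed_facf;
const LC_SYMTAB: u32 = 0x2;
fn u32_at(b: &[u8], off: usize) -> Option<u32> {
    let s = b.get(off..off.checked_add(4)?)?;
    Some(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Undefined external symbol names read from LC_SYMTAB (what `nm` marks `U`).
fn undefined_symbols(b: &[u8]) -> Option<Vec<String>> {
    if u32_at(b, 0)? != MH_MAGIC_64 { return None; }
    let (ncmds, mut off) = (u32_at(b, 16)?, 32usize); // commands follow mach_header_64
    for _ in 0..ncmds {
        let (cmd, size) = (u32_at(b, off)?, u32_at(b, off + 4)? as usize);
        if cmd == LC_SYMTAB {
            let (symoff, nsyms) = (u32_at(b, off + 8)? as usize, u32_at(b, off + 12)? as usize);
            let (stroff, strsize) = (u32_at(b, off + 16)? as usize, u32_at(b, off + 20)? as usize);
            let strtab = b.get(stroff..stroff.checked_add(strsize)?)?;
            let mut out = Vec::new();
            for i in 0..nsyms {
                let e = symoff.checked_add(i.checked_mul(16)?)?; // nlist_64 is 16 bytes
                let n_type = *b.get(e.checked_add(4)?)?; // keep N_EXT + N_UNDF, skip N_STAB
                if (n_type & 0xe0) != 0 || (n_type & 0x01) == 0 || (n_type & 0x0e) != 0 { continue; }
                let name = strtab.get(u32_at(b, e)? as usize..)?.split(|&c| c == 0).next()?;
                out.push(String::from_utf8_lossy(name).into_owned());
            }
            return Some(out);
        }
        off = off.checked_add(size.max(8))?; // a bogus cmdsize of 0 must not stall the walk
    }
    Some(Vec::new())
}
fn imports_any(b: &[u8], wanted: &[&str]) -> bool {
    undefined_symbols(b).map_or(false, |s| s.iter().any(|n| wanted.contains(&n.as_str())))
}
fn has_canary(b: &[u8]) -> bool { imports_any(b, &["___stack_chk_fail", "___stack_chk_guard"]) }
fn has_arc(b: &[u8]) -> bool { imports_any(b, &["_objc_release"]) }

/// Constructed sample: header, one LC_SYMTAB, and an nlist_64 per (name, n_type).
fn sample_macho(syms: &[(&str, u8)]) -> Vec<u8> {
    let (mut nlists, mut strtab): (Vec<u8>, Vec<u8>) = (Vec::new(), vec![0]);
    for (name, n_type) in syms {
        nlists.extend((strtab.len() as u32).to_le_bytes()); // n_strx
        nlists.extend([*n_type, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]); // n_type, n_sect, n_desc, n_value
        strtab.extend(name.bytes().chain([0]));
    }
    let words = [MH_MAGIC_64, 0x0100_000c, 0, 2, 1, 24, 0, 0, LC_SYMTAB, 24, 56, // header, then cmd
        syms.len() as u32, 56 + nlists.len() as u32, strtab.len() as u32];
    words.iter().flat_map(|w| w.to_le_bytes()).chain(nlists).chain(strtab).collect()
}
```

Passing sample_macho the same symbols as the nm listing in the issue (0x01 for the U entries, 0x0f for the T entries) makes has_canary return true and has_arc return false.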