swift reversing

49
Swift Reversing Ryan Stortz Infiltrate 2016

Upload: phungdiep

Post on 13-Feb-2017

243 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Swift Reversing

SwiftReversing

RyanStortzInfiltrate2016

Page 2: Swift Reversing

PresentationOverview

Part1SwiftIntroduction

Part2Methodology

Part3SwiftRE

2

Page 3: Swift Reversing

SwiftIntroduction

3

Page 4: Swift Reversing

4

Page 5: Swift Reversing

SwiftLanguage

• Safe,fast,andexpressive• Closuresandfirst-classfunctions• Tuplesandmultiplereturnvalues• Generics• Fastandconciseiterationoverarangeorcollection• Structs thatsupportmethods,extensions,andprotocols• Functionalprogrammingpatterns,e.g.,mapandfilter• Powerfulerrorhandlingbuilt-in• Advancedcontrolflowwith do, guard, defer,and repeat keywords

5

Page 6: Swift Reversing

CompilerArchitecture

6

Page 7: Swift Reversing

7

Page 8: Swift Reversing

8

Page 9: Swift Reversing

9

Page 10: Swift Reversing

10

Page 11: Swift Reversing

11

Page 12: Swift Reversing

12

Page 13: Swift Reversing

13

Page 14: Swift Reversing

Methodology

14

Page 15: Swift Reversing

Motivation

• ApplicationPenetrationTesting• ExploitDevelopment• Re-implementation• Interoperability• BuildCharacter

15

Page 16: Swift Reversing

InitialQuestions

• Toolchain• Whattoolsareavailablenow?

• LanguageCore• IsitmessagebasedlikeObjective-CordoesitlookmorelikeC/C++?• IsitlazylikeHaskell?• Whatnativetypesareavailable?• Whichstoragebackswhichtypesofvariables?• Whatdoesclassinstantiationlooklike?• HowareOptionals unwrapped?

• ABI• HowdoesSwiftbridgeintoObjective-C?• Howdoesitrepresentvirtualmethodcallsunderthehood?• Howareclassesandstructureslaidoutinmemory?• WhatistheSwiftcallingconvention?

16

Page 17: Swift Reversing

Methodology:Examples

17

Page 18: Swift Reversing

18

Page 19: Swift Reversing

19

Page 20: Swift Reversing

SwiftRE:Toolchain

20

Page 21: Swift Reversing

21

Page 22: Swift Reversing

Toolchain

• swiftc• Thecompiler

• swift• ThecompilerREPL

• swift-demangle• Anamedemangler

22

Page 23: Swift Reversing

23

Page 24: Swift Reversing

swift-demangle

$ echo '__TFeRq_Ss14CollectionTypezqq_S_9GeneratorGVSs17IndexingGeneratorq__zqq_Ss9Indexable8_Elementqqq_S_9GeneratorSs13GeneratorType7Element_SsS_8generateuRq_S_zqq_S_9GeneratorGS0_q__zqq_S1_8_Elementqqq_S_9GeneratorS2_7Element_fq_FT_GS0_q__' | xcrun swift-demangle_ext.Swift.Swift.CollectionType<A where A: Swift.CollectionType, A.Generator == Swift.IndexingGenerator<A>, A._Element == A.Generator.Element>.generate <A where A: Swift.CollectionType, A.Generator == Swift.IndexingGenerator<A>, A._Element == A.Generator.Element> (A)() -> Swift.IndexingGenerator<A>

$ echo ‘_TTSf4n_d___TTSg5C11CommandLine6Option___TZFSa28_allocateBufferUninitializedurfMGSaq__FSiGVSs12_ArrayBufferq__' | xcrun swift-demanglefunction signature specialization <Arg[1] = Dead> of generic specialization <CommandLine.Option> of static Swift.Array._allocateBufferUninitialized <A> ([A].Type)(Swift.Int) -> Swift._ArrayBuffer<A>

24

Page 25: Swift Reversing

$ echo '__TFeRq_Ss14CollectionTypezqq_S_9GeneratorGVSs17IndexingGeneratorq__zqq_Ss9Indexable8_Elementqqq_S_9GeneratorSs13GeneratorType7Element_SsS_8generateuRq_S_zqq_S_9GeneratorGS0_q__zqq_S1_8_Elementqqq_S_9GeneratorS2_7Element_fq_FT_GS0_q__' | xcrunswift-demangle –expand

_Demangling for _TFeRq_Ss14CollectionTypezqq_S_9GeneratorGVSs17IndexingGeneratorq__zqq_Ss9Indexable8_Elementqqq_S_9GeneratorSs13GeneratorType7Element_SsS_8generateuRq_S_zqq_S_9GeneratorGS0_q__zqq_S1_8_Elementqqq_S_9GeneratorS2_7Element_fq_FT_GS0_q__

kind=Globalkind=Function

kind=Extensionkind=Module, text="Swift"kind=Protocolkind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=DependentGenericSignaturekind=DependentGenericParamCount, index=1kind=DependentGenericConformanceRequirementkind=Type

kind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=DependentGenericSameTypeRequirementkind=Type

kind=DependentMemberType, text="Generator"kind=Typekind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=Typekind=BoundGenericStructurekind=Typekind=Structurekind=Module, text="Swift"kind=Identifier, text="IndexingGenerator"

kind=TypeListkind=Typekind=DependentGenericParamType, text="A"

kind=Index, index=0kind=Index, index=0

kind=DependentGenericSameTypeRequirementkind=Type

kind=DependentMemberType, text="_Element"

kind=Typekind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="Indexable"

kind=Typekind=DependentMemberType, text="Element"kind=Typekind=DependentMemberType, text="Generator"kind=Type

kind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="GeneratorType"

kind=Identifier, text="generate"kind=Typekind=DependentGenericTypekind=DependentGenericSignaturekind=DependentGenericParamCount, index=1kind=DependentGenericConformanceRequirement

kind=Typekind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=DependentGenericSameTypeRequirementkind=Typekind=DependentMemberType, text="Generator"kind=Typekind=DependentGenericParamType, text="A"

kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocol

kind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=Typekind=BoundGenericStructurekind=Typekind=Structure

kind=Module, text="Swift"kind=Identifier, text="IndexingGenerator"

kind=TypeListkind=Type

kind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=DependentGenericSameTypeRequirement

kind=Typekind=DependentMemberType, text="_Element"kind=Typekind=DependentGenericParamType, text="A"

kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocol

kind=Module, text="Swift"kind=Identifier, text="Indexable"

kind=Typekind=DependentMemberType, text="Element"kind=Typekind=DependentMemberType, text="Generator"

kind=Typekind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=Typekind=Protocolkind=Module, text="Swift"kind=Identifier, text="CollectionType"

kind=Typekind=Protocol

kind=Module, text="Swift"kind=Identifier, text="GeneratorType"

kind=Typekind=UncurriedFunctionType

kind=ArgumentTuplekind=Typekind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

kind=ReturnTypekind=Typekind=FunctionTypekind=ArgumentTuple

kind=Typekind=NonVariadicTuple

kind=ReturnTypekind=Typekind=BoundGenericStructurekind=Typekind=Structure

kind=Module, text="Swift"kind=Identifier, text="IndexingGenerator"

kind=TypeListkind=Type

kind=DependentGenericParamType, text="A"kind=Index, index=0kind=Index, index=0

ext.Swift.Swift.CollectionType<A where A: Swift.CollectionType, A.Generator == Swift.IndexingGenerator<A>, A._Element == A.Generator.Element>.generate <A where A: Swift.CollectionType, A.Generator == Swift.IndexingGenerator<A>, A._Element == A.Generator.Element> (A)() -> Swift.IndexingGenerator<A>25

Page 26: Swift Reversing

InitialQuestions:Revisited(Toolchain)

• Toolchain• Whattoolsareavailablenow?

26

swift-demangle

Page 27: Swift Reversing

SwiftRE:LanguageCore

27

Page 28: Swift Reversing

LanguageCore

• Nativetypes• String,Bool,Int,Int8,Int16,Int32,Int64,UInt,UInt8,UInt16,UInt32,UInt64,Float,Float80,Double• NotaggedpointersinSwift(butwillbeintheObjc bridges)

• ControlFlow• Optionals• ClassInstantiation

28

Page 29: Swift Reversing

Messages?Laziness?

29

Page 30: Swift Reversing

Optionals

• Swifthasoptionals whichalleviatesalotofnull/nilpointerproblems.

30

Page 31: Swift Reversing

00000000`00000002 00 00000000`00000000 01[ Value = 2 ] [Op] [ Value = nil ] [Op](lldb) list

50 => case .Some(2):51 let train = Train()52 train.makeNoise()53 case .Some(3):54 let car = Car()55 print(car.description)56 default:57 print("Invalid choice!")5859 }

(lldb) reg readGeneral Purpose Registers:

rax = 0x0000000000000002rbx = 0x0000000000000000rcx = 0x0000000000000002rdx = 0x0000000000000002rdi = 0x0000000100702b80rsi = 0x000000000000000arbp = 0x00007fff5fbff9b0rsp = 0x00007fff5fbff840r8 = 0x0000000000000000r9 = 0x0000000000000000

r10 = 0x00000001002ad201r11 = 0x00000001000dfcc0r12 = 0x0000000000000000r13 = 0x0000000000000000r14 = 0x0000000000000000r15 = 0x0000000000000000rip = 0x000000010000148e classes`classes.main () -> () + 446 at

classes.swift:50rflags = 0x0000000000000297

cs = 0x000000000000002bfs = 0x0000000000000000gs = 0x0000000000000000

(lldb) x/8i $pc-> 0x10000148e: 48 39 d1 cmpq %rdx, %rcx

0x100001491: 75 40 jne 0x1000014d3 0x100001493: e8 e8 02 00 00 callq 0x100001780 0x100001498: 48 89 c7 movq %rax, %rdi0x10000149b: e8 b0 fb ff ff callq 0x1000010500x1000014a0: 48 89 45 b0 movq %rax, -0x50(%rbp)0x1000014a4: 48 8b 38 movq (%rax), %rdi0x1000014a7: 48 89 bd 20 ff ff ff movq %rdi, -0xe0(%rbp)

(lldb) x/40xg $rbp-0x280x7fff5fbff988: 0x0000000000000002 0x0000000000000300

31

Page 32: Swift Reversing

32

Page 33: Swift Reversing

DynamicAllocationandClassInstantiation

RefCounted *swift_allocObject(Metadata *type, size_t size, size_t alignMask);

33

Page 34: Swift Reversing

34

Page 35: Swift Reversing

35

Page 36: Swift Reversing

InitialQuestions:Revisited(LanguageCore)

• LanguageCore• IsitmessagebasedlikeObjective-CordoesitlookmorelikeC/C++?• IsitlazylikeHaskell?• Whatnativetypesareavailable?• Whichstoragebackswhichtypesofvariables?• Whatdoesclassinstantiationlooklike?• HowareOptionals unwrapped?

36

C++

No,thankGod

Stack,Heap,dependsonlifetime

SlightlydifferentthanC++

WithabitwiseAND

Theusuals

Page 37: Swift Reversing

SwiftRE:ABI

37

Page 38: Swift Reversing

ABI

• Objective-CBridging• Virtualfunctioncalls• Ownershiprules• Callingconvention

38

Page 39: Swift Reversing

Objective-CBridging

39

Page 40: Swift Reversing

40

Page 41: Swift Reversing

VirtualFunctionCalls

41

Page 42: Swift Reversing

OwnershipandOwnershipRules

• SwiftisfullARC• AutomaticReferenceCounting• Everythingisderivedfromafewbasetypes,whichincludethereferencecounts.

• Functionsunderstandtheirargumentownershiprules• Dead• Guaranteed• Exploded• GuaranteedandExploded

42

Page 43: Swift Reversing

CallingConvention

• Swift’sapproach:• YOLO• ExternalcallsareRAX:RDX:RCX:R8

• __swiftcall isnotsupportedinHexRays

• Scatteredreturnvalues• Hexrays hasalotoftroublewiththem:(

43

Page 44: Swift Reversing

44

Page 45: Swift Reversing

__swiftcall

Swift::String __usercall __spoils<rax,rdx,rcx,r8> func@<0:rdx, 8:rax, 16:rcx>(void *a1, void *a2)

Swift::String *__cdecl func(Swift::String *__return_ptr__struct_ptr retstr, void *a1, void *a2);

45

Page 46: Swift Reversing

InitialQuestions:Revisited(ABI)

• ABI• HowdoesSwiftbridgeintoObjective-C?• Howdoesitrepresentvirtualmethodcallsunderthehood?• Howareclassesandstructureslaidoutinmemory?• WhatistheSwiftcallingconvention?

46

Seamlessly

SimilartoC++

ExactlylikeObjective-c

Yolo

Page 47: Swift Reversing

Tools

47

Page 48: Swift Reversing

swift.py

• IDAandHexRays plugin• RewritesHex-Raysoutputtodemangle names• AnnotatesIDAwithdemangled names• Classbodyrecovery• Typepropagation(ComingSoon)• Witnesstablerecovery(Comingsoon– Hopefully)

Demo

48

Page 49: Swift Reversing

Questions?

RyanStortz• PrincipalSecurityResearcheratTrailofBits• PreviouslyatRaytheonSIGOVS

ContactInformation:• @withzombies• [email protected]

49