search

MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0
17.49k stars 3.24k forks source link

"PIE" applies not only to executable files but also to "frameworks." #2290

Closed watanabemk closed 11 months ago

watanabemk commented 1 year ago

ENVIRONMENT

OS and Version: Ubuntu 22.04.3 LTS (Jammy Jellyfish) on WSL2 Python Version: 3.10.12 MobSF Version: v3.7.9 beta

EXPLANATION OF THE ISSUE

Originally, the diagnosis target of "PIE" is executable files, so "Severiyt" of "framework" should be "Info". However, in the API diagnosis result, "Severiyt" of "PIE" in the JSON "framework_analysis" object is "High".

STEPS TO REPRODUCE THE ISSUE

Diagnosis target app: Upload DVIA-v2 [https://github.com/prateek147/DVIA-v2] to MobSF Output diagnostic results using the API "Generate JSON Report API" Check that the “severity” entry in the “PIE” section of the “framework_analysis” array is “High” Expected output result The “severity” entry in the “PIE” section of the “framework_analysis” array becomes “Info”

LOG FILE

*The [-] line is the current output result, and the [+] line is the expected output result.

...
    "framework_analysis": [
        {
...
            "pie": {
                "has_pie": false,
-                 "severity": "high",
+                 "severity": "info",
                "description": "The binary is built without Position Independent Code flag...."
            },
...

POTENTIAL SOLUTION

Add “framework” and work to the conditional expression in the file below. https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/4685d8e73d5c23f8418767a24f3015160adbc6db/mobsf/StaticAnalyzer/views/common/binary/macho.py#L65

github-actions[bot] commented 1 year ago

👋 @watanabemk Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

ajinabraham commented 11 months ago

I will update the current checks.

#define MH_PIE 0x200000         /* When this bit is set, the OS will
                       load the main executable at a
                       random address.  Only used in
                       MH_EXECUTE filetypes. */

Ref: https://opensource.apple.com/source/xnu/xnu-4570.1.46/EXTERNAL_HEADERS/mach-o/loader.h.auto.html

I believe only MachO executables are meant to be PIE. Dylibs and framework bundles are always implicitly position-independent.

ajinabraham commented 11 months ago

Addressed when this https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2307 gets merged to master.