One of the issues of Android and iOS applications is buffer overflow protection. Based on the security guidelines the mobile apps need to compiled with enabled stack-based buffer overflow protection (-fstack-protector-all). Is this flag necessary to be enabled in Xamarin.Forms? If yes, how to compile apps with the flag.
Xamarin.Forms has nothing to do with the stack checks/canaries, it the Mono runtimes (and bundled support frameworks & shared libraries) that are provided by Xamarin.iOS (i.e. Mono.framework/Mono) and Xamarin.Android (i.e. libmono-android.release.so ) that are pre-compiled with stack checks/canaries, PLUS any 3rd-party native libs and user provided native libs that are bundled in the app.
Examples:
Mono.framework/Mono
otool -Iv MonoTouch.iphoneos.sdk/Frameworks/Mono.framework/Mono | grep stack_chk
0x0014d508 33044 ___stack_chk_fail
0x001e4444 33045 ___stack_chk_guard
0x001e44d4 33044 ___stack_chk_fail
0x0014d554 33042 ___stack_chk_fail
0x001e4444 33043 ___stack_chk_guard
0x001e44cc 33042 ___stack_chk_fail
~~~
arm64-v8a/libmono-android.release.so
objdump -dj .text ./Xamarin/Android/lib/arm64-v8a/libmono-android.release.so | grep stack_chk
9130: 97fffd9c bl 87a0 <__stack_chk_fail#plt>
9254: 97fffd53 bl 87a0 <__stack_chk_fail#plt>
98a0: 97fffbc0 bl 87a0 <__stack_chk_fail#plt>
9a90: 97fffb44 bl 87a0 <__stack_chk_fail#plt>
9cb0: 97fffabc bl 87a0 <__stack_chk_fail#plt>
~~~
Note: These are just sample outputs, it would be up to you to check ALL bundled native Frameworks/shared libraries in your app...
Related
I need to bind library for Xamarin.iOS which has many dependencies, such as Firebase/Core and Firebase/Messaging.
Following that doc, I have created a proxy project, generated the fat release, used sharpie to create the ApiDefinitions, generated the dll with a Binding Project in Visual Studio for Mac, and finaly used it in a Xamarin.iOS project that successfully built.
But, the app crashes on startup, on any simulator or real iPhone, with the following logs :
-CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client com.maxim.myapp2 with pid '372' is now Foreground Running. Background entitlement: NO ActiveLongFormVideoSession: NO WhitelistedLongFormVideoApp NO
-CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Sending EndInterruption to com.maxim.myppev2 with pid '372' because client moved to ForegroundRunning and is not allowed to play in the background
[application<com.maxim.myappev2>:372] Death sentinel fired!
...
[application<com.maxim.myappev2>:372] Process exited: <RBSProcessExitContext; specific: <RBSProcessExitStatus; domain: signal (2); code: SIGSEGV (11)>>.
I think it comes from the Enable Bitcode option, which is not supported by Xamarin.
Indeed, the library I am binding has not this option, but one of its dependencies has :
iMac:Release-fat maxim$ otool -l FirebaseCore/FirebaseCore.framework/FirebaseCore | grep __LLVM
segname __LLVM
segname __LLVM
segname __LLVM
segname __LLVM
iMac:Release-fat maxim$
Is there any chance I can remove this native dependency library of Firebase and use the already binded one https://github.com/xamarin/GooglePlayServicesComponents/ ??
How could I do please ?
I'm investigating how to debug .NET apps on macOS. So far I have successfully compiled LLDB 3.9 with libsosplugin.dylib and have learned how to open the application in it. However, I could not find a way to list source and put breakpoint in it.
$HOME/SDK/build/release/bin/lldb-3.9.1 \
-o "plugin load $HOME/SDK/coreclr/bin/Product/OSX.x64.Debug/libsosplugin.dylib" \
-o "process launch -s" \
dotnet ./bin/Debug/netcoreapp2.2/app.dll
When I stop the app with Crtl+C and type l for sources, it just does nothing.
Process 39465 stopped
* thread #1: tid = 0x979f6, 0x0000000102b85795 libcoreclr.dylib`WKS::gc_heap::mark_object_simple(unsigned char**) + 293, stop reason = signal SIGSTOP
frame #0: 0x0000000102b85795 libcoreclr.dylib`WKS::gc_heap::mark_object_simple(unsigned char**) + 293
libcoreclr.dylib`WKS::gc_heap::mark_object_simple:
-> 0x102b85795 <+293>: movq %rax, %rcx
0x102b85798 <+296>: orq $0x1, %rcx
0x102b8579c <+300>: movq %rcx, (%rdi)
0x102b8579f <+303>: testb $0x1, %al
(lldb) l
(lldb)
Is it ever possible to see dotnet app sources in LLDB?
It doesn't look like there is any debug information for that function - certainly not any lldb can find or read. Without that, lldb won't be able to construct the map from PC -> source location and so no source based operations are going to work.
lldb only supports the DWARF and PDB debug formats (and PDB is a work in progress and was not present in lldb-3.9.1 which is a pretty old lldb.)
I have not played around with compiling .NET apps on macOS, so I don't know what options it offers for debug information. You'll need to figure out that first.
I want to convert static iOS framework (https://github.com/comScore/ComScore-iOS-watchOS-tvOS/tree/master/ComScore/iOS) into dynamic.
> clang -arch x86_64 -dynamiclib -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.3.sdk -lc++ -F . -framework ComScore -ObjC -o ComScoreDynamic
This command is successful, however, there is a problem with symbol visibility.
When I check symbols in the original framework it is around 4k of public symbols:
> nm -gU ComScore.framework/ComScore | wc -l
4387
In dynamic version only very few of them:
nm -gU ComScoreDynamic
0000000000114af8 S _OBJC_CLASS_$_SCORCommonUtils
0000000000114940 S _OBJC_CLASS_$_SCORCrossPublisherIdSourceValue
0000000000114a08 S _OBJC_CLASS_$_SCORHTTP
0000000000114990 S _OBJC_CLASS_$_SCORHelper
0000000000114aa8 S _OBJC_CLASS_$_SCORObfuscation
0000000000114a80 S _OBJC_CLASS_$_SCORReachability
0000000000114918 S _OBJC_CLASS_$_SCORUniqueId
0000000000114b20 S _OBJC_METACLASS_$_SCORCommonUtils
00000000001149e0 S _OBJC_METACLASS_$_SCORCrossPublisherIdSourceValue
0000000000114a30 S _OBJC_METACLASS_$_SCORHTTP
0000000000114968 S _OBJC_METACLASS_$_SCORHelper
0000000000114ad0 S _OBJC_METACLASS_$_SCORObfuscation
0000000000114a58 S _OBJC_METACLASS_$_SCORReachability
00000000001149b8 S _OBJC_METACLASS_$_SCORUniqueId
00000000001166b0 D __ZTINSt3__117bad_function_callE
00000000000d5d60 S __ZTSNSt3__117bad_function_callE
All other symbols marked as internal (t and s markings).
How can I keep symbols external?
UPDATE:
Looks like this can be similar problem: Export an `OBJC_CLASS` from one static lib as part of another
Problem is that symbols in static lib are exported as private_extern and there is no way to preserve them in dynamic library.
The public symbols in the comScore framework are marked private external. This can be seen with the nm utility and looking for the SCORAnalytics class:
nm -m ComScore/iOS/ComScore.framework/Versions/A/ComScore |grep _OBJC_CLASS_\$_SCORAnalytics
Shows:
---------------- (LTO,DATA) private external _OBJC_CLASS_$_SCORAnalytics
This means the symbol can only be linked against once. When Cocoapods performs a pre-link for secondary ('transitive') dependencies, these symbols lose their extern attribute. The idea here is to prevent public symbols from a dependency from leaking into those of another library. The problem is that, for Swift projects, they aren't fully resolved until the final app link; by that point they're no longer available.
The real issue is that the comScore library is a static framework. The best solution would be for comScore to release it as a dynamic framework, but these are only supported by iOS 8 and above; comScore insists on support all the way back to iOS 6. I know.
For now, my solution is to include the comScore framework directly in our Cocoapod and vend it within the Podspec, allowing it to work with both Obj-C and Swift projects. The downside is I have to manually update our Cocoapod every time comScore releases a new version. There would also be symbol conflicts if another pod included comScore, but since our pod is a metrics aggregator that logs to several backends, it's likely to be the only metrics component in use. YMMV.
I'm working on porting Mumble over to Windows RT (using the jailbreak), and I've hit an issue where this one function is getting corrupted when Mumble loads.
Mumble (Corrupt function):
0:000> dq user32.dll+0x023918
77a63918 47c3004244696841 4770df010c16f241
77a63928 4770df010c17f241 4770df010c18f241
77a63938 4770df010c19f241 4770df010c1af241
77a63948 4770df010c1bf241 4770df010c1cf241
77a63958 4770df010c1df241 4770df010c1ef241
77a63968 4770df010c1ff241 4770df015c81f44f
77a63978 4770df010c21f241 4770df010c22f241
77a63988 4770df010c23f241 4770df010c24f241
0:000> u user32.dll+0x023918
* ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\windows\system32\user32.dll -
user32!WindowFromPoint:
77a63918 6841 ldr r1,[r0,#4]
77a6391a 4469 add r1,r1,sp
77a6391c 0042 lsls r2,r0,#1
77a6391e 47c3 ?blx r8
77a63920 f2410c16 mov r12,#0x1016
77a63924 df01 svc #1
TeXworks (Expected output):
0:000> dq user32.dll+0x23918
77a63918 4770df010c15f241 4770df010c16f241
77a63928 4770df010c17f241 4770df010c18f241
77a63938 4770df010c19f241 4770df010c1af241
77a63948 4770df010c1bf241 4770df010c1cf241
77a63958 4770df010c1df241 4770df010c1ef241
77a63968 4770df010c1ff241 4770df015c81f44f
77a63978 4770df010c21f241 4770df010c22f241
77a63988 4770df010c23f241 4770df010c24f241
0:000> u user32.dll+0x23918
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\USER32.dll -
USER32!WindowFromPoint:
77a63918 f2410c15 mov r12,#0x1015
77a6391c df01 svc #1
77a6391e 4770 bx lr
77a63920 f2410c16 mov r12,#0x1016
77a63924 df01 svc #1
77a63926 4770 bx lr
77a63928 f2410c17 mov r12,#0x1017
77a6392c df01 svc #1
(Apologies for the less than stellar formatting of the code, a screenshot of the windows can be found here: http://i.imgur.com/M6mLHN1.png )
Mumble uses Qt (customized by the Mumble team, to my understanding), Protobuf, Boost, and OpenSSL
TeXworks uses Qt
What I've tried so far:
Disabling the application compatibility engine
Unloading user32.dll at load, then reloading it (calling FreeLibrary 100 times, then calling LoadLibrary)
Removing anything that might look even remotely suspect from the manifests (from Qt and Mumble)
Removing the entire manifests (from Qt and Mumble)
If I patch this one function using cdb after Mumble launches it all works awesomely, but if I don't patch it the first action performed that calls that function ends in a crash. Opening/closing windows and dragging all call that function, so it's rather critical to the program that it's there.
Any help or pointers on this would be more than appreciated.
Edit: I've verified that it's something inside mainCRTStartup that's mucking around with it, trying to figure out what exactly it is now.
Edit 2: Found a platform-specific hook hidden in the Mumble code that was causing my troubles. Solved.
Since I can finally answer this now, Mumble had some hooks hidden away that I didn't know about. I defined a custom entrypoint that called mainCRTStartup so I could step through that and find exactly where that memory was getting changed, it led me straight to the hook.
Here's the code I used for that:
EXTERN_C int WINAPI mainCRTStartup();
void __stdcall EntryPoint()
{
MessageBox(HWND_DESKTOP,L"Pause(Before mainCRTStartup)",L"Pause(Before mainCRTStartup",MB_OK);
mainCRTStartup();
ExitProcess(0);
}
That allowed me to attach a debugger at the messagebox and step through mainCRTStartup until I found the static initializer that was getting called to load the hook.
I am trying to use GDB to debug a Linux kernel zImage before it is decompressed. The kernel is running on an ARM target and I have a JTAG debugger connected to it with a GDB server stub. The target has to load a boot loader. The boot loader reads the kernel image from flash and puts it in RAM at 0x20008000, then branches to that location.
I have started GDB and connected to the remote target, then I use GDB's add-symbol-file command like so:
add-symbol-file arch/arm/boot/compressed/vmlinux 0x20008000 -readnow
When I set a breakpoint for that address, it does trap at the correct place - right when it branches to the kernel. However, GDB shows the wrong line from the source of arch/arm/boot/compressed/head.S. It's 4 lines behind. How can I fix this?
I also have tried adding the -s section addr option to add-symbol-file with -s .start 0x20008000; this results in exactly the same problem.
There are assembler macros that print out stuff when compiling with low level debug. You have to make sure the macros are appropriate for your board.
linux-latest/arch/arm$ find . -name debug-macro.S | wc
56 56 2306
Find the file for your board and ensure the correct serial port registers are hit. You can instrument the code with out using JTAG. These macros are used in the decompress code. Of course configure with *CONFIG_DEBUG_LL*.
Most likely the ATAGs are not correct or one of the other requirements. Checkout Documentation/arm/Booting to make sure you have registers set properly. Note there is a new requirement with recent kernels to send a dt list.