ASLR (Address Space Layout Randomization) is an important exploit mitigation technique introduced in iOS 4.3. ASLR makes remote exploitation of memory corruption vulnerabilities significantly more difficult by randomizing the locations of an application's objects in memory. By default, iOS applications use limited ASLR and randomize only part of the objects in memory. The image compares the memory sections of a partial-ASLR and a full-ASLR application.
To take full advantage of ASLR, the application has to be compiled with the -fPIE -pie flags (the “Generate Position-Dependent Code” build option in Xcode). This flag is checked automatically by default in the latest version of Xcode (from iOS 6), so all applications compiled with the latest SDK automatically use full ASLR. To find out whether an application is compiled with the PIE flag, connect to the iPhone over SSH and execute the command below.
otool -Vh ApplicationBinary
The image above shows PIE at the end of the file header, which indicates that the Facebook application is compiled with the PIE flag and uses full ASLR.
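The PIE check that otool -Vh performs is just a read of the flags word in the Mach-O header: full ASLR is available only when the MH_PIE bit is set. The script below is an added example (not the author's tool and not part of the original post) that does that check by hand, so it can be run from a workstation or scripted as a hardening audit across many binaries, and re-run after removePIE to confirm the flag is gone. It handles both thin binaries and fat (universal) binaries, reporting each architecture slice separately, which goes slightly beyond the single-architecture case shown in the text. The sample binary it builds is constructed in the script itself: only headers, no load commands, and the slices are not page-aligned as real linker output would be.

```python
"""Report whether each slice of a Mach-O binary carries the MH_PIE flag.

Constructed example: it does by hand the part of `otool -Vh` the text relies
on (reading the header flags) so the PIE check can be scripted, e.g. as a
hardening audit before and after running removePIE.
"""
import struct
import sys

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC = 0xFEEDFACE       # 32-bit header, file in host byte order
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit header, file in host byte order
MH_CIGAM = 0xCEFAEDFE       # 32-bit header, byte-swapped
MH_CIGAM_64 = 0xCFFAEDFE    # 64-bit header, byte-swapped
FAT_MAGIC = 0xCAFEBABE      # universal (fat) binary; fat structures are big-endian
MH_EXECUTE = 0x2            # filetype: demand-paged executable
MH_DYLDLINK = 0x4           # flags: linked for dyld
MH_PIE = 0x200000           # flags: position-independent, loaded at a random address (full ASLR)

CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_ARM_V7 = 9

CPU_NAMES = {CPU_TYPE_X86: "x86", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "cputype 0x%x" % cputype)


def parse_mach_header(data, offset=0):
    """Parse one thin Mach-O header at `offset`; returns a dict of its fields."""
    raw = data[offset:offset + 4]
    if len(raw) < 4:
        raise ValueError("truncated Mach-O header at offset %d" % offset)
    magic = struct.unpack("<I", raw)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"                      # header stored little-endian (all iOS devices)
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"                      # header stored big-endian; re-read swapped
        magic = struct.unpack(">I", raw)[0]
    else:
        raise ValueError("no Mach-O magic at offset %d" % offset)
    # mach_header and mach_header_64 share the first seven 32-bit fields;
    # the 64-bit header adds a trailing reserved word we do not need.
    _, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
        struct.unpack_from(endian + "7I", data, offset)
    return {"is64": magic == MH_MAGIC_64, "cputype": cputype,
            "cpusubtype": cpusubtype, "filetype": filetype, "ncmds": ncmds,
            "sizeofcmds": sizeofcmds, "flags": flags, "pie": bool(flags & MH_PIE)}


def check_pie(data):
    """Return [(cputype, pie_set)] for every architecture slice in `data`."""
    if len(data) < 4:
        raise ValueError("file too small to be Mach-O")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        results = []
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            cputype, _, off, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            results.append((cputype, parse_mach_header(data, off)["pie"]))
        return results
    header = parse_mach_header(data)
    return [(header["cputype"], header["pie"])]


def pie_report(data):
    """Human-readable lines, one per slice, mirroring the PIE column of otool -Vh."""
    return ["%s: %s" % (cpu_name(cpu), "PIE set (full ASLR)" if pie
                        else "PIE not set (partial ASLR only)")
            for cpu, pie in check_pie(data)]


def build_sample_binary():
    """Constructed two-slice fat binary: an armv7 slice built with -pie and an
    arm64 slice without. Headers only, no load commands, slices not page-aligned."""
    armv7 = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7,
                        MH_EXECUTE, 0, 0, MH_DYLDLINK | MH_PIE)
    arm64 = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                        MH_EXECUTE, 0, 0, MH_DYLDLINK, 0)
    first_off = 8 + 2 * 20                 # fat_header (8) + two fat_arch entries (20 each)
    second_off = first_off + len(armv7)
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, first_off, len(armv7), 2)
    fat += struct.pack(">5I", CPU_TYPE_ARM64, 0, second_off, len(arm64), 3)
    return fat + armv7 + arm64


if __name__ == "__main__":
    # Usage: python3 check_pie.py ApplicationBinary   (no argument: run on the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_binary()
    print("\n".join(pie_report(blob)))
```

Run it against the decrypted or backed-up application binary copied off the device; a slice reported as "PIE not set" is one the loader will map at its fixed preferred address, which is exactly the state removePIE produces and what a hardening review should flag on a production build.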
During a pentest, ASLR may cause issues while reversing or decrypting the application. To overcome this, Peter Fillmore wrote an awesome tool, removePIE, that can be used to disable ASLR for an iOS application. It does so by flipping the PIE flag.
Steps to disable the ASLR of an iOS Application:
1. Download removePIE.zip and extract it.
2. Copy removePIE to the iPhone using the scp command below (the password is alpine).
scp removePIE root@iPhoneIP:/var/root
3. The scp command copies the removePIE file into the /var/root directory on the iPhone. This can be verified by connecting to the iPhone over SSH.
4. Copy removePIE to the corresponding application's home directory.
5. To disable ASLR for an application, run the removePIE command on the application binary.
The command above takes a backup of the application binary, then flips the PIE flag and so disables ASLR. This can be confirmed by running otool -Vh ApplicationBinary again.
The image above no longer shows the PIE flag in the file header, confirming that the Facebook application no longer uses full ASLR.
Note: removePIE does not accept the application path as an argument. Supplying the binary path to the program ends in a “Segmentation fault: 11” error.