Found ELF built without stack protection: Stack canaries can greatly increase the difficulty of exploiting a stack buffer overflow because they force the attacker to gain control of the instruction pointer by some non-traditional means, such as corrupting other important variables on the stack. Built with option -fstack-protector. Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables and preventing them from causing program misbehavior or from becoming serious security vulnerabilities.
Hi,
I have a Swift/Objective C/C++ combined iOS app (iOS 11) and I've used the -fstack-protector-all flag to guard against buffer overflows.
When I use 'otool -Iv [binary]', on the binary that's in the xcarchive, I can see stack protections present.
However, when I export to an .ipa (and sign it with a distribution certificate) with bitcode enabled and I run the same otool command on the binary in the .ipa, otool does not show stack protections anymore.
I'm assuming here that the LLVM intermediate language format is different from machine language format and thus these protections are not shown.
My question: I cannot find any clear literature online about this: are stack protections still present in bitcode and/or are stack protections present after Apple recompiles the bitcode into architecture specific machine language when the app is deployed to the App Store?
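
The `otool -Iv` check described in the post can be scripted so that each architecture slice of the xcarchive and .ipa binaries is compared the same way. This is an added example, not part of the original post: the function names and the sample text are constructed, and it assumes the stack protector shows up as references to `___stack_chk_fail` and `___stack_chk_guard` in the indirect symbol table.

```shell
#!/bin/sh
# Classify `otool -Iv` output per architecture slice by whether the
# stack-protector runtime symbols are referenced.

check_stack_chk() {
    awk '
        function report(    name, verdict) {
            name = (arch == "") ? "single-slice" : arch
            if (fail && guard)      verdict = "stack protector symbols present"
            else if (fail || guard) verdict = "partial (check manually)"
            else                    verdict = "no stack protector symbols"
            printf "%s: %s\n", name, verdict
        }
        # Fat binaries: otool prints "path (architecture NAME):" before each slice.
        /\(architecture [^)]*\):$/ {
            if (seen) report()
            arch = $0
            sub(/^.*\(architecture /, "", arch); sub(/\):$/, "", arch)
            fail = 0; guard = 0; seen = 1
            next
        }
        { seen = 1 }
        /___stack_chk_fail/  { fail = 1 }    # called when a canary check fails
        /___stack_chk_guard/ { guard = 1 }   # the canary value itself
        END { if (seen) report() }
    '
}

# Constructed sample resembling `otool -Iv` output for a two-slice binary.
sample_otool_output() {
    cat <<'EOF'
MyApp (architecture armv7):
Indirect symbols for (__TEXT,__picsymbolstub4) 2 entries
address    index name
0x0000bf60    10 _memcpy
0x0000bf70    11 _objc_msgSend
MyApp (architecture arm64):
Indirect symbols for (__TEXT,__stubs) 2 entries
address            index name
0x0000000100007f3c    21 ___stack_chk_fail
0x0000000100007f48    22 _memcpy
Indirect symbols for (__DATA,__got) 1 entries
address            index name
0x0000000100008000    23 ___stack_chk_guard
EOF
}

sample_otool_output | check_stack_chk
```

On a Mac, pipe the real output instead, once for the archive binary and once for the binary unpacked from the .ipa, and compare the two reports line by line.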