What does the demise of bitcode mean for the future of application security?

Developer launch developer software
Image: Konstantin Savusia/Adobe Stock

For app developers, Low-Level Virtual Machine bitcode has been a staple of Apple’s toolchain and the Android Native Development Kit for the past seven years. With the release of the Xcode 14 beta, soon to become the standard for iOS and MacOS development from this year, Apple has deprecated the option to build bitcode apps.

For the application security industry, who have largely designed and integrated their approach to code obfuscation around bitcode, this has vast ramifications. Unless security vendors adapt, in the not-too-distant future many apps may face a gaping hole in their security.

What is code obfuscation?

Code obfuscation is a powerful technique for protecting code and an essential part of application security products. The idea behind obfuscation is to modify an executable file so that it is no longer transparent to a hacker but still remains fully functional.

SEE: Mobile device security policy (TechRepublic Premium)

When done effectively, obfuscation makes reverse-engineering a program extremely difficult and is therefore used to protect sensitive intellectual property. For instance, obfuscation can be used to hide an algorithm that a company doesn’t want competitors to understand — most notably to protect security code.

In the field of app shielding, we use a number of tools to enforce a safe environment for apps to operate within. This includes things like hook detection, anti-debug and anti-tampering, all of which are ironically vulnerable to tampering or removal unless well hidden. Obfuscation is therefore used to protect these tools.

Obfuscation can be inserted at three different levels: The source based level, the native binary based level and by far the most dominant approach, the intermediate level. Between many compilers and the native code is an intermediate layer where optimizations are done.

Low-Level Virtual Machine is the best known example of this. LLVM is a set of compiler and toolchain technologies that can be used to develop a front-end for any programming language and a back-end for any instruction set architecture. LLVM is useful because it allows compilers such as Clang or Rustc to target different backends such as Linux on X86_64, armv7, iOS and Windows. If an obfuscator can operate at this level, it’s the easiest to build and maintain because it’s not tied to either the front-end compiler language or the back-end machine instruction set.

However, there is one downside: It is often tied to the toolchain. For apps on iOS and MacOS, those obfuscating at the intermediate level are subject to any changes or major overhauls to Apple’s integrated software development — such as Xcode 14.

What is bitcode?

Bitcode is a serialized version of LLVM’s Intermediate Representation.

A large reason for LLVM’s popular usage in app development, and therefore bitcode’s, is that it’s open source and available to everybody. This has led to many vendors creating obfuscators that operate on bitcode. The advantage for them is that they too can also target many back-ends and also typically several front-ends. The fact that the LLVM libraries also provide all the APIs necessary for manipulating the bitcode has further contributed to its dominance.

Apple has previously made use of bitcode within its toolchain because it had several CPU architectures to support this such as Intel, arm32 and arm64. Apple has even mandated in some cases that apps have to be submitted in bitcode format — not machine code. This has allowed Apple to do the final stage lowering to the machine code for the particular device to be installed on.

How is bitcode affected by future Xcode releases?

Apple has now reached a point where all of its new hardware uses arm64 and no longer requires the flexible back-ends provided by LLVM. Notably, at the WWDC 2022 keynote, there was mention of being able to better optimize purely for that architecture, which hints that the LLVM intermediate layer may be no longer used for that purpose in the future.

This has led to a major overhaul in the form of the Xcode 14 beta, where Apple has deprecated the option to build bitcode apps. Developers for iOS and MacOS can still use bitcode with a warning, but this will later be removed. Essentially, it’s now no longer as easy to produce bitcode apps.

Why does this matter, and who’s impacted?

Future Xcode releases may now prevent security vendors from using bitcode. Obfuscation vendors typically take two approaches to bitcode obfuscation that will be impacted differently.

The first approach is app obfuscation, where the obfuscator acts on the whole app in bitcode format, post-build, as an IPA or Xcarchive file. This is a great approach because it means that the obfuscator doesn’t need to be tightly integrated into the toolchain and obfuscations can work on the whole app rather than individual modules at a time.

The second is a toolchain-integrated approach where the obfuscator replaces or patches components in the Apple toolchain to ensure that it gets called during the build process. This can cause maintenance problems, but typically this is a lightweight integration by creating wrappers around the existing clang compiler.

The first approach is effectively now deprecated. Vendors using this are likely to continue their work (with warnings) for at least another year. However, this method will probably be prevented in Xcode 15 or 16.

The second approach could also be on shaky ground going forward, since we don’t know whether Apple will remove LLVM or prevent access to it in the compiler at some point — potentially even without warning. All vendors that currently use a LLVM-based obfuscator for iOS and MacOS app protection will be impacted by this change.

What does this mean for the future of application security?

Ultimately, LLVM will become less useful and possibly disappear altogether as Apple seeks to leverage its unified architecture for CPU, GPU and ML accelerators. Xcode 14 already contains toolchain components competing with LLVM for this. If LLVM disappears, then going forward, Apple’s platforms could become much harder to protect and therefore fewer vendors will have products available to do that.

It’s entirely possible this shake-up may well compromise the security of many of the apps on the App Store. Whether this happens or not will depend on the adaptability of security vendors. Those using a toolchain-integrated approach will be fine for the time being, but they run the risk that this approach could be closed off without warning in the future.

What is likely is that we will see an increase in the native binary based approach to obfuscation. The key difference being this approach to obfuscation is where the built machine code is directly manipulated. There aren’t many obfuscators that currently use this method as it’s particularly difficult to do and may need to support lots of binary formats and/or CPU instruction sets.

In any case, while the future of code obfuscation may be uncertain, one thing is for sure — app developers will need to take a proactive approach, watching security vendors and planning accordingly if they want to ensure their apps remain secure.

Andrew Whaley

Andrew Whaley is the Senior Technical Director at Promon, a Norwegian app security company. With his vast experience in penetration testing, application hardening, code obfuscation, cryptography and blockchain, Andrew leads Promon’s R&D team in enhancing the company’s core product suite with new security capabilities. 

Source link

istanbul escort aksaray escort arnavutköy escort ataköy escort avcılar escort avcılar türbanlı escort avrupa yakası escort bağcılar escort bahçelievler escort bahçeşehir escort bakırköy escort başakşehir escort bayrampaşa escort beşiktaş escort beykent escort beylikdüzü escort beylikdüzü türbanlı escort beyoğlu escort büyükçekmece escort cevizlibağ escort çapa escort çatalca escort esenler escort esenyurt escort esenyurt türbanlı escort etiler escort eyüp escort fatih escort fındıkzade escort florya escort gaziosmanpaşa escort güneşli escort güngören escort halkalı escort ikitelli escort istanbul escort kağıthane escort kayaşehir escort küçükçekmece escort mecidiyeköy escort merter escort nişantaşı escort sarıyer escort sefaköy escort silivri escort sultangazi escort suriyeli escort şirinevler escort şişli escort taksim escort topkapı escort yenibosna escort zeytinburnu escort porno 1080p porno izle 4k porno izle 720p porno izle abella danger alman alman porno alman porno izle aloha tube porno amatör amatör porno amatör porno izle anal anal porno anal porno izle arap porno asa akira porno asyalı porno bangbros porno bangbros porno izle banyoda sikis başörtülü porno beeg porno izle beyaz tenli porno izle biseksuel porno izle bisexsuel porno brandi love porno brazzers brazzers porno izle canli porno canli porno izle çinli porno çinli porno izle ensest porno ensest porno izle ensest seks erotik porno erotik porno izle esmer porno esmer porno izle etek altı fake agent fake taxi fake taxi porno fantazi pornoları fantezi porno izle fetiş porno fetiş porno izle fetish fransız porno fransız porno izle full hd hg porno izle gangbang porno genç kız porno izle genç kız sikişi genç teen porno izle gizli çekim porno gizli çekim pornosu grup pornosu grup porno grup porno izle hd pornolar hd porno hd porno izle hemşire porno hemşire pornosu hizmetçi porno hizmetçi porno izle ingiliz porno japon pornoları japon porno kızlık bozma kızlık bozma porno izle konulu porno konulu porno izle koreli porno köylü pornoları kumral porno kumral porno izle latin pornoları latin porno latin porno izle lezbiyen pornoları lezbiyen porno lezbiyen porno izle lisa ann porno liseli pornoları liseli porno liseli porno izle manken porno manken porno izle masaj porno izle masturbasyon porno izle masturbasyon pornoları mature porno mia khalifa porno mia malkova porno milf porno izle mobil porno mobil porno izle öğrenci porno izle öğretmen porno izle okul porno izle olgun kadın pornosu olgun porno oral porno oral porno izle oral seks porna izle pornhub pornhub porno izle porno film izle porno indir porno izle porno resimler porno star porntube porno izle redtube redtube pornoları riley reid porno rokettube rus pornoları rus porno rus porno izle sakso blowjob porno izle sarışın pornoları sarışın porno sarışın porno izle sarışın pornoları sekreter porno shemale sikiş sikiş sikiş izle şişman porno siyahi pornoları suriyeli pornoları swinger porno tecavüz porno teen porn türbanlı pornoları türbanlı porno türk pornoları türk porno türk porno izle türkçe altyazılı porno türkçe altyazılı porno izle xhamster pornoları xhamster porno xhamster porno izle xnxx xnxx porno xnxx porno izle xvideos xvideos porno izle yaşlı porno yeşilçam porno izle youjizz youporn youporn porno izle zenci porno güvenilir bahis siteleri bahis siteleri casino deneme bonusu casino siteleri deneme bonusu para yatırma bonusu bahis siteleri casino siteleribahis sitesi para yatırma