How does code-signing achieve that given the payload would only appear as code in an already running and perhaps already verified program? I'd expect the actually relevant change to be similar to PaX MPROTECT, no?
Conversation
Code signing means I can no longer mark my shellcode as executable because that page isn't signed. It's physically impossible to execute attacker controlled raw shellcode. You can do JIT abuse, interp attacks, etc, but not native opcodes.
2
1
Ah, per-page signing with signature checked on mprotect? That's interesting. I didn't know they had that.
1
1
Not checked on mprotect. Literally just checked on execution. All code must be signed. Period.
2
1
That's even more interesting. How do you check signature on execution? Have the page non-executable up to and including the point of transferring control to it, and do the signature check from the page fault handler?
2
It's essentially MPROTECT combined with checking the signature of pages faulted in via memory mappings.
Permitting only code loaded from the verified images would be stricter, but they need to permit user-installed apps. They require that Apple has signed all the code pages.
1
3
This is part of what people mean when they talk about code signing on iOS. Safari has a special exception allowing it to bypass this for the JavaScript JIT compiler and Safari is the only permitted browser engine. Apps are allowed to ship powerful interpreters and blur the lines.
2
1
How does Firefox on iOS work? Is it just a fake Firefox that's reskinned Safari widget with some Firefox features on top, or do they just use interp-only? (The latter would be *extremely* preferable no matter how slow it is.)
1
Chrome and Firefox on Android are skins over top of a Safari widget. Apple's policies forbid shipping any alternative web engine implementation. An interpreter-only approach would work at a technical level but isn't permitted by their App Store policies. This is common for them.
2
1
I guess you mean on iOS; it's definitely real on Android. Why isn't interpreter permitted by policies if the interpreter does not expose any access to system facilities?
2
iOS has an explicit rule against implementing another web engine. Also, many uses of interpreters and even fancy forms or reflection are bending their rules. They don't want developers running code that's not shipped via the App Store. It depends on the usage and is nuanced.
So for example, if you ship a Python interpreter and use it to run Python code that's shipped with your app via the App Store, you're not breaking the rules. If you dynamically download code that's fed into the interpreter, you're almost certainly breaking the rules. Since this
2
1
depends on App Store review, apps can often get away with it for a long time and it depends on very arbitrary decisions by human reviewers. They sometimes make exceptions. There are frameworks breaking/bending the rules across many apps and sometimes they come down hard on it.
This rule makes sense in the sense of embedded web engines in apps (they're inherently phishing/credential stealing/privacy invading because they trick user into signing in to accounts, etc.) but dedicated browser marketed as such is different.