ROOTS 2018 Talk: The Swift Language from a Reverse Engineering Perspective – Malte Kraus & Vincent Haupert

Over the last decade, mobile devices have taken over the consumer market for computer hardware. Almost all these mobile devices run either Android or iOS as their operating systems. In 2014, Apple introduced the Swift programming language as an alternative to Objective-C for writing iOS and macOS applications. The rising adoption of this new language has to some extent obsoleted existing techniques for program analysis for these platforms, like method swizzling and “class-dump”.

In this paper we discuss features of Swift binaries that help in reverse engineering the functionality of the contained code: We document the memory layout of compound data types and the calling convention used by the Swift compiler, as well as the runtime type information that is used by the runtime and debugger when data types are not known statically. This type information is rich enough to allow an almost full recovery of the definition of most Swift data types, e.g. including even the names and offsets of the members of compound data types.

Based on these findings, we introduce the open source swift-frida library for iOS built on top of the Frida instrumentation framework. It provides this information about all public and many private Swift data types in a process. It allows transparent read/write access to Swift variables and their data members with known type and memory location.

We asked Malte and Vincent a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • Frida is a popular tool for dynamic analysis of iOS apps
  • Yet, Frida lacked support for Swift, which is the preferred way of developing iOS apps today
  • We present internals of Swift binaries and show how to leverage these insights for dynamic analysis
  • As opposed to Objective-C, Swift binaries store very detailed metadata about the types used in them
  • We also introduce ‘swift-frida’, a work-in-progress developed on GitHub, which already offers basic support for instrumentation of Swift apps using Frida

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We wanted to trace function parameters in an app written in Swift, but had the problem that barely any tooling for that use-case existed. That led to the question to what extent it is possible to recover high-level information from Swift binaries.

Why do you think this is an important topic?

The iOS ecosystem is one of the most popular computing platforms, and Swift is being adopted by more and more developers for their apps. Accordingly, knowledge about how to reverse Swift programs is important.

Is there something you want everybody to know – some good advice for our readers maybe?

Swift binaries store information like type and member names and memory layout for user-defined types that can be of great help when reverse engineering them. Today, there are no public tools to strip or obfuscate this data.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

We will likely see the emergence of the typical arms race between obfuscation and reverse engineering techniques. However, most of the data that can be useful for reverse engineering is actually required at runtime for some language or library features. Therefore, the extent to which obfuscation of this data is possible still remains to be seen.

Vincent Haupert is a research fellow and PhD candidate at the IT Security Infrastructures Lab of the Friedrich-Alexander University Erlangen-Nürnberg (FAU) in Germany. His main interests are authentication, system security and software protection of mobile devices. Particularly the security of FinTechs and mobile banking is one of his major research subjects.

Malte Kraus recently graduated with an M.Sc. in computer science from Friedrich-Alexander University Erlangen-Nuremberg. He likes to build things that break other things and has been playing CTFs since 2013.
