Motivations
• No free security source code analysis tools
• A lot of manual work for security testing
• Can't fully depend on grep and scripts
• Security coding guideline doesn't work well by itself
• Introduce an early detection tool
Xcode Plug-in
• We extend security on Xcode with our plug-in
  – Centralize developer-friendly security features in the IDE
  – Help developers avoid introducing vulnerabilities
  – Detect vulnerabilities at earlier phases of development
  – Cut down the cost of manual security testing
Intro of Xcode plug-in development
• Choose "Bundle" as the template and "Cocoa" as the framework
• Configure build settings (XCGCReady, XCPluginHasUI, XC4Compatible, Deployment Location, Wrapper Extension, etc.)
• Create a class
• Build
• Relaunch Xcode
XSecurity
• XSecurity
  – Quick Security Help with built-in Security Guidelines
  – Real-time Vulnerability Notifications
  – Static Analysis with Clang Static Analyzer
Feature 1: Quick Security Help
• Quick Help
  – Displays concise reference documentation without taking focus away from the file you're editing.
Feature 1: Quick Security Help
• Quick Security Help
  – Adds security guidelines to the reference documentation.
  – Added to both the Quick Help Inspector and the Quick Help Window.
  – Can automatically show and hide the inspector area.
Feature 1: Quick Security Help
• Quick Help Inspector
• Quick Help Window
Feature 2: Real-time Vulnerability Notifications
• Real-time Vulnerability Notifications
  – Show the vulnerability as it is being created.
  – Give developers instant know-how about the bug.
  – Early prevention.
Feature 2: Real-time Vulnerability Notifications
• Detection Triggers
  – When the source is modified.
  – When switching between source files.
• Methodology
  – Research how the relevant parts of Xcode work.
  – Categorize vulnerabilities according to their characteristics.
  – Heavy use of RegEx.
Feature 2: Real-time Vulnerability Notifications
Feature 3: Clang Static Security Analyzer
• Clang
  – A compiler front-end for C family languages
  – It uses LLVM as its back end
  – Creates an abstract syntax tree (AST) of the code
  – LLVM Community (mainly professionals from Apple, Google, ARM, Intel, etc.)
Feature 3: Clang Static Security Analyzer
• Clang Static Analyzer
  – A source code analysis tool that can find bugs in C, C++ and Objective-C programs.
  – Can run from the CLI and within Xcode
  – 100% open source and part of the Clang project
Feature 3: Clang Static Security Analyzer
• It boils down to checkers
  – The static analyzer engine can do path-sensitive exploration of the program.
  – Checkers implement the logic for bug detection
  – and construct the bug reports.
  – Well documented: http://clang-analyzer.llvm.org/checker_dev_manual.html
Feature 3: Clang Static Security Analyzer • Analyzer in action
Feature 3: Clang Static Security Analyzer • CI with Security Checkers
Detectable Vulnerabilities (columns: Real-time, Checker)
• Insecure Data Storage
  – Insecure Keychain Storage ● ●
  – Insecure NSUserDefaults Usage ● ●
  – Unencrypted Data in plist File ●
  – Insecure Permanent Credential Storage ● ●
• Insufficient Transport Layer Security
  – Ignores Certificate Validation Errors ● ●
• Security Decisions Via Untrusted Inputs
  – Abusing URL Schemes ● ●
• Side Channel Data Leakage
  – Leaking Web Caches ●
  – Leaking Logs ● ●
  – Leaking Pasteboard ●
• Client Side Injection
  – SQL Injection (SQLite) ●
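The RegEx-based methodology of Feature 2 and the categories in the table above, as an added Python example that is not XSecurity's own code: a line scanner whose rules are assumptions written for illustration, plus a two-line rule for the SQLite case that follows a stringWithFormat: result to the call that uses it, which a plain grep would miss.

```python
import re
from typing import Dict, List, Tuple

# Illustrative single-line rules in the slide's style (category, vulnerability, regex).
# The patterns are assumptions for this example, not XSecurity's actual rule set.
LINE_RULES = [
    ("Insecure Data Storage", "Insecure NSUserDefaults Usage",
     re.compile(r'NSUserDefaults\b.*setObject:.*forKey:\s*@"[^"]*(pass|pwd|token|secret)', re.I)),
    ("Side Channel Data Leakage", "Leaking Logs",
     re.compile(r"\bNSLog\s*\(.*(password|token|secret|credential)", re.I)),
    ("Side Channel Data Leakage", "Leaking Pasteboard",
     re.compile(r"UIPasteboard\s+generalPasteboard\s*\].*\.string\s*=")),
    ("Insufficient Transport Layer Security", "Ignores Certificate Validation Errors",
     re.compile(r"setAllowsAnyHTTPSCertificate\s*:\s*YES|allowsAnyHTTPSCertificateForHost")),
]

# Two-step rule for SQLite: a query built with stringWithFormat: on one line and
# handed to the SQLite API on a later line is flagged at the API call.
FORMAT_ASSIGN = re.compile(r"NSString\s*\*\s*(\w+)\s*=\s*\[NSString\s+stringWithFormat:")
SQLITE_CALL = re.compile(r"sqlite3_(?:exec|prepare(?:_v2)?)\s*\((.*)\)")

def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, vulnerability) for every finding, in line order."""
    findings: List[Tuple[int, str, str]] = []
    formatted: Dict[str, int] = {}  # variable name -> line where it was built with a format
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, name, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append((lineno, category, name))
        m = FORMAT_ASSIGN.search(line)
        if m:
            formatted[m.group(1)] = lineno
        m = SQLITE_CALL.search(line)
        if m and any(re.search(r"\b%s\b" % re.escape(v), m.group(1)) for v in formatted):
            findings.append((lineno, "Client Side Injection", "SQL Injection (SQLite)"))
    return findings

# Constructed Objective-C fragment (not real app code) that triggers every rule above.
SAMPLE = '''\
- (void)saveLogin:(NSString *)user password:(NSString *)pw {
    [[NSUserDefaults standardUserDefaults] setObject:pw forKey:@"password"];
    NSLog(@"saved password %@ for %@", pw, user);
    [UIPasteboard generalPasteboard].string = pw;
    NSString *sql = [NSString stringWithFormat:@"SELECT * FROM users WHERE name='%@'", user];
    sqlite3_exec(db, [sql UTF8String], NULL, NULL, NULL);
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host];
}
'''

if __name__ == "__main__":
    for lineno, category, name in scan_source(SAMPLE):
        print(f"line {lineno}: {category} / {name}")
```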
Future Plans
• We aim to…
  – Make the guidelines in Quick Security Help configurable or customizable
  – Have an option to select rules
  – Improve reporting functionalities
  – Develop more rules for real-time vulnerability notifications and checkers
Next vulnerabilities
• Insufficient Transport Layer Security
  – Data Transport Over Unencrypted Channel
  – Query String for Sensitive Data
  – Certificate Unpinning
• Sensitive Information Disclosure
  – Hard Coded Sensitive Information
  – Query String for Sensitive Data
• Broken Cryptography
  – Use of Vulnerable Encryption Algorithms
• Poor Authorization & Authentication
  – Invalid Usage of Persistent Identifier
  – Insecure OAuth Implementation
• Client Side Injection
  – Cross Site Scripting