Stack protection disabled in Library Analysis

[athompson-1]

Android application type

Classic Xamarin.Android (MonoAndroid12.0, etc.)

Affected platform version

xamarin-android/d17-5/797e2e1

Description

Hi,

After a security analysis of our application it was noted libxamarnin-app.so has stack protection disabled. This issue is a follow up to issue #6258. Libxamarin-app.so may now contain a .text section with executable code. If there's any insight or suggestions regarding this issue, we would be grateful for your input.

Steps to Reproduce

1. Create Xamarin Android app
2. Build apk for release

Did you find any workaround?

No response

Relevant log output

No response

[grendello]

@athompson-1 Classic Xamarin.Android outputs no executable code in libxamarin-app.so, this hasn't changed. The xamarin_app_init function is generated only when unreleased marshal methods (a net8 feature) is used. I've just built a classic app to make sure we do the right thing, and the libxamarin-app.so library contained no such symbol. It does have a .text section, but it's empty (added by the linker). The symbol output from your screenshot contains marshal methods symbols - are you absolutely sure the .so file comes from a classic app?

[athompson-1]

It is .net android.

[jonpryor]

@athompson-1: which version of .NET Android? .NET 7 or .NET 8? LLVM Marshal Methods, which is where the mm_method_names and other symbols come from, is only in .NET 8, which is still in preview.

A related oddity is that LLVM Marshal Methods already enable stack protection; if you look at e.g. obj/Debug/net8.0-android/android/marshal_methods.arm64-v8a.ll, you'll see:

; Function attributes: "frame-pointer"="non-leaf" "min-legal-vector-width"="0" mustprogress "no-trapping-math"="true" nofree norecurse nosync nounwind sspstrong "stack-protector-buffer-size"="8" "target-cpu"="generic" "target-features"="+neon,+outline-atomics" uwtable willreturn writeonly
define void @xamarin_app_init (void (i32, i32, i32, i8**)* %fn) local_unnamed_addr #0
{                                                                               
  store void (i32, i32, i32, i8**)* %fn, void (i32, i32, i32, i8**)** @get_function_pointer, align 8
  ret void                                                                      
}

Note that it includes sspstrong and "stack-protector-buffer-size"="8".

As with #6258, I don't know what your "Cyber Security Analysis Certification" utility is doing, but I think whatever it's doing could be better.

[grendello]

It is .net android.

OK, that makes sense now :) Your OP indicates that it was for classic Android, hence the misunderstanding.

With regards to the report, what @jonpryor said above - whatever utility scanned the code, it works under a wrong assumption that every code must have whatever stack protection markers the utility looks for. However, compilers use heuristics (since stack protection has a runtime cost) to decide whether a function can in fact overflow the stack. They are usually functions which use local (on-stack) arrays and we have none of those.

[athompson-1]

Apologies for the confusion. Thank you for the explanation.