AegiScan: A static dataflow analysis framework for iOS application binaries
AegiScan
Aegi(s)Scan(er) is a static dataflow analysis framework for iOS application binaries, intended as a foundation for building vulnerability scanners.
Design
AegiScan uses top-down type propagation to resolve Objective-C message sends (objc_msgSend call sites, whose target depends on the receiver's class and the selector at run time), thereby reconstructing the call graph. It then generates a Code Property Graph (CPG) for each function to establish context-sensitive dataflow and, using the call graph, links the CPGs of different functions for inter-procedural analysis. AegiScan also recovers information lost during optimization (e.g., app thinning) and incorporates it into the analysis.
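The following is an added illustration of the top-down type propagation idea from the paragraph above. It is not AegiScan's code: the tiny IR, the class hierarchy, the framework return-type table and the method names are all constructed sample data. Parameter types flow from callers into callees (so the same function is analysed once per distinct set of incoming types), receiver types select the message-send target through the superclass chain, and sends whose receiver type never becomes known are reported instead of being silently dropped.

```python
"""Top-down type propagation to resolve Objective-C message sends (toy model).

Added example, not AegiScan's code. IR, classes and methods are constructed.
"""
from collections import defaultdict, deque

# Class hierarchy as it would be recovered from Objective-C metadata (constructed).
SUPERCLASS = {"ViewController": "BaseController", "BaseController": "UIViewController"}

# Return types of framework methods whose bodies are not in the binary (constructed;
# a real tool would take these from headers or type encodings). Receiver types are
# written "Cls" for an instance and "+Cls" for the class object itself.
FRAMEWORK = {
    "+[NSURL URLWithString:]": "NSURL",
    "-[NSURL absoluteString]": "NSString",
    "+[NSURLRequest requestWithURL:]": "NSURLRequest",
    "-[WKWebView loadRequest:]": "void",
}

# Functions found in the binary, in a made-up IR:
#   ("classref", dst, "Cls")             dst = the class object Cls
#   ("msgsend", dst, recv, sel, [args])  dst = objc_msgSend(recv, sel, args...)
#   ("ret", reg)
# "params" maps parameter names to a statically known type, or None when the type
# is only learned from callers (the gap top-down propagation fills).
PROGRAM = {
    "-[ViewController openURL:]": {
        "params": {"self": "ViewController", "urlString": "NSString"},
        "returns": "void",
        "instrs": [
            ("classref", "r0", "NSURL"),
            ("msgsend", "r1", "r0", "URLWithString:", ["urlString"]),
            ("msgsend", "r2", "self", "loadRequestFor:", ["r1"]),
            ("msgsend", "r3", "self", "handle:", ["r1"]),
            ("ret", "r3"),
        ],
    },
    "-[ViewController loadRequestFor:]": {
        "params": {"self": "ViewController", "url": None},
        "returns": "void",
        "instrs": [
            ("classref", "r0", "NSURLRequest"),
            ("msgsend", "r1", "r0", "requestWithURL:", ["url"]),
            ("msgsend", "r2", "self", "webView", []),  # inherited from BaseController
            ("msgsend", "r3", "r2", "loadRequest:", ["r1"]),
            ("ret", "r3"),
        ],
    },
    "-[ViewController handle:]": {
        "params": {"self": "ViewController", "obj": None},
        "returns": "NSString",
        "instrs": [("msgsend", "r0", "obj", "absoluteString", []), ("ret", "r0")],
    },
    "-[BaseController webView]": {
        "params": {"self": "BaseController"},
        "returns": "WKWebView",
        "instrs": [("ret", "ivar_webView")],
    },
}


def lookup(cls, sel, class_method):
    """Find the implementation of sel for cls, walking up the superclass chain."""
    prefix = "+" if class_method else "-"
    while cls is not None:
        name = f"{prefix}[{cls} {sel}]"
        if name in PROGRAM or name in FRAMEWORK:
            return name
        cls = SUPERCLASS.get(cls)
    return None


def propagate(entries):
    """Analyse each entry and everything reachable from it, pushing argument types
    down into callees. Returns (call_graph, unresolved): call_graph maps a caller to
    the set of resolved callee names; unresolved lists (function, selector) pairs
    whose receiver type stayed unknown in some context."""
    call_graph = defaultdict(set)
    unresolved = []
    # A context is (function, parameter types). Re-analysing a function per distinct
    # incoming type set is what makes the result context-sensitive.
    seen = set()
    work = deque((fn, tuple(PROGRAM[fn]["params"].items())) for fn in entries)
    while work:
        fn, ctx = work.popleft()
        if (fn, ctx) in seen:
            continue
        seen.add((fn, ctx))
        types = dict(ctx)
        for ins in PROGRAM[fn]["instrs"]:
            if ins[0] == "classref":
                types[ins[1]] = "+" + ins[2]
            elif ins[0] == "msgsend":
                _, dst, recv, sel, args = ins
                rtype = types.get(recv)
                callee = lookup(rtype.lstrip("+"), sel, rtype.startswith("+")) if rtype else None
                if callee is None:
                    unresolved.append((fn, sel))  # receiver type unknown: no edge
                    types[dst] = None
                    continue
                call_graph[fn].add(callee)
                if callee in FRAMEWORK:
                    types[dst] = FRAMEWORK[callee]
                    continue
                info = PROGRAM[callee]
                pnames = list(info["params"])
                new_ctx = {pnames[0]: rtype}  # self takes the concrete receiver type
                for pname, areg in zip(pnames[1:], args):
                    new_ctx[pname] = types.get(areg)
                work.append((callee, tuple(new_ctx.items())))
                types[dst] = info["returns"]
    return dict(call_graph), unresolved


if __name__ == "__main__":
    cg, unres = propagate(["-[ViewController openURL:]", "-[ViewController handle:]"])
    for caller, callees in cg.items():
        print(caller, "->", sorted(callees))
    print("unresolved:", unres)
```

Note what the two entry points show: `-[ViewController handle:]` analysed as an entry on its own has no type for `obj`, so its `absoluteString` send is reported as unresolved, while the same function reached from `openURL:` receives `NSURL` from the caller and resolves to `-[NSURL absoluteString]`. The `webView` send resolves to the inherited `-[BaseController webView]` because the lookup walks the superclass chain.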
Implementation
AegiScan combines binary analysis with a graph database. The binary analysis, built on IDA Pro's intermediate representation (Microcode), needs to run only once; its results are stored in a Neo4j graph database and can then be queried repeatedly. To support vulnerability scanning, AegiScan provides query APIs based on Neo4j's Cypher query language and interfaces for developing custom scanners.
Develop customized vulnerability scanners
AegiScan is a framework for static dataflow analysis that supports the creation of tailored vulnerability scanners. The development process involves three primary steps:
- Step 1: Define your entry points and sensitive operations, and add IDAPython scripts under src/entries and src/sinks that identify these custom entries and operations within the IDB.
- Step 2: Develop your custom scanners, derived from BaseScan under src/scanners, which provides the foundational workflow for generating call graphs and code property graphs that you can adapt to your needs.
- Step 3: Modify src/ida_runner.py to deploy your custom scanners across various scenarios in iOS apps and other Objective-C binaries.
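As an added example of what a scanner built on these steps actually computes (the search from the entries of Step 1 to the sinks of Step 1 across the per-function CPGs joined through the call graph, as the Design section describes), here is a constructed inter-procedural taint path search. It is not AegiScan's code and the node/edge layout is not AegiScan's Neo4j schema; the graph is a hand-built stand-in in which REACHES edges carry dataflow inside one function and CALL/RETURN edges, tagged with their call site, are the glue the call graph adds between functions. The helper `-[URLHelper canonicalize:]` is called from two places so that the example can show the false positive an unmatched return edge produces and how call-site matching removes it.

```python
"""Inter-procedural taint path search over a small code property graph (toy).

Added example, not AegiScan's code or graph schema; all nodes and edges are constructed.
"""
from collections import defaultdict

# node id -> (function, description, role). role marks what the entry and sink
# scripts would have tagged: "source" for attacker-controlled input, "sink" for
# a sensitive operation's argument.
NODES = {
    "openURL.p1":  ("-[ViewController openURL:]", "param urlString (URL-scheme input)", "source"),
    "openURL.c1":  ("-[ViewController openURL:]", "arg of canonicalize:", None),
    "openURL.r1":  ("-[ViewController openURL:]", "result of canonicalize:", None),
    "openURL.c2":  ("-[ViewController openURL:]", "arg of -[WKWebView loadRequest:]", "sink"),
    "canon.p1":    ("-[URLHelper canonicalize:]", "param s", None),
    "canon.ret":   ("-[URLHelper canonicalize:]", "return value", None),
    "loadHome.k":  ("-[ViewController loadHome]", "constant home URL", None),
    "loadHome.c1": ("-[ViewController loadHome]", "arg of canonicalize:", None),
    "loadHome.r1": ("-[ViewController loadHome]", "result of canonicalize:", None),
    "loadHome.c2": ("-[ViewController loadHome]", "arg of -[WKWebView loadRequest:]", "sink"),
}

# (src, dst, kind, call_site). REACHES = dataflow inside one function;
# CALL = argument -> callee parameter; RETURN = callee return value -> call result.
EDGES = [
    ("openURL.p1", "openURL.c1", "REACHES", None),
    ("openURL.c1", "canon.p1", "CALL", "cs1"),
    ("canon.p1", "canon.ret", "REACHES", None),
    ("canon.ret", "openURL.r1", "RETURN", "cs1"),
    ("canon.ret", "loadHome.r1", "RETURN", "cs2"),
    ("openURL.r1", "openURL.c2", "REACHES", None),
    ("loadHome.k", "loadHome.c1", "REACHES", None),
    ("loadHome.c1", "canon.p1", "CALL", "cs2"),
    ("loadHome.r1", "loadHome.c2", "REACHES", None),
]


def find_taint_paths(context_sensitive=True, max_call_depth=8):
    """Return every node path from a source to a sink.

    With context_sensitive=True a RETURN edge is only followed back to the call
    site the path entered through, so taint that entered canonicalize: from
    openURL: cannot leave it into loadHome."""
    succ = defaultdict(list)
    for src, dst, kind, site in EDGES:
        succ[src].append((dst, kind, site))
    sources = [n for n, (_, _, role) in NODES.items() if role == "source"]
    sinks = {n for n, (_, _, role) in NODES.items() if role == "sink"}
    paths = []

    def walk(node, stack, path, seen):
        if node in sinks:
            paths.append(path)
            return
        for dst, kind, site in succ[node]:
            new_stack = stack
            if kind == "CALL":
                if len(stack) >= max_call_depth:  # bound deep recursion
                    continue
                new_stack = stack + (site,)
            elif kind == "RETURN" and context_sensitive:
                if stack and stack[-1] != site:
                    continue  # would return to a caller we never came from
                new_stack = stack[:-1]  # empty stack: taint started inside the callee
            state = (dst, new_stack)
            if state in seen:  # cycle in this calling context
                continue
            walk(dst, new_stack, path + [dst], seen | {state})

    for s in sources:
        walk(s, (), [s], {(s, ())})
    return paths


def describe(path):
    """Render a path as 'function: description' steps for a finding report."""
    return [f"{NODES[n][0]}: {NODES[n][1]}" for n in path]


if __name__ == "__main__":
    for label, flag in (("context-sensitive", True), ("context-insensitive", False)):
        print(label)
        for p in find_taint_paths(context_sensitive=flag):
            print("  " + " -> ".join(describe(p)))
```

Run context-sensitively the search reports one path, from the URL-scheme parameter through `canonicalize:` into `loadRequest:` in `openURL:`; with matching disabled it also reports the unrealizable path that exits `canonicalize:` into `loadHome`, where the argument was in fact a constant. In AegiScan the equivalent question is asked of the stored graph through the Cypher-based query APIs rather than by walking an in-memory dictionary, but the call/return matching is the property a custom scanner has to preserve to keep findings free of this class of false positive.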
Furthermore, AegiScan is extensible and can support additional features in both binary analysis and graph querying. To implement your custom analysis, you may:
- Revise src/intra_procedural.py and the visitors within src/visitors to refine the analysis of individual binary functions.
- Adapt src/inter_procedural.py to customize inter-procedural tasks.
- Extend src/record.py and the graph models under src/models to tailor the code property graph definitions and construct dataflows according to your specifications.
- Amend src/libs/queries.py to include custom queries and strategies tailored to your analysis goals.
Install & Use
Copyright (c) 2024 Alibaba