Update MASTG-TEST-0229 with info about False Positives
cpholguera authored Jan 25, 2025
1 parent 2dbf5e5 commit db28405
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion tests-beta/ios/MASVS-CODE/MASTG-TEST-0229.md
@@ -1,5 +1,5 @@
---
title: Stack Canaries not enabled
title: Stack Canaries Not enabled
platform: ios
id: MASTG-TEST-0229
type: [static]
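Review bot: the new title "Stack Canaries Not enabled" mixes capitalization styles; since the change capitalizes "Not", the last word should follow suit ("Stack Canaries Not Enabled"), otherwise keep the original lowercase "not enabled". Either way the title should be consistent with how sibling test titles in tests-beta are cased.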
Expand Down Expand Up @@ -35,3 +35,15 @@ The test case fails any binary or library is not purely Swift but does not conta
**Note:** Checking for the `__stack_chk_fail` symbol only indicates that stack smashing protection is enabled somewhere in the app. While stack canaries are typically enabled or disabled for the entire binary, there may be corner cases where only parts of the application are protected. For example, if the app developer statically links a library with stack smashing protection enabled, but disables it for the entire application.

If you want to be sure that specific security-critical methods are sufficiently protected, you need to reverse-engineer each of them and manually check for stack smashing protection.

When evaluating this please note that there are potential **expected false positives** for which the test case should be considered as passed. To be certain for these cases, they require manual review of the original source code and the compilation flags used.

The following examples cover some of the false positive cases that might be encountered:

### Use of Memory Safe Languages

The Flutter framework does not use stack canaries because of the way [Dart mitigates buffer overflows](https://docs.flutter.dev/reference/security-false-positives#shared-objects-should-use-stack-canary-values).

### Compiler Optimizations

Sometimes, due to the size of the library and the optimizations applied by the compiler, it might be possible that the library was originally compiled with stack canaries but they were optimized out. For example, this is the case for some [react native apps](https://github.com/facebook/react-native/issues/36870#issuecomment-1714007068). They are built with `-fstack-protector-strong` but when attempting to search for `stack_chk_fail` inside the binary files, it is not found. The React Native developers in this case declare that they won't be adding `-fstack-protector-all` as, in their case, [they consider that doing so will add a performance hit for no effective security gain](https://github.com/facebook/react-native/issues/36870#issuecomment-1714007068).
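Review bot: the symbol name is inconsistent within this hunk. The existing note refers to `__stack_chk_fail`, while the new "Compiler Optimizations" paragraph tells the reader to search for `stack_chk_fail`; use the full `__stack_chk_fail` in both places so the reader searches for the same symbol the test checks. Two smaller points in the same paragraph: the same issue-comment URL is linked twice in consecutive sentences (one link suffices), and "the test case should be considered as passed" in the introduction is ambiguous about who decides, so it would read better as "the test case should be marked as passed after manual review", which is what the following sentence already requires.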
