5 Replies
      Latest reply: Oct 27, 2016 3:58 AM by POM RSS
      chrales Level 1 Level 1 (0 points)

        Hi,

         

        We're working on an app that manages a lot of critically sensitive data (namely, a password manager), and we're trying to get the most security we can out of macOS. One obvious vulnerability is that a malicious user can always use lldb or a similar tool to dump the memory at a time when a password is there.

         

        SIP offers protection against these types of attacks. I wanted to know if we could protect our app by using the SIP mechanism.

         

        Is any of the following solutions possible:

         

        • Add an entitlement to the app to make it rootless
        • Configure SIP settings in the user's home directory to add the app to the rootless apps list
        • Request that the app be added to the list in a future macOS release
        • Re: Enabling SIP on 3rd-party apps
          eskimo Apple Staff Apple Staff (6,075 points)

          The current SIP protections are based on how the code is signed, which isn’t something you can change.  It seems reasonable to file an enhancement request for a way to opt into that protection.  Please post your bug number, just for the record.

          Keep in mind that the user can, at their option, disable SIP on the system as a whole, which limits the utility of this for your purposes.  I guess you could set your app up not to work if SIP is disabled, although:

          • there’s no public API for detecting that (another enhancement request opportunity!)

          • you’re likely to really annoy some customers, who run with SIP disabled for other reasons

          In the meantime, one thing you can do right now is call PT_DENY_ATTACH on yourself; see the ptrace man page for details.  This won’t stop a determined attacker (ask me how I know!) but there are very few downsides.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Enabling SIP on 3rd-party apps
              chrales Level 1 Level 1 (0 points)

              Thanks Quinn. This pretty much covers the subject.

               

              The current SIP protections are based on how the code is signed, which isn’t something you can change.

               

              Is this anything like the Kernel Extension codesigning keys? Should we just request a "new" type of key?

               

              This won’t stop a determined attacker (ask me how I know!)

               

              How do you know?    And what are the risks, and the steps an attacker could take to bypass this?

                • Re: Enabling SIP on 3rd-party apps
                  eskimo Apple Staff Apple Staff (6,075 points)

                  Is this anything like the Kernel Extension codesigning keys?

                  No.  Last I checked, SIP only kicks in for Apple code that comes built in to the OS.

                  How do you know?

                  Well, I was being facetious but, sure I can answer that: a while back I built my own tool to nobble PT_DENY_ATTACH so that I could debug various plug-ins that get loaded in system components that set PT_DENY_ATTACH.  And no, I won’t share (-:

                  And what are the risks, and the steps an attacker could take to bypass this?

                  What’s your threat model?  Are you trying to protect yourself from the user themselves (like a DRM scheme)?  Or trying to protect yourself from code that the user has unwittingly run?

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                • Re: Enabling SIP on 3rd-party apps
                  chrales Level 1 Level 1 (0 points)

                  I dropped a couple of enhancement requests as per your suggestion:

                   

                  rdar://28650702

                  rdar://28650719

                  • Re: Enabling SIP on 3rd-party apps
                    POM Apple Staff Apple Staff (0 points)

                    "I guess you could set your app up not to work if SIP is disabled"

                     

                    Not quite. You cannot trust the system to tell you the trust if SIP has been disabled, because the protection is not active anymore and the API could be made to return true when the real answer is false.