Seema Kadavan

Reputation: 2648

Prevent corrupted executable from launching on OS X

I have a process (Launch Daemon) that gets launched by launchd in root context in OS X. The process is code signed. Still, if I corrupt the binary, it loads again. To corrupt the binary, I open the executable in a hex editor and do a find and replace for any string. Is there a way to prevent this process from launching in case it is corrupted?

Upvotes: 3

Views: 493

Answers (2)

TheDarkKnight

Reputation: 27629

Apple provides a code signing framework that allows an executable to check its own signature and test if the application has been tampered with.

Start by obtaining a code object with the call to SecCodeCopySelf, then use the retrieved SecCodeRef to call SecCodeCheckValidity or SecCodeCheckValidityWithErrors.

It's up to your application to quit if it encounters a problem with the validity. As it's running in the root context, it could also unload itself from launchd.

Note that the time taken to verify the application is dependent upon its size and number of files. A very large app bundle, such as Xcode, can take about 3 minutes, though a small application will barely be noticeable.

Upvotes: 1
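The self-check described in this answer, written out as an added example (not code from the answer or from Apple's documentation). It assumes a launch daemon built as Objective-C under ARC and linked against Foundation and Security; the bundle identifier and team ID in the requirement string are placeholders to replace with your own.

```objective-c
// Added example: a launch daemon verifies its own code signature at startup
// using SecCodeCopySelf + SecCodeCheckValidityWithErrors, and exits before
// doing any work if the on-disk binary has been modified.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES when the running executable's signature is valid and satisfies
// the requirement string `req`; otherwise fills *why with the reason.
static BOOL selfSignatureIsValid(NSString *req, NSString **why) {
    SecCodeRef code = NULL;
    SecRequirementRef requirement = NULL;
    CFErrorRef error = NULL;
    BOOL ok = NO;

    // Code object for the process we are running in.
    OSStatus st = SecCodeCopySelf(kSecCSDefaultFlags, &code);
    if (st != errSecSuccess) {
        if (why) *why = [NSString stringWithFormat:@"SecCodeCopySelf: %d", (int)st];
        goto cleanup;
    }
    // Pin identity as well as integrity: a valid signature from someone else
    // must not pass, so check against an explicit requirement, not just NULL.
    st = SecRequirementCreateWithString((__bridge CFStringRef)req,
                                        kSecCSDefaultFlags, &requirement);
    if (st != errSecSuccess) {
        if (why) *why = [NSString stringWithFormat:@"bad requirement: %d", (int)st];
        goto cleanup;
    }
    // Fails if any signed page/resource no longer matches the signature, e.g.
    // after a find-and-replace in a hex editor.
    st = SecCodeCheckValidityWithErrors(code, kSecCSDefaultFlags, requirement, &error);
    if (st == errSecSuccess) {
        ok = YES;
    } else if (why) {
        NSString *detail = error ? [(__bridge NSError *)error localizedDescription] : @"";
        *why = [NSString stringWithFormat:@"validity check failed: %d %@", (int)st, detail];
    }
cleanup:
    if (error) CFRelease(error);
    if (requirement) CFRelease(requirement);
    if (code) CFRelease(code);
    return ok;
}

int main(void) {
    @autoreleasepool {
        // Placeholder designated requirement: substitute your identifier and team ID.
        NSString *req = @"anchor apple generic and identifier \"com.example.daemon\" "
                         "and certificate leaf[subject.OU] = \"TEAMID0000\"";
        NSString *why = nil;
        if (!selfSignatureIsValid(req, &why)) {
            NSLog(@"refusing to run: %@", why);   // visible in the unified log
            return EXIT_FAILURE;                  // launchd records the non-zero exit
        }
        NSLog(@"signature intact; starting daemon work");
    }
    return EXIT_SUCCESS;
}
```

Print the requirement your build actually carries with codesign -d -r - on the signed binary and paste that in place of the placeholder; a mismatch there makes every launch fail, which the log line above will show.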

Aaron Gyes

Reputation: 11

Generally OS X's Gatekeeper will not prevent you from executing a binary that is not code signed or mis-signed, so long as you have already removed the quarantine attribute after downloading to approve it ("xxx is an application downloaded from the Internet..."). Also it will stand down if it seems like you are executing it on purpose (right click, Open, or execute in a Terminal). After something has been approved to run, Gatekeeper is done.

So this is a nice safeguard but very weak stuff, frankly. Nothing like iOS.

For your purposes, you may want to check out Ostiarius. This is a recently released tool that will cause the OS X kernel to refuse to execute any binary that is unsigned (or modified) and also from the Internet, period. You could use xattr to add the quarantine attribute to your binary so it will be affected.

And/or, in a launchd script that calls it, use codesign -dv to check the signature yourself before you are willing to launch it. You could also sandbox the app to make sure that if it were hijacked it would not be entitled to do absolutely everything.

Because this is a launchd process, the same security researcher has another free tool called BlockBlock that might interest you. I believe that it would prevent the binary from getting replaced in the first place until you approve it.

Frankly everything this guy has made is pretty cool. May want to check out the rest.

Upvotes: 1
