macOS security fundamentals for red team professionals - Part 1
Learn about SIP, entitlements, hardened runtime, app sandbox and how they work.
I recently ventured into macOS security and how to get past it for red team tradecraft. This series of posts contains an overview of components that make up macOS security architecture:
System Integrity Protection (SIP) - Protects certain parts of macOS from being written to or modified by malicious software. It achieves this by restricting the permissions of the root user account. As a result, even if malicious software obtains root access, it will not be able to alter the folders and apps protected by SIP. System Integrity Protection covers these parts of the system:
- /System
- /usr
- /bin
- /sbin
- /var
- Apps that are pre-installed with the Mac operating system
SIP allows modification of these protected parts only by processes that are signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. Apps that are downloaded from the App Store work with System Integrity Protection by default.
Executable Entitlements - Think of executable entitlements as rights or privileges granted to an app. These rights (or the lack of them) define what an app can or cannot do (its capabilities) on a machine running macOS. Developers configure entitlements for their app by declaring capabilities in Xcode; these are stored in a property list file with the `.entitlements` extension and are applied to the app during the code signing process.
Hardened Runtime - Helps prevent certain types of attacks, such as code injection, dynamically linked library hijacking, and process memory tampering, while the app is executing, i.e., at runtime. When enabled, it allows only signed code to be loaded into memory and restricts the creation of memory regions that are both writable and executable. Developers can disable individual hardened runtime checks by applying the relevant entitlement.
App Sandbox - This is an access control technology for macOS apps. It helps minimize the harm from a compromised app by restricting it to the minimum privileges it needs to function. It is a requirement for distributing an app via the App Store. If an app needs to access a restricted resource or protected file location at runtime, it must include the corresponding entitlement; otherwise the system denies access to the resource at runtime.
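The entitlements, hardened runtime and App Sandbox sections above all come together in one artifact: the entitlements plist baked into a signed app. As an added example (not code from the original post), here is a small Python script that parses such a plist and reports whether the app runs in the App Sandbox, which sandbox resource grants it declares, and which hardened runtime checks it has opted out of. The plist embedded below is constructed for this example; on a Mac the same XML comes from `codesign -d --entitlements - <App.app>` (add `--xml` on recent macOS versions). The entitlement keys are Apple's documented ones, and the one-line descriptions are my own summaries of what each exception relaxes.

```python
from __future__ import annotations
import plistlib

# Constructed sample entitlements plist (not from the original post). This is
# the shape of XML that `codesign -d --entitlements -` prints for a signed app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
</dict>
</plist>
"""

# Hardened runtime exception entitlements: when set to true, each one switches
# off a single runtime check. Descriptions are the author's summaries.
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "may map writable+executable memory via MAP_JIT (JIT code)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may create writable+executable memory without MAP_JIT",
    "com.apple.security.cs.disable-executable-page-protection":
        "executable page protection disabled entirely",
    "com.apple.security.cs.disable-library-validation":
        "may load libraries not signed by Apple or the same Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "dyld honours DYLD_* environment variables for this process",
    "com.apple.security.cs.debugger":
        "may attach to other processes as a debugger",
    "com.apple.security.get-task-allow":
        "other processes may obtain this process's task port",
}

SANDBOX_KEY = "com.apple.security.app-sandbox"


def load_entitlements(data: bytes) -> dict:
    """Parse an XML entitlements plist; the top level must be a dictionary."""
    ent = plistlib.loads(data)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must contain a top-level dict")
    return ent


def hardened_runtime_exceptions(ent: dict) -> list[str]:
    """Exception entitlements that are present AND set to true (false means no opt-out)."""
    return sorted(k for k in HARDENED_RUNTIME_EXCEPTIONS if ent.get(k) is True)


def is_sandboxed(ent: dict) -> bool:
    return ent.get(SANDBOX_KEY) is True


def sandbox_grants(ent: dict) -> list[str]:
    """Sandbox resource entitlements (network, files, devices, ...) granted to the app."""
    return sorted(
        k for k, v in ent.items()
        if k.startswith("com.apple.security.")
        and k != SANDBOX_KEY
        and k not in HARDENED_RUNTIME_EXCEPTIONS
        and v is True
    )


def review(data: bytes) -> dict:
    """Summarise the security posture declared by an entitlements plist."""
    ent = load_entitlements(data)
    return {
        "sandboxed": is_sandboxed(ent),
        "sandbox_grants": sandbox_grants(ent),
        "hardened_runtime_exceptions": hardened_runtime_exceptions(ent),
    }


if __name__ == "__main__":
    report = review(SAMPLE_ENTITLEMENTS)
    print("App Sandbox enabled:", report["sandboxed"])
    for key in report["sandbox_grants"]:
        print("  sandbox grant:", key)
    for key in report["hardened_runtime_exceptions"]:
        print("  hardened runtime exception:", key, "->", HARDENED_RUNTIME_EXCEPTIONS[key])
```

For the constructed plist the script reports a sandboxed app with one network grant and two hardened runtime exceptions (library validation disabled and `DYLD_*` variables honoured); `allow-jit` is listed but set to false, so it is correctly not counted as an exception. From a defender's side, the same check run over an app inventory is a quick way to spot which third-party apps have weakened their own runtime protections and therefore deserve closer monitoring.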
Red Team Notes
- System Integrity Protection (SIP) - Protects critical macOS system areas from modification, restricting even root user permissions.
- Executable Entitlements - Define app capabilities by granting specific rights.
- Hardened Runtime - Prevents runtime attacks like code injection and memory tampering by enforcing strict security checks.
- App Sandbox - Limits app privileges to reduce harm from compromised apps, requiring explicit entitlements for access to restricted resources.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.