How apps can check integrity better than macOS

Last week I looked in detail at the initial signature checks made when a notarized app is launched in Mojave 10.14.5. In normal use, the majority of apps being launched are well-known to the security system, which has already checked their signatures. In those circumstances, macOS is happy to accept its previous cached result, and launch the app without running those checks again.

This allows extensive modifications to be made to an app but for it to continue launching successfully. Those changes would otherwise be sufficient to cause errors on even the most basic of signature checks, such as changes being made to the app’s Info.plist file.

Although Apple doesn’t explain the signature checks normally performed by macOS, it does provide a wide range of static code validation flags for code to use in calls like SecStaticCodeCheckValidityWithErrors() which developers can use to perform their own signature checks. Some of those are explained in outline, but several are merely named and no information is provided. The list of these flags currently includes:

kSecCSDoNotValidateExecutable – which doesn’t evaluate the main executable code
kSecCSDoNotValidateResources – which doesn’t evaluate any bundle resources
kSecCSBasicValidateOnly – described as kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources, so it doesn’t evaluate either the main executable code or any bundle resources
kSecCSCheckNestedCode – which evaluates code in ‘standard locations’ but not elsewhere
kSecCSStrictValidate – which performs additional checks to ensure the bundle isn’t structured to allow tampering, and rejects any resource envelopes which might weaken the signature
kSecCSCheckAllArchitectures – which evaluates code for all architectures, not just the ‘native’ one
kSecCSFullReport – undocumented
kSecCSCheckGatekeeperArchitectures – undocumented
kSecCSRestrictSymlinks – undocumented
kSecCSRestrictToAppLike – undocumented
kSecCSRestrictSidebandData – undocumented
kSecCSUseSoftwareSigningCert – undocumented
kSecCSValidatePEH – undocumented, and leads to a crash if used!

When examined in the log, these checks follow one of two basic patterns. In the first, only one signature for the whole bundle is checked, with a log sequence such as
0.357287 trustd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (Sigourney[10740]/0#-1 LF=0) 0.357314 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0 0.358051 opendirectoryd UID: 0, EUID: 0, GID: 0, EGID: 0, PID: 10598, PROC: <private> 0.358074 opendirectoryd RPC: mbr_identifier_translate, Module: SystemCache, Type: <private>, Value: <private>, Requesting: <private> 0.358113 opendirectoryd SystemCache UUID: CFEEB10D-DECE-4A6D-A4DB-A40C0B21DA3E, user: 501@/Local/Default 0.358148 opendirectoryd mbr_identifier_translate completed, delivered 1 result
(times are in decimal seconds, with Sigourney as the name of the app performing the signature check.)

I don’t understand the OpenDirectory entries which seem to refer to the Master Boot Record, an odd thing to be examining in this context. However, they appear consistently after the first CRL check in each signature assessment of this kind.

In the other pattern of log entries, those are followed by a succession of additional checks working through the contents of the bundle, each consisting of paired entries such as
0.270438 trustd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (Sigourney[10661]/0#-1 LF=0) 0.270463 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0
Total time taken for this extended sequence is around 0.05 second for a basic app bundle, while the simpler check normally takes significantly less than 0.01 second.

The following validation flags only result in the short check being carried out:

kSecCSBasicValidateOnly
kSecCSDoNotValidateResources
kSecCSCheckNestedCode | kSecCSDoNotValidateResources
kSecCSStrictValidate | kSecCSDoNotValidateResources

The following validation flags result in fuller checks:

kSecCSCheckNestedCode
kSecCSStrictValidate
kSecCSCheckNestedCode | kSecCSStrictValidate

There were no differences in log entries made by those three checks: all reported the same sequence, and the same number of CRL fetches, for an app with conventional bundle structure.

The validation flags inevitably have a marked difference on the errors detected by a static code check. kSecCSBasicValidateOnly tolerates changes being made to the bundle’s Resources folder, and doesn’t notice the presence there of data, such as a PDF document, or code, such as the executable from another app. Neither does it notice addition of executable code to the main code folder, MacOS. It does, though, return an error when the Info.plist file is changed.

When macOS checks the signature of an unquarantined app on launch, its detection behaviour resembles that of the kSecCSBasicValidateOnly flag for a static code check, and specifically excludes resources. This ensures that the overall code signatre is checked, but apps still have flexibility over data such as Help books. When the quarantine flag is set, signature checking is much more thorough and will detect any discrepancies, including resources, which more closely resembles the effect of the kSecCSStrictValidate flag.

It is simple for developers to add code to check the integrity of their own apps. Incorporating a section similar to the following early during the app’s launch should suffice:
let myURL = Bundle.main.bundleURL var code: SecStaticCode? = nil let err: OSStatus = SecStaticCodeCreateWithPath(myURL as CFURL, [], &code) if (err == OSStatus(noErr)) && (code != nil) { var checkFlags: SecCSFlags? = nil checkFlags = SecCSFlags.init(rawValue: kSecCSCheckNestedCode) let secReq: SecRequirement? = nil var secErr: Unmanaged<CFError>? let csErr: OSStatus = SecStaticCodeCheckValidityWithErrors(code!, checkFlags!, secReq, &secErr) if csErr != errSecSuccess { NSApplication.shared.terminate(self) } if secErr != nil { secErr?.release() } } }

checksig

In that case, kSecCSCheckNestedCode is used to ensure that a normal app bundle is checked fully. Alternatively, the flag kSecCSStrictValidate would include coverage of structural changes which might otherwise be missed. There seems little point in combining the two, but adding kSecCSCheckAllArchitectures works around the potential for malicious code to be hidden as if it were for a different architecture.

One criticism levelled against this technique is that it only checks that the app bundle matches its current signature. It’s feasible for another app to make changes to that bundle and then apply a new signature to it. There are at least two ways of addressing that:

Check the secure timestamp of the signature, and require it to be, say, no more recent than a couple of hours after the original signing. Any subsequent re-signing of the bundle would then fail.
Check the code-signing entity, to ensure that only your signature is accepted.

No doubt there are other strategies available too.

Deciding what you do is a matter of balancing perceived risks. However, such static code checks never rely on cached assessments, and are an accurate assessment of the integrity of the app at the moment that the app is launched. Even for apps which are hardened and notarized, they add a valuable assurance.

Finally, for all users, it’s worth bearing in mind that the checks and protections discussed here are only available to apps (and other executable code) which are properly signed. While macOS will continue to run unsigned code and apps, without an Apple-provided developer signature none of these checks can be performed. App bundles can be thoroughly subverted, and there’s no way for macOS or the app to detect those changes. Just because most malware now gets signed doesn’t mean that signatures aren’t important.

7Comments

Add yours

1

Tihiy on July 18, 2019 at 2:40 pm

There are many hidden issues may arise if you decide to check your bundle on each startup.
That’s on ~500MB bundle.
1) Checks can be really slow. Like several seconds slow or several minutes if you don’t disable online validation. Verifying single file in a bundle still triggers whole bundle reading. Disk I/O is not cheap even on SSD.
2) Checks can crash. There were bugs in 10.12 (crashes by itself), 10.13 (crashes if used in multiple threads) and 10.14 (crashes by itself).
3) Validity of a bundle can be broken by a stupid user (changing something in a bundle), stupid app (some CleanMyMac version used to delete unused language resources from bundle), or system (Time Machine restore screws up signatures for script files).

We do check validity only for downloaded update files and for problem reports / logs.
We do that via codesign invocation with 2 minute timeout and yet it still known to time out or crash.
We got rid of all checks on startup and yet we still receive “namespace CODESIGNING” crash-on-startup reports because of obscure macOS bugs.

You better don’t trust the system. There are too many variables out of your control.
Those systems are perhaps broken but all other apps which don’t go this route are not affected.
This can change on 10.15 with notarised apps, but still, there will be users with SIP disabled.

Same principles apply to Windows. If you need anti-piracy or anti-hijack protection, on-disk code signature verification is not the answer: you need to do something smarter and more reliable.

LikeLiked by 1 person
- 2
  
  hoakley on July 18, 2019 at 3:17 pm
  
  Thank you.
  A 500 MB bundle is unusually large for an independent developer, but there’s no ‘hidden issue’ over the time it would take to check the signatures fully on that. As I detail in the article, if you have a very large Resources folder, there’s a flag to use which disables its checking. It’s not difficult to time such signature checks, and if your app is so large that it isn’t feasible, then clearly it’s not for that app.
  I’m interested to see that you reckon that in Mojave signature checks crash, because I’ve been using them quite a lot over the last few months and haven’t experienced any at all, nor have users reported them. There’s no good reason to use them outside the main thread either: in fact, that doesn’t seem a wise move if you want to terminate the app if the signature check fails.
  If users start modifying the contents of app bundles, then I’m afraid that I have absolutely no sympathy, particularly as I warn users that my apps check their own signatures.
  Any app which modifies app bundles is malware, pure and simple – it’s a malicious act, and if you know of a current product which does that, please let me know because I’d love to expose it here. In 10.14.5 and later and in Catalina, macOS can have serious problems as a result. It’s an utterly stupid thing to do, and the developers should be exposed for the damage that they are doing.
  I have never seen a TM restore change the contents of a data fork. Can you please give me a reference/link on that? Again, that is completely unacceptable. TM and other apps can change extended attributes safely, and there was a time when TM did, but as xattrs are excluded from signatures that doesn’t make any difference.
  I trust that you have filed bug reports with Apple for those bugs you have found? I’d be interested to know of Apple’s response to them, because such issues are normally taken very seriously. After all, macOS relies on the same fundamental mechanisms at first run of a quarantined app.
  I can’t comment on Windows – I know nothing about it, although I gather that signatures there don’t seem to be taken too seriously.
  What do you suggest for integrity checking that is “smarter and more reliable” then?
  Howard.
  
  LikeLike
  - 3
    
    Tihiy on July 18, 2019 at 8:27 pm
    
    Our app is Parallels Desktop; those crashes are rare but since our app is widely used we get all kinds of crashes you can imagine. Codesigning crash on 10.14 affects just 0.001% of installs.
    TM restores data fork correctly; however, for script files inside bundle, signatures are stored as xattrs afaik.
    As for evil cleaner, CleanMyMac used to do that. I didn’t use it – but guys from security lab @WWDC told me that – they hate it.
    And yes, we got support requests from users which are used to replacing ICNS files in our apps (with better icons?) and got very stinky the day we broke it.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on July 18, 2019 at 8:43 pm
      
      Ah – that’s a bit different from the far more humble and modest apps that others here work on! I’m delighted to meet you.
      Of course that’s a very different situation, and not one that appears to have any easy solution using signatures.
      The issue of TM and signatures is interesting. I hadn’t realised it, but of course the checksums used in signatures only include the data forks, not xattrs. I suppose this should be self-evident, as including xattrs would cause impossible problems with quarantine flags, for instance. So even if TM doesn’t restore xattrs correctly, it shouldn’t affect the checksums. But if it mangles the signature itself, which in scripts is normally attached as a xattr, that would be, um, messy. There is an interesting solution which I’m looking at: I hadn’t realised it, but the names of xattrs contains embedded flags for how they are to be treated when copying. It’s an obscure feature, but one which could be relevant here.
      Thanks for engaging here – I understand what you’re saying, but for us lesser mortals with tiny little apps, static integrity checks are thankfully quick and reliable enough, in my experience.
      I hope you’re enjoying the Catalina betas, and looking forward to running lots of macOS VMs for those of us who will still need 32-bit apps in the future!
      Howard.
      
      LikeLike
5

Joxster the Mighty on July 19, 2019 at 4:54 am

I’m one of those “stupid users” who occasionally changes the resource bundle in an app, but it is purely to modify the icon used. I won’t name the application, but it’s widely used; twice in the last ten years the same icon has been used for successive versions. This makes it extremely difficult to manage the multiple versions installed on a single machine (and, for development, testing and customer support reasons, that’s a common and useful occurrence throughout the userbase) and adding a text label with the version number to the icon seems like a relatively harmless change.

If anyone can recommend an alternative solution I’d really like to know.

LikeLiked by 1 person
- 6
  
  hoakley on July 19, 2019 at 8:16 am
  
  Thank you – I apologise if my words were offensive, but they certainly weren’t intended to be personal. I do appreciate the situation that some users face.
  The problem is that Apple is putting more and more behind the protection of SIP, quite rightly. That makes third-party apps increasingly vulnerable, as they aren’t normally so well protected (and you’d curse them even more if they were).
  For the moment, the best thing to do is whatever works best. Some apps do check their integrity, and I think it’s important that their docs should make that clear, so users know that they shouldn’t try changing the app. For those, the only option seems to be changing its name, I’m afraid. Others will, so long as their quarantine flag has been cleared, tolerate an icon change, at least in Mojave.
  I will look in more detail at this today with some test apps, and aim to publish an article here in the morning explaining what is possible. It won’t cover Catalina yet, as the betas are still changing quite substantially, so what might be fine in beta 4 may not work with later releases.
  Howard.
  
  LikeLike
- 7
  
  hoakley on July 19, 2019 at 10:37 am
  
  Full solution appearing at 0700 UTC tomorrow here. It’s rather an interesting story too.
  Howard.
  
  LikeLike

Share this:

Related