Mailing Lists: Apple Mailing Lists
 Image of Mac OS face in stamp
Re: Can an executable check if it's signed and running validated by GateKeeper?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Can an executable check if it's signed and running validated by GateKeeper?

Well, that certainly sounds like it won't slow down crackers much. Is using env variables the only way to substitute libraries, or are there other ways?

On 2012-05-14, at 3:53 AM, Jean-Daniel Dupas wrote:

> Using system functions from dynamic library is ineffective.
> It is pretty easy to write a simple library that interpose its own functions in place of the system one to always returns the application expected values.
> Then you just have to launch your application with the env var DYLD_INSERT_LIBRARIES set to the fake library path and you're done.
>
>
> Le 14 mai 2012 à 03:22, Dave Fernandes a écrit :
>
>> I can't speak to how effective you will be by doing this, but the code-signing APIs have been public since Snow Leopard. See SecCodeCopySelf(), SecCodeCheckValidityWithErrors(), SecCodeCopyStaticCode(), and SecStaticCodeCheckValidityWithErrors(). The first pair will get and check the running executable (from my understanding), and the second pair will get and check the static code on disk (including all resources included in the "seal"). You can also use the APIs to get the signing certificate chain and check whether it is really your public key in the leaf certificate.
>>
>> I'd love to hear whether anyone has found this to be an effective strategy, but the macsb yahoo group might be a better venue for this discussion.
>>
>> Dave
>>
>> On 2012-05-13, at 12:47 PM, Thomas Tempelmann wrote:
>>
>>> Not sure if this is the right place to ask, but I can't find hints about this in the Apple docs on code signing.
>>>
>>> I like my apps to double check that they're running validated by GateKeeper, i.e. that their codesigning is intact (not removed) and that GateKeeper wasn't disabled to run the executable.
>>>
>>> I.e, I do not want to trust GateKeeper taking care of everything but I want to check actively that it happened, as an added barrier against cracking of my code.
>>>
>>> Are there OS APIs for this?
>>>
>>> --
>>> Thomas Tempelmann, http://www.tempel.org/
>>> Follow me on Twitter: http://twitter.com/#!/tempelorg
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Apple-cdsa mailing list      (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Apple-cdsa mailing list      (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
> -- Jean-Daniel
>
>
>
>


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Can an executable check if it's signed and running validated by GateKeeper? (From: Thomas Tempelmann <email@hidden>)
 >Re: Can an executable check if it's signed and running validated by GateKeeper? (From: Dave Fernandes <email@hidden>)
 >Re: Can an executable check if it's signed and running validated by GateKeeper? (From: Jean-Daniel Dupas <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.