Re: Code Sign verification on Leopard
- Subject: Re: Code Sign verification on Leopard
- From: Charles Srstka <email@hidden>
- Date: Wed, 14 Oct 2009 23:35:27 -0500
On Oct 14, 2009, at 10:50 AM, Clark Cox wrote:

> You say that as if "getting infected by" and "being specifically
> targeted by" a virus are different things. Either a virus has targeted
> your application, and as such knows enough about it to modify its
> code (and therefore replace/defeat any signature check), or it's
> targeting something outside of your application (a framework, a bundle
> loaded into your application, etc.), in which case the changed code
> happens outside of your application's code and a signature check will
> not find any issues.
>
> If you're trying to detect malicious changes to your application, then
> checking your own signature is useless; the entity doing the check has
> to be beyond the reach of the malicious code in order to be trusted;
> once that check is inside the application code itself, it becomes
> useless.

Back in the old days when Macs had a fair number of viruses, a number
of them used to insert themselves into the code of every application
on the system. An early example of this was nVIR, which infected every
application it encountered with its own viral code, without knowing
anything about the application itself. It worked by patching the jump
table in the CODE 0 resource, so that particular method wouldn't work
on OS X, but I'm sure that with a sufficient knowledge of the
structure of the Mach-O format and of Intel assembly, one could do
something similar.

Actually, heck, you wouldn't even need that. All a virus would have to
do would be to move the binary somewhere else and put a binary in its
place that does something malicious and then launches the real binary,
and the user would never tell the difference.

Unless, of course, the app checked its code signature.

Charles
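
The point raised in the quoted text, that the checker has to sit outside the reach of the code being checked, as an added example that is not part of the original post: a small shell function that verifies a bundle from the outside with `codesign -v` and a pinned requirement, so a swapped-in binary shows up as unsigned or as signed by someone else. The function name, the `CODESIGN` override variable, the verdict strings and the requirement text in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an app's signature from OUTSIDE
# the app. Keep this script somewhere the checked app's files cannot modify.
# CODESIGN is overridable for testing; the default is the macOS codesign(1) tool.
CODESIGN="${CODESIGN:-codesign}"

# verify_bundle APP_PATH REQUIREMENT
# Prints a verdict and returns a status derived from codesign's exit code:
#   0 OK                    signature intact and requirement satisfied
#   1 TAMPERED_OR_UNSIGNED  no signature, or sealed content was modified
#   3 WRONG_SIGNER          validly signed, but not by the pinned identity
#   2 ERROR                 bad arguments, missing path, or tool failure
verify_bundle() {
    app=$1
    req=$2
    if [ -z "$app" ] || [ -z "$req" ] || [ ! -e "$app" ]; then
        echo "ERROR"
        return 2
    fi
    rc=0
    # -v verifies the seal; -R= additionally tests the pinned requirement.
    "$CODESIGN" -v -R="$req" "$app" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "OK" ;;
        1) echo "TAMPERED_OR_UNSIGNED" ;;
        3) echo "WRONG_SIGNER" ;;
        *) echo "ERROR"; rc=2 ;;
    esac
    return "$rc"
}

# Usage (placeholder identifier and certificate hash, replace with your own):
#   sh verify.sh /Applications/Example.app \
#     'identifier "com.example.App" and certificate leaf = H"<sha1-of-signing-cert>"'
if [ "$#" -eq 2 ]; then
    verify_bundle "$1" "$2"
    exit $?
fi
```

Pinning the requirement matters for the wrapper case described above: a replacement binary that its author re-signed would pass a bare `codesign -v`, but fails the `-R` test and is reported as `WRONG_SIGNER`.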