
Entitlements on Dylibs/Bundles (OS X)

Posted: Mon May 04, 2015 5:09 am
by patrick
After (re)reading your very informative post about Mobile_Obliterator / entitlements on iOS (http://newosxbook.com/articles/EveningW ... rator.html) - my question is, what is the point of adding entitlements to .dylibs/bundles?

You showed how entitlements can be verified by a 'server' task, via calls to SecTaskCreateWithAuditToken & SecTaskCopyValueForEntitlement. In my (minimal) reversing sessions this appears to only look at the entitlements attached to the task's main executable binary image?

For example, say we have a task A (client) with entitlements 'abc' (on its 'main' binary) that loads a dylib with entitlements 'def'. If that task then connects to task B (server) and task B invokes SecTaskCopyValueForEntitlement (e.g. to auth/verify task A), I only see it returning 'abc'... so what is the point of slapping entitlements onto the dylib(s)? When/how do entitlements on a dylib come into play?

Mahalo for your time :)

Re: Entitlements on Dylibs/Bundles (OS X)

Posted: Mon May 04, 2015 4:09 pm
by morpheus
Hi Patrick,

So, (re)reading my own article, I tried to see where there was an insinuation that the dylibs themselves are also signed with entitlements - I couldn't find any such mention. Your bewilderment is understandable, since, in fact, it doesn't make much sense. A dylib can certainly call SecTaskCopy... (i.e. csops(1)) to validate whether a caller has an entitlement - that's not that unusual, because Apple uses dylibs (frameworks, mostly) in the context of their own servers (e.g. MobileObliteration, as was the case in said article). But an entitlement in a code signature wouldn't be effective, since - as you correctly state - csops(1) retrieves the main binary's code signature, and the entitlements therein.

Dylibs' signatures are validated through CODE_SIGN_DRS, though, which makes sense so that only "known" dylibs are loaded (to thwart trojan dylib injections). I should note that the requirements grammar does actually allow specifying a rich array of conditions, which do include entitlements, and even specific fields of the Info.plist. Apple doesn't seem to be using this (yet?).

The attached quick sample (ripped from the latest version of ProcExp, which also handles Code Signatures nowadays) will hopefully be useful to demonstrate which entitlements get stored in the UBC, and where. There's a tar with an ARM and an x86_64 version. Mind you, this is quick and dirty, and will probably not be 100% stable. The procexp version will prove more stable :)

Hope this helps

J

Re: Entitlements on Dylibs/Bundles (OS X)

Posted: Thu May 14, 2015 1:49 am
by patrick
Thanks for your detailed response! Yah, the blog post didn't mention dylibs per se - but it did inspire me to go spelunking around on my OS X box dumping entitlements for various Mach-O binaries (using jtool --ent). I'm guessing, as you surmised, this is a feature that Apple may make use of in the future...
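As an added example (not the thread's attached sample or ProcExp code), here is a small parser that does what jtool --ent does for a 64-bit Mach-O: walk the load commands to LC_CODE_SIGNATURE, then pull the XML entitlements blob (slot 5) out of the code-signature SuperBlob. It reads whatever image it is handed, main executable or dylib alike, which is exactly the per-file view morpheus contrasts with the task-level csops check; it builds its own constructed, unsigned sample image inline so it runs offline, using the public loader.h / cs_blobs.h constants.

```python
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF              # 64-bit Mach-O, little-endian fields
LC_CODE_SIGNATURE = 0x1D              # linkedit_data_command -> signature
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_ENTITLEMENTS = 0xFADE7171     # XML plist entitlements blob
CSSLOT_ENTITLEMENTS = 5

def entitlements_from_macho(data: bytes) -> dict:
    """Return the entitlements embedded in one 64-bit Mach-O image, {} if none.
    Reads only the file it is handed; the task-level check the thread describes
    consults just the main executable's copy, never a loaded dylib's."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off = 32                          # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            return _entitlements_from_superblob(data[dataoff:dataoff + datasize])
        off += cmdsize
    return {}

def _entitlements_from_superblob(blob: bytes) -> dict:
    # Code-signature blobs are big-endian, unlike the Mach-O header.
    magic, _, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("LC_CODE_SIGNATURE does not point at a SuperBlob")
    for i in range(count):            # index entries follow the 12-byte header
        slot, offset = struct.unpack_from(">II", blob, 12 + 8 * i)
        if slot == CSSLOT_ENTITLEMENTS:
            bmagic, blen = struct.unpack_from(">II", blob, offset)
            if bmagic != CSMAGIC_ENTITLEMENTS:
                raise ValueError("entitlements slot has unexpected magic")
            return plistlib.loads(blob[offset + 8:offset + blen])
    return {}

def build_sample(ents: dict) -> bytes:
    """Constructed test input: a minimal Mach-O whose only load command is an
    LC_CODE_SIGNATURE whose SuperBlob holds nothing but an entitlements blob."""
    xml = plistlib.dumps(ents)
    ent_blob = struct.pack(">II", CSMAGIC_ENTITLEMENTS, 8 + len(xml)) + xml
    superblob = struct.pack(">IIIII", CSMAGIC_EMBEDDED_SIGNATURE,
                            20 + len(ent_blob), 1, CSSLOT_ENTITLEMENTS, 20) + ent_blob
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + 16, len(superblob))
    return header + lc + superblob
```

Newer macOS builds also embed a DER-encoded copy of the entitlements in slot 7 (magic 0xfade7172), which this reader skips; run it over a real dylib and its host executable side by side to see that each carries its own, independent blob.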