MACF auditing

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

MACF auditing

Postby scknight » Tue Feb 05, 2019 4:08 pm

Is there any built in way to audit when MACF hooks are called? Or would it be basically up to an additional kext to hook the things it wanted to audit and then go from there?
scknight
 
Posts: 56
Joined: Thu Nov 10, 2016 1:01 pm

Re: MACF auditing

Postby morpheus » Tue Feb 05, 2019 7:14 pm

On macOS, you could do that with DTrace (specifically, fbt, assuming SIP is off). Otherwise, the only way is to join the chain and have your own MACF hook installed.
morpheus
Site Admin
 
Posts: 723
Joined: Thu Apr 11, 2013 6:24 pm

Re: MACF auditing

Postby scknight » Wed Feb 06, 2019 4:05 pm

Thanks as always J. I am currently on macOS and DTrace seems like it will work nicely.

sudo dtrace -n 'fbt::csblob_get_entitlements:entry { stack(8); ustack(8); }'


Trying to take a closer look at entitlement checks. Here's some sample output from the dtrace probe above.

  1 184611    csblob_get_entitlements:entry
              kernel.development`IOUserClient::copyClientEntitlement(task*, char const*)+0x7f
              kernel.development`identitysvc+0x54
              kernel.development`unix_syscall64+0x2f8
              kernel.development`hndl_unix_scall64+0x16

              libsystem_kernel.dylib`__identitysvc+0xa
              opendirectoryd`0x0000000104eef2cf+0x62
              opendirectoryd`0x0000000104eed364+0x3b
              libdispatch.dylib`_dispatch_call_block_and_release+0xc
              libdispatch.dylib`_dispatch_client_callout+0x8
              libdispatch.dylib`_dispatch_root_queue_drain+0x3ea
              libdispatch.dylib`_dispatch_worker_thread2+0x5a
              libsystem_pthread.dylib`_pthread_wqthread+0x26b

  1 184611    csblob_get_entitlements:entry
              AppleMobileFileIntegrity`loadEntitlementsFromSignature(OSDictionary**, cs_blob*, char const**)+0x4f
              AppleMobileFileIntegrity`_vnode_check_signature(vnode*, label*, int, cs_blob*, unsigned int*, unsigned int*, int, char**, unsigned long*)+0x75
              kernel.development`mac_vnode_check_signature+0xc5
              kernel.development`ubc_cs_blob_add+0xb8
              kernel.development`fcntl_nocancel+0x2d97
              kernel.development`unix_syscall64+0x2f8
              kernel.development`hndl_unix_scall64+0x16

              libsystem_kernel.dylib`__fcntl+0xa
              Security`SecCodeMapMemory+0xa1
              CVMServer`cvmsCodeSignObjectFileImageFromElem+0x51c
              CVMServer`cvmsServerElementBuild+0x192
              CVMServer`__cvmsServInitializeConnection_block_invoke+0xa16
              libxpc.dylib`_xpc_connection_call_event_handler+0x38
              libxpc.dylib`_xpc_connection_mach_event+0x3a5
              libdispatch.dylib`_dispatch_client_callout4+0x9

  0 184611    csblob_get_entitlements:entry
              kernel.development`csops_internal+0x5ad
              kernel.development`unix_syscall64+0x2f8
              kernel.development`hndl_unix_scall64+0x16

              libsystem_kernel.dylib`csops_audittoken+0xa
              Security`SecTaskLoadEntitlements+0x2a
              Security`SecTaskCopyValueForEntitlement+0x3a
              apsd`0x0000000101564ab2+0x8f
              apsd`0x0000000101567830+0x116
              apsd`0x000000010155e314+0x32
              libxpc.dylib`_xpc_connection_call_event_handler+0x38
              libxpc.dylib`_xpc_connection_mach_event+0x3a5


You can definitely see how not everything funnels through the csops or cs_entitlements_blob_get calls. IOKit and AMFI call csblob_get_entitlements directly.
scknight
 
Posts: 56
Joined: Thu Nov 10, 2016 1:01 pm
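An added example, not part of the thread and not the poster's code: a small Python parser for the stack output above that classifies each csblob_get_entitlements() call by the kernel route that reached it (a mac_* MACF hook plus the policy module sitting under it, the csops syscall, or a direct in-kernel caller with no hook in between) and by a best-guess user-space requester. Its sample input is the three records posted above with the user-space frames trimmed. The "requester" heuristic (deepest non-.dylib module in the truncated ustack) is an assumption; printing execname in the probe action is the reliable way to get the process.

```python
"""Classify callers of csblob_get_entitlements() from DTrace fbt stack output.
Added example, not from the thread. Input format is what this probe prints:
  dtrace -n 'fbt::csblob_get_entitlements:entry { stack(8); ustack(8); }'
"""
import re
from collections import Counter

# Sample input: the three records posted in the thread, user-space frames trimmed.
SAMPLE_OUTPUT = """\
  1 184611    csblob_get_entitlements:entry
              kernel.development`IOUserClient::copyClientEntitlement(task*, char const*)+0x7f
              kernel.development`identitysvc+0x54
              kernel.development`unix_syscall64+0x2f8
              kernel.development`hndl_unix_scall64+0x16

              libsystem_kernel.dylib`__identitysvc+0xa
              opendirectoryd`0x0000000104eef2cf+0x62
              opendirectoryd`0x0000000104eed364+0x3b

  1 184611    csblob_get_entitlements:entry
              AppleMobileFileIntegrity`loadEntitlementsFromSignature(OSDictionary**, cs_blob*, char const**)+0x4f
              AppleMobileFileIntegrity`_vnode_check_signature(vnode*, label*, int, cs_blob*, unsigned int*, unsigned int*, int, char**, unsigned long*)+0x75
              kernel.development`mac_vnode_check_signature+0xc5
              kernel.development`ubc_cs_blob_add+0xb8
              kernel.development`fcntl_nocancel+0x2d97
              kernel.development`unix_syscall64+0x2f8
              kernel.development`hndl_unix_scall64+0x16

              libsystem_kernel.dylib`__fcntl+0xa
              Security`SecCodeMapMemory+0xa1
              CVMServer`cvmsCodeSignObjectFileImageFromElem+0x51c

  0 184611    csblob_get_entitlements:entry
              kernel.development`csops_internal+0x5ad
              kernel.development`unix_syscall64+0x2f8
              kernel.development`hndl_unix_scall64+0x16

              libsystem_kernel.dylib`csops_audittoken+0xa
              Security`SecTaskLoadEntitlements+0x2a
              Security`SecTaskCopyValueForEntitlement+0x3a
              apsd`0x0000000101564ab2+0x8f
"""

HEADER_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+):(\S+)\s*$")   # CPU  ID  function:name
FRAME_RE = re.compile(r"^\s*([^`]+)`(.+?)(?:\+0x[0-9a-f]+)?\s*$")  # module`symbol+offset

def parse_records(text):
    """Split DTrace output into records; stack() frames come first and the
    blank line after them starts the ustack() frames."""
    records, cur, section = [], None, "kstack"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        f = FRAME_RE.match(line)
        if m:
            cur = {"cpu": int(m.group(1)), "probe": m.group(3), "kstack": [], "ustack": []}
            records.append(cur)
            section = "kstack"
        elif cur is None:
            continue
        elif not line.strip():
            section = "ustack" if cur["kstack"] else section
        elif f:
            cur[section].append((f.group(1), f.group(2)))  # (module, symbol)
    return records

def short(symbol):
    # Drop a C++ parameter list so symbols compare by name only.
    return symbol.split("(", 1)[0]

def classify(rec):
    # Returns (path, syscall, policy): the kernel route that reached the lookup,
    # the BSD syscall handler below unix_syscall64, and the MAC policy module
    # (the frame just below a mac_* hook), where each applies.
    frames = [(mod, short(sym)) for mod, sym in rec["kstack"]]
    syms = [s for _, s in frames]
    syscall = next((syms[i - 1] for i, s in enumerate(syms) if s == "unix_syscall64" and i), None)
    hook = next((i for i, s in enumerate(syms) if s.startswith("mac_")), None)
    if hook is not None:
        return f"MACF hook {syms[hook]}", syscall, frames[hook - 1][0] if hook else None
    direct = syms[0] if syms else "?"
    if direct.startswith("csops"):
        return "csops(2)", syscall, None
    return f"in-kernel caller {direct} (no MACF hook)", syscall, None

def requester(rec):
    # Heuristic (assumption): deepest user frame whose module is not a .dylib.
    # ustack(8) often truncates before the main executable; prefer execname.
    for module, _ in reversed(rec["ustack"]):
        if not module.endswith(".dylib"):
            return module
    return "?"

def summarize(text):
    """One row per csblob_get_entitlements() call."""
    rows = []
    for rec in parse_records(text):
        path, syscall, policy = classify(rec)
        rows.append({"requester": requester(rec), "path": path, "syscall": syscall, "policy": policy})
    return rows

def path_counts(text):
    """How many lookups arrived via each kernel route."""
    return Counter(row["path"] for row in summarize(text))
```

Run over the three records it reports one lookup via the mac_vnode_check_signature hook with AppleMobileFileIntegrity as the policy (fcntl path, CVMServer), one via csops(2) (apsd), and one from IOUserClient::copyClientEntitlement with no MACF hook on the stack (identitysvc, opendirectoryd), which is the "not everything funnels through csops" observation in tabular form.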

