Entitlements on Dylibs/Bundles (OS X)

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby patrick » Mon May 04, 2015 5:09 am

After (re)reading your very informative post about Mobile_Obliterator / entitlements on iOS (http://newosxbook.com/articles/EveningW ... rator.html) - my question is, what is the point of adding entitlements to .dylibs/bundles?

You showed how entitlements can be verified by a 'server' task, via calls to SecTaskCreateWithAuditToken & SecTaskCopyValueForEntitlement. In my (minimal) reversing sessions this appears to only look at the entitlements attached to the task's main executable binary image?

For example, say we have a task A (client) with entitlements 'abc' (on its 'main' binary) that loads dylib with entitlements 'def'. If that task then connects to task B (server) and task B invokes SecTaskCopyValueForEntitlement (e.g. to auth/verify task A), I only see it returning 'abc' ...so what is the point of slapping entitlements onto the dylib(s)? When/how do entitlements on a dylib come into play?

Mahalo for your time :)

Re: Entitlements on Dylibs/Bundles (OS X)

Postby morpheus » Mon May 04, 2015 4:09 pm

Hi Patrick,

So, (re)reading my own article, I tried to see where there was an insinuation that the dylibs themselves are also signed with entitlements - I couldn't find any such mention. Your bewilderment is understandable, since, in fact, it doesn't make much sense. A dylib can certainly call SecTaskCopy... (i.e. csops(1)) to validate whether a caller has an entitlement - that's not that unusual, because Apple uses dylibs (frameworks, mostly) in the context of their own servers (e.g. MobileObliteration, as was the case in said article). But an entitlement in a code signature wouldn't be effective, since - as you correctly state - csops(1) retrieves the main binary's code signature, and the entitlements therein.

Dylibs' signatures are validated through CODE_SIGN_DRS, though, which makes sense so that only "known" dylibs are loaded (to thwart trojan dylib injections). I should note that the requirements grammar does actually allow one to specify a rich array of conditions, which do include entitlements, and even specific fields of the Info.plist. Apple doesn't seem to be using this (yet?).

The attached quick sample (ripped from the latest version of ProcExp, which also handles Code Signatures nowadays), will hopefully be useful to demonstrate which entitlements get stored in the UBC, and where. There's a tar with an ARM and x86_64 version. Mind you, this is quick and dirty, and will probably not be 100% stable. The procexp version will prove more stable :)

Hope this helps

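The following is an added example, not code from this thread, from ProcExp or from jtool: a small Python parser that walks a 64-bit Mach-O's load commands to LC_CODE_SIGNATURE, reads the big-endian embedded-signature SuperBlob it points at, and pulls the entitlements blob (slot 5, magic 0xfade7171) out of it, which is what `jtool --ent` reports for a file on disk. The sample Mach-O is constructed inside the script (a header, one LC_CODE_SIGNATURE load command, and a SuperBlob holding a zero-filled CodeDirectory placeholder plus an entitlements plist), so it runs offline; nothing here verifies a signature. The entitlement names in the sample are made up.

```python
import struct
import plistlib

# Mach-O header / load-command constants (<mach-o/loader.h>); header is little-endian on x86_64/arm64
MH_MAGIC_64 = 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D

# Code-signing blob constants (cs_blobs.h); everything inside the signature is big-endian
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_ENTITLEMENTS = 0xFADE7171
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ENTITLEMENTS = 5


def find_code_signature(macho):
    """Return the bytes LC_CODE_SIGNATURE points at (the SuperBlob), or None if unsigned."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmd == LC_CODE_SIGNATURE:
            # struct linkedit_data_command: cmd, cmdsize, dataoff, datasize
            dataoff, datasize = struct.unpack_from("<2I", macho, off + 8)
            return macho[dataoff:dataoff + datasize]
        off += cmdsize
    return None


def parse_superblob(blob):
    """Map slot type -> (blob magic, blob payload) for each sub-blob of an embedded signature."""
    magic, length, count = struct.unpack_from(">3I", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not a CSMAGIC_EMBEDDED_SIGNATURE SuperBlob")
    if length > len(blob):
        raise ValueError("SuperBlob length exceeds available data")
    slots = {}
    for i in range(count):
        slot_type, offset = struct.unpack_from(">2I", blob, 12 + 8 * i)  # CS_BlobIndex entries
        bmagic, blen = struct.unpack_from(">2I", blob, offset)          # generic blob header
        if offset + blen > length:
            raise ValueError("blob in slot %d overruns the SuperBlob" % slot_type)
        slots[slot_type] = (bmagic, blob[offset + 8:offset + blen])
    return slots


def extract_entitlements(macho):
    """Entitlements dict signed into this image, or None (unsigned / no entitlements blob)."""
    sig = find_code_signature(macho)
    if sig is None:
        return None
    ent = parse_superblob(sig).get(CSSLOT_ENTITLEMENTS)
    if ent is None or ent[0] != CSMAGIC_ENTITLEMENTS:
        return None
    return plistlib.loads(ent[1])  # the blob payload is an XML plist


def _blob(magic, payload):
    return struct.pack(">2I", magic, 8 + len(payload)) + payload


def build_sample_macho(entitlements):
    """Constructed sample: a minimal, non-runnable Mach-O whose only load command is LC_CODE_SIGNATURE.
    The CodeDirectory is a zero-filled placeholder; a real one carries the page hashes and is signed."""
    blobs = [
        (CSSLOT_CODEDIRECTORY, _blob(CSMAGIC_CODEDIRECTORY, b"\x00" * 16)),
        (CSSLOT_ENTITLEMENTS, _blob(CSMAGIC_ENTITLEMENTS, plistlib.dumps(entitlements, fmt=plistlib.FMT_XML))),
    ]
    index, body = b"", b""
    off = 12 + 8 * len(blobs)  # payloads start right after the SuperBlob header and index
    for slot, b in blobs:
        index += struct.pack(">2I", slot, off)
        body += b
        off += len(b)
    superblob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, off, len(blobs)) + index + body
    lc_size = 16
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, lc_size, 0, 0)  # CPU_TYPE_X86_64, MH_EXECUTE
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, lc_size, 32 + lc_size, len(superblob))
    return header + lc + superblob


if __name__ == "__main__":
    sample = build_sample_macho({"com.example.abc": True, "com.apple.security.app-sandbox": True})
    print(extract_entitlements(sample))
```

Run against a real file (`extract_entitlements(open(path, "rb").read())`) this shows what is signed into that image, whether it is a main executable or a dylib; the point of the thread is that csops only ever consults the main executable's SuperBlob for a running task, so entitlements found this way inside a dylib are not what SecTaskCopyValueForEntitlement will return. Fat binaries and 32-bit images are out of scope for the parser as written.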

Re: Entitlements on Dylibs/Bundles (OS X)

Postby patrick » Thu May 14, 2015 1:49 am

Thanks for your detailed response! Yah, the blog post didn't mention dylibs per se - but did inspire me to go spelunking around on my OS X box dumping entitlements for various Mach-O binaries (using jtool --ent). I'm guessing, as you surmised, this is a feature that Apple may make use of in the future...
