Showing results for tags 'sip'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Getting Started
    • Guidelines
    • New Users
    • Site Issues and Feedback
  • Applications Support
    • Gatekeeper Toggler
    • Mac Tweaks
    • Mac Optimizer
    • ISO Image Creator
    • Enable Boot Manager
  • News and Events
    • Apple News and Events
  • Apple Computers
    • Apple Silicon Based Macs
    • Intel Based Macs
  • macOS Discussions on Genuine Apple Hardware
    • macOS Sonoma
    • macOS Ventura
    • macOS Monterey
    • macOS Big Sur
    • General Discussion
    • Legacy macOS
    • Legacy Mac OS X
  • Install macOS on Unsupported Macs
    • Building and Using OpenCore Legacy Patcher
    • OpenCore Legacy Patcher Configurations
    • Other Methods
  • Hackintosh
    • macOS Sonoma
    • macOS Ventura
    • macOS Monterey
    • macOS Big Sur
    • OpenCore
    • OpenCore Legacy Patcher Hackintosh Discussion
    • General Discussions
    • Legacy macOS
    • Legacy Mac OS X
    • Modern Systems
    • Legacy Systems

Categories

  • Applications
    • Tools
  • OpenCore Legacy Patcher
  • Hackintosh
  • Kexts

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


About Me

Found 1 result

  1. We all know very well that what SIP is and how to manipulate it using csrutil command but what really happens if you completely disable SIP or what happens if you partially disable SIP? System Integrity Protection (SIP) is a security technology in macOS that safeguards certain system directories from unauthorized access, even for the root user. It prevents modifications to these directories, including creation, alteration, or deletion of files. The main directories that SIP protects are: /System /bin /sbin /usr The protection rules for these directories and their subdirectories are specified in the /System/Library/Sandbox/rootless.conf file. In this file, paths starting with an asterisk (*) represent exceptions to SIP's restrictions. SIP also imposes several other restrictions. For instance, it disallows the loading of unsigned kernel extensions (kexts) and prevents the debugging of macOS system processes. It also inhibits tools like dtrace from inspecting system processes. When you bypass SIP or when an attacker manages to bypass SIP this is what he will earn: Read mail, messages, Safari history... of all users Grant permissions for webcam, microphone or anything (by directly writing over the SIP protected TCC database) Persistence: He could save a malware in a SIP protected location and not even toot will be able to delete it. Also he could tamper with MRT. Easiness to load kernel extensions (still other hardcore protections in place for this). 
According to this document which explains in depth you expose your system to serous risks when SIP is disabled: https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip On another section there are details about AMFI (Apple Mobile File Integrity): Trust Cache: The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to prevent unauthorized or malicious software from running. Essentially, it is a list of cryptographic hashes that the operating system uses to verify the integrity and authenticity of the software. When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the hash of the file is found in the trust cache, the system allows the program to run because it recognizes it as trusted. You can also read the full article here: https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections