We all know very well what SIP is and how to manipulate it using the csrutil command, but what really happens if you completely disable SIP, or what happens if you partially disable SIP?

System Integrity Protection (SIP) is a security technology in macOS that safeguards certain system directories from unauthorized access, even for the root user. It prevents modifications to these directories, including creation, alteration, or deletion of files. The main directories that SIP protects are:
/System
/bin
/sbin
/usr

The protection rules for these directories and their subdirectories are specified in the /System/Library/Sandbox/rootless.conf file. In this file, paths starting with an asterisk (*) represent exceptions to SIP's restrictions.

SIP also imposes several other restrictions. For instance, it disallows the loading of unsigned kernel extensions (kexts) and prevents the debugging of macOS system processes. It also inhibits tools like dtrace from inspecting system processes.

When you bypass SIP, or when an attacker manages to bypass SIP, this is what he will gain:

Read mail, messages, Safari history... of all users

Grant permissions for webcam, microphone or anything (by directly writing over the SIP protected TCC database)

Persistence: He could save malware in a SIP protected location and not even root will be able to delete it. Also he could tamper with MRT.

Easier loading of kernel extensions (there are still other hardcore protections in place for this).

According to this document, which explains it in depth, you expose your system to serious risks when SIP is disabled:

https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip

In another section there are details about AMFI (Apple Mobile File Integrity):

Trust Cache:

The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to prevent unauthorized or malicious software from running. Essentially, it is a list of cryptographic hashes that the operating system uses to verify the integrity and authenticity of the software.

When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the hash of the file is found in the trust cache, the system allows the program to run because it recognizes it as trusted.

You can also read the full article here:

https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections

  • Cyberdevs changed the title to An interesting read about SIP and AMFI
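As an added example that is not part of the original post or of HackTricks: a small Python helper for the two questions the post raises, what a partially disabled SIP actually leaves open, and which paths the rootless.conf rules cover. The first function parses `csrutil status` output (including the "Custom Configuration" form a partially disabled system reports) and lists which of the restrictions discussed above are currently off; the second parses rootless.conf-style entries and decides whether a given path is protected, an asterisk exception, or outside SIP altogether. The status text and the rootless.conf excerpt are constructed samples modelled on the real formats, the feature-to-consequence mapping is my own summary of the post, and the longest-prefix rule is an assumption about how exceptions nest under protected roots; verify both against a real machine before relying on them.

```python
"""SIP state helpers (added example; all sample text below is constructed)."""
import re

# Which line of a custom `csrutil status` Configuration block governs which of
# the restrictions the post lists. Assumption: labels match csrutil's output.
SIP_FEATURES = {
    "Kext Signing": "unsigned kernel extensions can be loaded",
    "Filesystem Protections": "root can write under /System, /bin, /sbin, /usr",
    "Debugging Restrictions": "system processes can be attached to with a debugger",
    "DTrace Restrictions": "dtrace can inspect system processes",
    "NVRAM Protections": "protected NVRAM variables such as boot-args are writable",
}

# Constructed `csrutil status` output for a system where only the kext and
# debugging parts of SIP were switched off (partial disable).
CUSTOM_STATUS = (
    "System Integrity Protection status: unknown (Custom Configuration).\n\n"
    "Configuration:\n"
    "\tApple Internal: disabled\n"
    "\tKext Signing: disabled\n"
    "\tFilesystem Protections: enabled\n"
    "\tDebugging Restrictions: disabled\n"
    "\tDTrace Restrictions: enabled\n"
    "\tNVRAM Protections: enabled\n"
    "\tBaseSystem Verification: enabled\n"
)


def parse_csrutil_status(text):
    """Map each known SIP feature to True (enabled) or False (disabled).

    A fully enabled or fully disabled status line carries no per-feature
    detail, so every feature takes the overall value. A partially disabled
    system reports "unknown (Custom Configuration)" and lists each feature.
    """
    m = re.search(r"System Integrity Protection status:\s*(\w+)", text)
    if not m:
        raise ValueError("not csrutil status output")
    overall = m.group(1).lower()
    if overall in ("enabled", "disabled"):
        return {f: overall == "enabled" for f in SIP_FEATURES}
    state = {}
    for feat, val in re.findall(r"^\s*([A-Za-z ]+):\s*(enabled|disabled)\s*$",
                                text, re.M):
        if feat.strip() in SIP_FEATURES:
            state[feat.strip()] = (val == "enabled")
    return state


def weakened_restrictions(text):
    """What an attacker gains from every SIP feature that is currently off."""
    return [SIP_FEATURES[f] for f, on in parse_csrutil_status(text).items() if not on]


# Constructed excerpt in the style of /System/Library/Sandbox/rootless.conf:
# an optional "*" (exception) column, then the path, tab separated.
ROOTLESS_CONF = (
    "# comment lines are ignored\n"
    "\t\t\t\t/Applications/Safari.app\n"
    "\t\t\t\t/bin\n"
    "\t\t\t\t/sbin\n"
    "\t\t\t\t/usr\n"
    "*\t\t\t\t/usr/local\n"
    "*\t\t\t\t/usr/share/man\n"
    "\t\t\t\t/System\n"
    "*\t\t\t\t/System/Library/Caches\n"
)


def parse_rootless_conf(text):
    """Split rootless.conf-style text into (protected paths, exception paths)."""
    protected, exceptions = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cols = [c.strip() for c in line.split("\t") if c.strip()]
        path = cols[-1]  # the path is always the last column
        (exceptions if cols[0] == "*" else protected).append(path)
    return protected, exceptions


def sip_path_status(path, protected, exceptions):
    """Return 'protected', 'exception' or 'unprotected' for `path`.

    Assumption: the most specific (longest) matching entry wins, so an
    asterisk entry below a protected root carves out a writable subtree.
    """
    def longest_match(roots):
        hits = [r for r in roots
                if path == r or path.startswith(r.rstrip("/") + "/")]
        return max(hits, key=len) if hits else ""

    p, e = longest_match(protected), longest_match(exceptions)
    if not p:
        return "unprotected"
    return "exception" if len(e) > len(p) else "protected"


if __name__ == "__main__":
    for gain in weakened_restrictions(CUSTOM_STATUS):
        print("SIP partially disabled:", gain)
    prot, exc = parse_rootless_conf(ROOTLESS_CONF)
    for p in ("/usr/bin/python3", "/usr/local/bin/brew", "/Users/me/Downloads"):
        print(p, "->", sip_path_status(p, prot, exc))
```

On a real Mac you would feed `parse_csrutil_status` the output of `csrutil status` and `parse_rootless_conf` the contents of /System/Library/Sandbox/rootless.conf; the point of the longest-prefix check is that /usr/local/bin/brew is writable by root while /usr/bin/python3 next to it is not, which is exactly the distinction the asterisk lines encode.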
