Add macOS Security Overview #270

Open: wants to merge 150 commits into base: main

Conversation

friadev

@friadev friadev commented Aug 8, 2024

Want to cover FileVault, App Sandbox, Hardened Runtime, XProtect, Gatekeeper, Notarization, threat models for each

Disclosure: I copied/used parts of https://github.com/drduh/macOS-Security-and-Privacy-Guide?tab=readme-ov-file#app-sandbox but I wrote those parts so I'm only plagiarizing myself. I also copied parts of official Apple documentation, didn't want to change them for the sake of accurate information. Wherever I do I link back to the source.


netlify bot commented Aug 8, 2024

Deploy Preview for privsec-dev ready!

Built without sensitive environment variables

Latest commit: c6150d2
Latest deploy log: https://app.netlify.com/sites/privsec-dev/deploys/67d7dde2ca64d4000832aa6c
Deploy Preview: https://deploy-preview-270--privsec-dev.netlify.app

@friadev friadev marked this pull request as ready for review August 10, 2024 04:17
@friadev friadev marked this pull request as draft August 10, 2024 04:29
@friadev friadev marked this pull request as ready for review August 10, 2024 04:37

ghost commented Nov 26, 2024

The reasoning needs work. This is not the reason for the attack surface


ghost commented Nov 26, 2024

Will it be recommended to use Safari or will the recommendation be to use a Chromium-based browser?


friadev commented Nov 27, 2024

The reasoning needs work. This is not the reason for the attack surface

I can remove that part I guess. I'm not really aware of any other way it increases attack surface.

From https://support.apple.com/en-gb/guide/security/secebb113be1/web:

Just-in-time translation
In the just-in-time (JIT) translation pipeline, an x86_64 Mach object is identified early in the image execution path. When these images are encountered, the kernel transfers control to a special Rosetta translation stub rather than to the dynamic link editor, dyld(1). The translation stub then translates x86_64 pages during the image’s execution. This translation takes place entirely within the process. The kernel still verifies the code hashes of each x86_64 page against the code signature attached to the binary as the page is faulted in. In the event of a hash mismatch, the kernel enforces the remediation policy appropriate for that process.

Unsigned x86_64 code
A Mac with Apple silicon doesn’t permit native arm64 code to execute unless a valid signature is attached. This signature can be as simple as an ad hoc code signature (cf. codesign(1)) that doesn’t bear any actual identity from the secret half of an asymmetric key pair (it’s simply an unauthenticated measurement of the binary).
For binary compatibility, translated x86_64 code is permitted to execute through Rosetta with no signature information at all. No specific identity is conveyed to this code through the device-specific Secure Enclave signing procedure, and it executes with precisely the same limitations as native unsigned code executing on an Intel-based Mac.

I'm not sure how significant those are.


friadev commented Nov 27, 2024

Will it be recommended to use Safari or will the recommendation be to use a Chromium-based browser?

I think just leave it up to the reader.

@nihil-admirari

NIST offers configuration profiles and scripts for automatic configuration: https://github.com/usnistgov/macos_security/tree/sequoia. Can some of them be recommended?


macOS comes with a built-in [firewall](https://support.apple.com/guide/mac-help/change-firewall-settings-on-mac-mh11783/mac). Make sure it's enabled at the very least, but you can block all incoming connections for the best security/privacy.

Avoid third-party firewalls like LittleSnitch or LuLu that require you to install a system extension. They don't cover DNS so data exfiltration is still possible.


  1. LittleSnitch and LuLu block outgoing connections; built-in firewall – only incoming. There's no built-in replacement for these tools.
  2. Latest version of LittleSnitch does cover DNS. With LuLu, it's possible to use dnscrypt-proxy locally.

Member


There are other bypasses. This should be updated with the empty TCP connection bypass; that one is trivial.


All encryption keys are handled by the Secure Enclave. Swap space is also [encrypted](https://support.apple.com/en-euro/guide/mac-help/mh11852/mac).

Your Mac is at its most secure when it's fully off and the data is at rest. Depending on your threat model, it might behoove you to turn your Mac off completely whenever you're not using it, especially since Macs do not have memory encryption.


macOS can be forced to clear FileVault keys from memory when hibernating by executing:

sudo pmset -a hibernatemode 25

and installing the DestroyFVKeyOnStandby profile.

Member


Is this actually documented anywhere by Apple or nah?


man pmset, online version e.g. at https://www.unix.com/man_page/osx/1/pmset/

hibernatemode = 25 (binary 0001 1001) is only settable via pmset. The system will store a copy of memory to persistent storage (the disk), and will remove power to memory. The system will restore from disk image. If you want "hibernation" - slower sleeps, slower wakes, and better battery life, you should use this setting.

Configuration profiles documentation: https://developer.apple.com/documentation/devicemanagement/fdefilevaultoptions.

All configuration profiles in an official Git repository; check new commits after every system update to see the difference between releases: https://github.com/apple/device-management/tree/release/mdm/profiles.


hibernatemode = 25 makes fingerprint unlock useless. Every time you try to wake your Mac from sleep, you have to wait 10 seconds and input your password.


nihil-admirari commented Jan 16, 2025

May be worth adding:

Compared to Linuxes, macOS doesn't sanitise $HOME when executing sudo: https://scriptingosx.com/2024/03/zsh-scripts-and-root-escalations/. It means that the entire content of shell init scripts is executed as root when elevating.

HOME can be removed from the following line in /etc/sudoers to mitigate it:

Defaults  env_keep += "HOME MAIL"

It may also be worthwhile to mark shell init scripts as immutable as the link suggests.
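An added offline audit example, not code from the PR or the article it adds, covering the hibernatemode / DestroyFVKeyOnStandby settings from the review comments above and the env_keep HOME and schg points in this comment. It runs over constructed copies of `pmset -g`, /etc/sudoers and `ls -lO` output, so the pmset key names and column layout are assumptions taken from the man page quoted earlier rather than captured from a real machine.

```shell
#!/bin/sh
# Added audit helpers (not code from the PR or the article it adds). They parse
# text captured from a Mac, so they run anywhere: `pmset -g` output for the
# hibernate/FileVault discussion, /etc/sudoers for the env_keep HOME issue, and
# `ls -lO` output for the schg flag on shell init files. All samples are constructed.

SAMPLE_PMSET='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 hibernatefile        /var/vm/sleepimage'

SAMPLE_SUDOERS='Defaults  env_reset
Defaults  env_keep += "BLOCKSIZE"
Defaults  env_keep += "HOME MAIL"
root ALL = (ALL) ALL'

# ls -lO prints BSD file flags between the group and the size column.
SAMPLE_LS='-rw-r--r--  1 user  staff  schg  1204 Jan 16 10:00 .zshrc
-rw-r--r--  1 user  staff  -      812 Jan 16 10:00 .zprofile'

# pmset_value TEXT KEY: print the value of KEY from pmset -g style output.
pmset_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Succeeds when hibernatemode 25 and DestroyFVKeyOnStandby are both in effect,
# i.e. the combination discussed in the review thread above.
fv_keys_destroyed_on_standby() {
    [ "$(pmset_value "$1" hibernatemode)" = "25" ] &&
    [ "$(pmset_value "$1" DestroyFVKeyOnStandby)" = "1" ]
}

# Succeeds when some env_keep directive preserves HOME, which makes sudo run the
# invoking user's shell init files as root.
sudoers_keeps_home() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Defaults/ && /env_keep/ && match($0, /"[^"]*"/) {
            list = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(list, vars, /[ \t]+/)
            for (i = 1; i <= n; i++) if (vars[i] == "HOME") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print sudoers text with HOME removed from every env_keep list (the mitigation
# from the comment). Review the result and install it with visudo, not cp.
fix_sudoers_home() {
    printf '%s\n' "$1" | sed -E -e '/env_keep/ s/"HOME"/""/' \
        -e '/env_keep/ s/"HOME /"/' -e '/env_keep/ s/ HOME"/"/' \
        -e '/env_keep/ s/ HOME / /'
}

# file_has_schg LS_TEXT NAME: succeeds when NAME's ls -lO line carries schg.
file_has_schg() {
    printf '%s\n' "$1" | awk -v name="$2" '$NF == name { if ($5 ~ /schg/) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

fv_keys_destroyed_on_standby "$SAMPLE_PMSET" && echo "FileVault keys cleared on standby"
sudoers_keeps_home "$SAMPLE_SUDOERS" && echo "sudo keeps HOME: init files run as root"
file_has_schg "$SAMPLE_LS" .zprofile || echo ".zprofile is not immutable (schg)"
```

On a real Mac, feed the functions `"$(pmset -g)"`, `"$(sudo cat /etc/sudoers)"` and `"$(ls -lO ~)"` instead of the constructed samples.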

@TommyTran732
Member

@friadev @nihil-admirari is right on the point about schg: it is not bypassable like chattr -i on Linux. This is quite interesting. We 100% should mention this. And we gotta somehow word it so that it's clear this mitigates attacks against the shell but still will not stop other scenarios of unsandboxed apps attacking each other.


oppressor1761 commented Mar 20, 2025

I suggest using configuration profiles instead of the command line to alter system settings.
It's easier to keep track of the settings you made, and settings in profiles cannot be overwritten. There is a specific payload for you to make custom changes.
Configuration Profiles also give the user additional control over macOS functions. They allow users to turn off a bunch of functions to further reduce attack surface. For example, I have the following profile for my Mac:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>SystemPolicyControl</string>
			<key>PayloadType</key>
			<string>com.apple.systempolicy.control</string>
			<key>PayloadUUID</key>
			<string>**********************************</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.systempolicy.control.**********************************</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>EnableAssessment</key>
			<true/>
			<key>AllowIdentifiedDevelopers</key>
			<false/>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>EnergySaver</string>
			<key>PayloadType</key>
			<string>com.apple.MCX</string>
			<key>PayloadUUID</key>
			<string>**********************************</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.MCX.**********************************</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>DestroyFVKeyOnStandby</key>
			<true/>
			<key>com.apple.EnergySaver.portable.BatteryPower</key>
			<dict>
				<key>Hibernate Mode</key>
				<integer>3</integer>
			</dict>
			<key>com.apple.EnergySaver.portable.BatteryPower-ProfileNumber</key>
			<integer>-1</integer>
			<key>com.apple.EnergySaver.portable.ACPower</key>
			<dict>
				<key>Hibernate Mode</key>
				<integer>3</integer>
			</dict>
			<key>com.apple.EnergySaver.portable.ACPower-ProfileNumber</key>
			<integer>-1</integer>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>ManagedPreferences</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>**********************************</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.ManagedClient.preferences.**********************************</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PayloadContent</key>
			<dict>
				<key>com.apple.finder</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>AppleShowAllFiles</key>
								<string>true</string>
							</dict>
						</dict>
					</array>
				</dict>
			</dict>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Restrictions</string>
			<key>PayloadType</key>
			<string>com.apple.applicationaccess</string>
			<key>PayloadUUID</key>
			<string>**********************************</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.applicationaccess.**********************************</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>forceOnDeviceOnlyDictation</key>
			<true/>
			<key>allowAssistant</key>
			<false/>
			<key>allowCloudFreeform</key>
			<false/>
			<key>allowApplePersonalizedAdvertising</key>
			<false/>
			<key>allowActivityContinuation</key>
			<false/>
			<key>allowPasswordProximityRequests</key>
			<false/>
			<key>allowPasswordSharing</key>
			<false/>
			<key>allowDiagnosticSubmission</key>
			<false/>
			<key>allowDiagnosticSubmissionModification</key>
			<false/>
			<key>allowCloudPhotoLibrary</key>
			<false/>
			<key>allowMusicService</key>
			<false/>
			<key>allowPersonalizedHandwritingResults</key>
			<false/>
			<key>allowPodcasts</key>
			<false/>
			<key>allowSpellCheck</key>
			<false/>
			<key>allowProximitySetupToNewDevice</key>
			<false/>
			<key>allowRadioService</key>
			<false/>
			<key>allowPredictiveKeyboard</key>
			<false/>
			<key>allowNotesTranscriptionSummary</key>
			<false/>
			<key>allowSafariSummary</key>
			<false/>
			<key>allowUnpairedExternalBootToRecovery</key>
			<false/>
			<key>allowVideoConferencing</key>
			<false/>
			<key>allowVisualIntelligenceSummary</key>
			<false/>
			<key>allowSharedDeviceTemporarySession</key>
			<false/>
			<key>allowSharedStream</key>
			<false/>
			<key>allowAutoCorrection</key>
			<false/>
			<key>allowRemoteAppPairing</key>
			<false/>
			<key>allowPairedWatch</key>
			<false/>
			<key>allowPassbookWhileLocked</key>
			<false/>
			<key>allowCloudMail</key>
			<false/>
			<key>allowNews</key>
			<false/>
			<key>allowNFC</key>
			<false/>
			<key>allowCloudAddressBook</key>
			<false/>
			<key>allowCloudBackup</key>
			<false/>
			<key>allowCloudCalendar</key>
			<false/>
			<key>allowCloudNotes</key>
			<false/>
			<key>allowCloudBookmarks</key>
			<false/>
			<key>allowCloudKeychainSync</key>
			<false/>
			<key>allowCloudDocumentSync</key>
			<false/>
			<key>allowSpotlightInternetResults</key>
			<false/>
			<key>allowContentCaching</key>
			<false/>
			<key>allowCloudDesktopAndDocuments</key>
			<false/>
			<key>allowGenmoji</key>
			<false/>
			<key>allowMultiplayerGaming</key>
			<false/>
			<key>allowImageWand</key>
			<false/>
			<key>allowMailSmartReplies</key>
			<false/>
			<key>allowManagedAppsCloudSync</key>
			<false/>
			<key>allowMailSummary</key>
			<false/>
			<key>allowiPhoneWidgetsOnMac</key>
			<false/>
			<key>allowiTunes</key>
			<false/>
			<key>allowLockScreenControlCenter</key>
			<false/>
			<key>allowLockScreenNotificationsView</key>
			<false/>
			<key>allowLockScreenTodayView</key>
			<false/>
			<key>allowCloudPrivateRelay</key>
			<false/>
			<key>allowCloudReminders</key>
			<false/>
			<key>allowEnterpriseBookBackup</key>
			<false/>
			<key>allowEnterpriseBookMetadataSync</key>
			<false/>
			<key>allowFindMyFriendsModification</key>
			<false/>
			<key>allowDefinitionLookup</key>
			<false/>
			<key>allowDictation</key>
			<false/>
			<key>allowUniversalControl</key>
			<false/>
			<key>allowImagePlayground</key>
			<false/>
			<key>allowiPhoneMirroring</key>
			<false/>
			<key>allowWritingTools</key>
			<false/>
			<key>allowBookstore</key>
			<false/>
			<key>allowGameCenter</key>
			<false/>
			<key>allowExternalIntelligenceIntegrations</key>
			<false/>
			<key>allowAccountModification</key>
			<false/>
			<key>allowAutoUnlock</key>
			<false/>
			<key>allowStartupDiskModification</key>
			<false/>
			<key>allowPasswordAutoFill</key>
			<false/>
			<key>forceAuthenticationBeforeAutoFill</key>
			<true/>
			<key>safariAllowAutoFill</key>
			<false/>
			<key>allowFindMyDevice</key>
			<false/>
			<key>allowFindMyFriends</key>
			<false/>
			<key>allowUSBRestrictedMode</key>
			<true/>
			<key>allowChat</key>
			<false/>
			<key>allowExplicitContent</key>
			<true/>
			<key>allowRemoteScreenObservation</key>
			<false/>
			<key>allowBookstoreErotica</key>
			<true/>
			<key>forceAssistantProfanityFilter</key>
			<false/>
			<key>forceClassroomAutomaticallyJoinClasses</key>
			<false/>
			<key>forceClassroomRequestPermissionToLeaveClasses</key>
			<false/>
			<key>forceClassroomUnpromptedAppAndDeviceLock</key>
			<false/>
			<key>forceClassroomUnpromptedScreenObservation</key>
			<false/>
			<key>forceDelayedAppSoftwareUpdates</key>
			<false/>
			<key>forceDelayedMajorSoftwareUpdates</key>
			<false/>
			<key>forceDelayedSoftwareUpdates</key>
			<false/>
			<key>allowAppleIntelligenceReport</key>
			<false/>
			<key>forceAirPlayOutgoingRequestsPairingPassword</key>
			<true/>
			<key>forceAirPlayIncomingRequestsPairingPassword</key>
			<true/>
			<key>forceEncryptedBackup</key>
			<true/>
			<key>forceLimitAdTracking</key>
			<true/>
			<key>forceOnDeviceOnlyTranslation</key>
			<true/>
			<key>forceAirPrintTrustedTLSRequirement</key>
			<true/>
			<key>allowAddingGameCenterFriends</key>
			<false/>
			<key>allowAirPrint</key>
			<false/>
			<key>allowAirPrintCredentialsStorage</key>
			<false/>
			<key>allowAirPrintiBeaconDiscovery</key>
			<false/>
			<key>allowAssistantUserGeneratedContent</key>
			<false/>
			<key>allowAssistantWhileLocked</key>
			<false/>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>profile</string>
	<key>PayloadIdentifier</key>
	<string>**********************************</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadUUID</key>
	<string>**********************************</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>TargetDeviceType</key>
	<integer>5</integer>
</dict>
</plist>

@nihil-admirari

Is anyone aware of an in-depth analysis of macOS telemetry?

Germany's Federal Office for Information Security did one for Windows: #287 (comment). Microsoft also provides Diagnostic Data Viewer which allows one to look at the data that was collected.

Doug Leith from Trinity College did analysis on stock Android and iOS: https://www.scss.tcd.ie/doug.leith/pubs/apple_google2.pdf

We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.

macOS apparently transmits tons of data to Apple: https://sneak.berlin/20210202/macos-11.2-network-privacy/. There wasn't an attempt to decrypt it to find out what is transmitted exactly, compared to Windows, Android, and iOS.


friadev commented Apr 9, 2025

Is anyone aware of an in-depth analysis of macOS telemetry?

Germany's Federal Office for Information Security did one for Windows: #287 (comment). Microsoft also provides Diagnostic Data Viewer which allows one to look at the data that was collected.

Doug Leith from Trinity College did analysis on stock Android and iOS: https://www.scss.tcd.ie/doug.leith/pubs/apple_google2.pdf

We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.

macOS apparently transmits tons of data to Apple: https://sneak.berlin/20210202/macos-11.2-network-privacy/. There wasn't an attempt to decrypt it to find out what is transmitted exactly, compared to Windows, Android, and iOS.

On iOS you can easily see the analytics it sends in the settings; I can't find it on macOS, though. It's really nothing of substance, just a bunch of crash reports and random stuff. No personal data or anything from what I can see. It's really very boring. I think if there was anything interesting it definitely would have been reported on by now.


nihil-admirari commented Apr 9, 2025

It's really nothing of substance, just a bunch of crash reports and random stuff. No personal data or anything from what I can see. It's really very boring. I think if there was anything interesting it definitely would be reported on by now.

It was found out and reported, please look at the quote:

The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.

The info was obtained by jailbreaking an iPhone, patching the SSL library to accept any connection as valid, and then decrypting what the iPhone sends to Apple on a MitM proxy, with the iPhone thinking that it's talking to genuine Apple servers. It doesn't show up in the analytics logs.

The same was done to Android. Windows telemetry components were disassembled (if I'm not mistaken). The question is: does anybody know about similar research done on macOS?

Labels: [c] new content (pull requests that add an entirely new article)

5 participants