System Integrity Protection

Last updated
System Integrity Protection
OS X security layers.svg
Security layers present in macOS
Developer(s) Apple Inc.
Initial releaseSeptember 16, 2015;6 years ago (2015-09-16)
Operating system macOS
Included with OS X El Capitan (OS X 10.11) and later
Type Computer security software
Website developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html

System Integrity Protection (SIP, [1] sometimes referred to as rootless [2] [3] ) is a security feature of Apple's macOS operating system introduced in OS X El Capitan (2015) (OS X 10.11). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

Contents

Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. SIP is enabled by default, but can be disabled. [4] [5]

Justification

Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised. [4] Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforce level 1 of securelevel, a security feature that originates in BSD and its derivatives upon which macOS is partially based. [6]

Functions

The "prohibitory symbol" is shown when macOS is not allowed to complete the boot process. This can happen when "kext signing" is enabled and the user installed an unsigned kernel extension. MacOS prohibitory symbol.svg
The "prohibitory symbol" is shown when macOS is not allowed to complete the boot process. This can happen when "kext signing" is enabled and the user installed an unsigned kernel extension.

System Integrity Protection comprises the following mechanisms:

System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an extended file attribute to a file or directory, by adding the file or directory to /System/Library/Sandbox/rootless.conf or both. Among the protected directories are: /System, /bin, /sbin, /usr (but not /usr/local). [8] The symbolic links from /etc, /tmp and /var to /private/etc, /private/tmp and /private/var are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in /Applications are protected as well. [1] The kernel, XNU, stops all processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected executables. [9]

Since OS X Yosemite, kernel extensions, such as drivers, have to be code-signed with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple. [10] The kernel refuses to boot if unsigned extensions are present, showing the user a prohibition sign instead. This mechanism, called "kext signing", was integrated into System Integrity Protection. [4] [11]

System Integrity Protection will also sanitize certain environmental variables when calling system programs when SIP is in effect. For example, SIP will sanitize LD_LIBRARY_PATH and DYLD_LIBRARY_PATH before calling a system program like /bin/bash to avoid code injections into the Bash process. [12]

Configuration

The directories protected by SIP by default include: [13]

/usr is protected with the exception of /usr/local subdirectory. /Applications is protected for apps that are pre-installed with Mac OS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes. [13]

System Integrity Protection can only be disabled (either wholly or partly) from outside of the system partition. To that end, Apple provides the csrutil command-line utility which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk, which adds a boot argument to the device's NVRAM. This applies the setting to all of the installations of El Capitan or macOS Sierra on the device. [4] Upon installation of macOS, the installer moves any unknown components within flagged system directories to /Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/. [1] [4] By preventing write access to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is not available in Disk Utility [14] and the corresponding diskutil operation.

Reception

Reception of System Integrity Protection has been mixed. Macworld expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's mobile operating system iOS, whereupon the installation of many utilities and modifications requires jailbreaking. [2] [15] Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. Ars Technica suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including power users, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it. [1]

See also

Related Research Articles

macOS Operating system for Apple computers

macOS is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and laptop computers it is the second most widely used desktop OS, after Microsoft Windows and ahead of ChromeOS.

macOS Server Server software for macOS

macOS Server, formerly Mac OS X Server and OS X Server, is a discontinued series of Unix-like server operating systems developed by Apple Inc., based on macOS and later add-on software packages for the latter. macOS Server added server functionality and system administration tools to macOS and provided tools to manage both macOS-based computers and iOS-based devices.

Darwin is an open-source Unix-like operating system first released by Apple Inc. in 2000. It is composed of code derived from NeXTSTEP, BSD, Mach, and other free software projects' code, as well as code developed by Apple.

The history of macOS, Apple's current Mac operating system formerly named Mac OS X until 2012 and then OS X until 2016, began with the company's project to replace its "classic" Mac OS. That system, up to and including its final release Mac OS 9, was a direct descendant of the operating system Apple had used in its Macintosh computers since their introduction in 1984. However, the current macOS is a Unix operating system built on technology that had been developed at NeXT from the 1980s until Apple purchased the company in early 1997.

In computing, a loadable kernel module (LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware and/or filesystems, or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded in order to free memory and other resources.

Mac OS X 10.0 First major release of macOS

Mac OS X 10.0 is the first major release of macOS, Apple's desktop and server operating system. Mac OS X 10.0 was released on March 24, 2001 for a price of US$129. It was the successor of the Mac OS X Public Beta and the predecessor of Mac OS X 10.1.

XNU Computer operating system kernel

XNU is the computer operating system (OS) kernel developed at Apple Inc. since December 1996 for use in the Mac OS X operating system and released as free and open-source software as part of the Darwin OS, which is the basis for the Apple TV Software, iOS, iPadOS, watchOS, and tvOS OSes. XNU is an abbreviation of X is Not Unix.

Mac OS X Tiger Fifth major release of Mac OS X

Mac OS X Tiger is the fifth major release of macOS, Apple's desktop and server operating system for Mac computers. Tiger was released to the public on April 29, 2005 for US$129.95 as the successor to Mac OS X 10.3 Panther. Some of the new features included a fast searching system called Spotlight, a new version of the Safari web browser, Dashboard, a new 'Unified' theme, and improved support for 64-bit addressing on Power Mac G5s. Mac OS X 10.4 Tiger offered a number of features, such as fast file searching and improved graphics processing, that Microsoft had spent several years struggling to add to Windows with acceptable performance.

HFS Plus or HFS+ is a journaling file system developed by Apple Inc. It replaced the Hierarchical File System (HFS) as the primary file system of Apple computers with the 1998 release of Mac OS 8.1. HFS+ continued as the primary Mac OS X file system until it was itself replaced with the Apple File System (APFS), released with macOS High Sierra in 2017. HFS+ is also one of the formats used by the iPod digital music player.

These tables provide a comparison of operating systems, of computer devices, as listing general and technical information for a number of widely used and currently available PC or handheld operating systems. The article "Usage share of operating systems" provides a broader, and more general, comparison of operating systems that includes servers, mainframes and supercomputers.

Disk Utility Software for Apple macOS

Disk Utility is a system utility for performing disk and disk volume-related tasks on the macOS operating system by Apple Inc.

Repairing disk permissions is a troubleshooting activity commonly associated with the macOS operating system by Apple. The efficacy of repairing permissions to troubleshoot application errors has been debated.

Hackintosh Non-Apple computer running macOS

A Hackintosh is a computer that runs Apple's Macintosh operating system macOS on computer hardware not authorized for the purpose by Apple. "Hackintoshing" began as a result of Apple's 2005 transition to Intel processors, away from PowerPC. Since 2005, Mac computers use the same x86-64 computer architecture as many other desktop PCs, laptops, and servers, meaning that in principle, the code making up macOS systems and software can be run on alternative platforms with minimal compatibility issues. Benefits cited for "Hackintoshing" can include cost, ease of repair and piecemeal upgrade, and freedom to use customized choices of components that are not available in the branded Apple products. macOS can also be run on several non-Apple virtualization platforms, although such systems are not usually described as Hackintoshes. Hackintosh laptops are sometimes referred to as "Hackbooks".

Mac OS X Snow Leopard Seventh major version of macOS, released in 2009

Mac OS X Snow Leopard is the seventh major release of macOS, Apple's desktop and server operating system for Macintosh computers.

Gatekeeper (macOS)

Gatekeeper is a security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. Gatekeeper builds upon File Quarantine, which was introduced in Mac OS X Leopard and expanded in Mac OS X Snow Leopard. The feature originated in version 10.7.3 of Mac OS X Lion as the command-line utility spctl. A graphical user interface was originally added in OS X Mountain Lion (10.8) but was backported to Lion with the 10.7.5 update.

OS X Mavericks Tenth major release of OS X

OS X Mavericks is the 10th major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh computers. OS X Mavericks was announced on June 10, 2013, at WWDC 2013, and was released on October 22, 2013, worldwide.

OS X El Capitan Twelfth major release of macOS

OS X El Capitan is the twelfth major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh. It focuses mainly on performance, stability, and security. Following the California location-based naming scheme introduced with OS X Mavericks, El Capitan was named after a rock formation in Yosemite National Park. El Capitan is the final version to be released under the name OS X. OS X El Capitan received far better reviews than did Yosemite.

macOS Sierra Thirteenth major release of macOS

macOS Sierra is the thirteenth major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh computers. The name "macOS" stems from the intention to uniform the operating system's name with that of iOS, watchOS and tvOS. Sierra is named after the Sierra Nevada mountain range in California and Nevada. Its major new features concern Continuity, iCloud, and windowing, as well as support for Apple Pay and Siri.

Apple File System (APFS) is a proprietary file system developed and deployed by Apple Inc. for macOS Sierra (10.12.4) and later, iOS 10.3 and later, tvOS 10.2 and later, watchOS 3.2 and later, and all versions of iPadOS. It aims to fix core problems of HFS+, APFS's predecessor on these operating systems. APFS is optimized for solid-state drive storage and supports encryption, snapshots, and increased data integrity, among other capabilities.

macOS Mojave 15th major version of the macOS operating system

macOS Mojave is the fifteenth major release of macOS, Apple Inc.'s desktop operating system for Macintosh computers. Mojave was announced at Apple's Worldwide Developers Conference on June 4, 2018, and was released to the public on September 24, 2018. The operating system's name refers to the Mojave Desert and is part of a series of California-themed names that began with OS X Mavericks. It succeeded macOS High Sierra and was followed by macOS Catalina.

References

  1. 1 2 3 4 Cunningham, Andrew; Hutchinson, Lee (September 29, 2015). "OS X 10.11 El Capitan: The Ars Technica Review—System Integrity Protection". Ars Technica . Retrieved September 29, 2015.
  2. 1 2 Cunningham, Andrew (June 17, 2015). "First look: OS X El Capitan brings a little Snow Leopard to Yosemite". Ars Technica. Retrieved June 18, 2015.
  3. Slivka, Eric (June 12, 2015). "OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance". MacRumors . Retrieved June 18, 2015.
  4. 1 2 3 4 5 Martel, Pierre-Olivier (June 2015). "Security and Your Apps" (PDF). Apple Developer . pp. 8–54. Archived (PDF) from the original on April 23, 2016. Retrieved September 30, 2016.
  5. "Configuring System Integrity Protection". Mac Developer Library. Apple. September 16, 2015. Archived from the original on August 17, 2016. Retrieved September 30, 2016.
  6. Garfinkel, Simon; Spafford, Gene; Schwartz, Alan (2003). Practical UNIX and Internet Security. O'Reilly Media. pp. 118–9. ISBN   9780596003234.
  7. "About the screens you see when your Mac starts up". Apple Support. August 13, 2015. Archived from the original on April 21, 2016. Retrieved September 30, 2016.
  8. "About System Integrity Protection on your Mac". Apple Support. May 30, 2016. Archived from the original on March 20, 2016. Retrieved September 30, 2016.
  9. "What's New In OS X - OS X El Capitan v10.11". Mac Developer Library. Apple. Archived from the original on March 4, 2016. Retrieved September 30, 2016. Code injection and runtime attachments to system binaries are no longer permitted.
  10. "Kernel Extensions". Mac Developer Library. Apple. September 16, 2015. Archived from the original on August 17, 2016. Retrieved September 29, 2016.
  11. "Trim in Yosemite". Cindori. Retrieved June 18, 2015.
  12. Walton, Jeffrey (March 28, 2020). "Nettle 3.5.1 and OS X 10.12 patch". nettle-bugs (Mailing list). Retrieved 13 July 2020.
  13. 1 2 "How to Check if System Integrity Protection (SIP) is Enabled on Mac". OS X Daily. August 1, 2018. Retrieved March 6, 2021.
  14. "OS X El Capitan Developer Beta 2 Release Notes". Mac Developer Library. Apple. June 22, 2015. At section Notes and Known Issues. Archived from the original on June 26, 2015. Retrieved June 29, 2015.
  15. Fleishman, Glenn (July 15, 2015). "Private I: El Capitan's System Integrity Protection will shift utilities' functions". Macworld . Retrieved July 22, 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.