Mac Run Apps In Sandbox

What is a “sandbox”?¶

Sandboxing is a technique for confining the execution environment of untrusted programs and processes. In the context of Adobe’s PDF products, an ‘untrusted program’ is any PDF and the processes it invokes. With sandboxing enabled, Acrobat and Reader assume all PDFs are potentially malicious and confines any processing they invoke to the sandbox.

Sandboxes are typically used when data (such as documents or executable code) arrives from an untrusted source. A sandbox limits, or reduces, the level of access its applications have. For example, creating and executing files and modifying system information such as certain registry settings and other control panel functions are prohibited. If a process P runs a child process Q in a sandbox, then Q’s privileges would typically be restricted to a subset of P’s. For example, if P is running on a system, then P may be able to look at all processes on the system. Q, however, will only be able to look at processes that are in the same sandbox as Q. Barring any vulnerabilities in the sandbox mechanism itself, the scope of potential damage caused by a misbehaving Q is reduced.

Sandbox features¶

Acrobat products leverage several types of sandboxes:

Sandbox support in Acrobat products

Sandbox

Product

OS

Lockable?

Protected View

Acrobat and Reader

Windows

Yes

Protected Mode

Acrobat and Reader

Windows

Yes

AppContainer

Acrobat and Reader

Windows

Yes

Note

Acrobat begins support for Protected Mode late spring 2020 via a phased rollout. A small number of users may see the PM option for Acrobat during this time. Wider deployment will appear through the summer.

As a bonus, users will also be able to access a much larger library of apps. “Mac users can for the first time run iOS and iPadOS apps on the Mac,” Apple CEO Tim Cook said. Sandboxie is not available for Mac but there is one alternative that runs on macOS with similar functionality. The most popular Mac alternative is Cuckoo Sandbox, which is both free and Open Source. If that doesn't work for you, our users have ranked 12 alternatives to Sandboxie, but unfortunately only one is available for Mac.

User interface configuration¶

Admins can configure the setting pre or post deployment, lock the feature so that end users cannot change application behavior, or control the features via the user interface:

  1. Go to Edit > Preferences > Security (Enhanced) > Sandbox protections.

  2. Toggle the feature controls as needed.

Sandbox protections user interface

Protected View¶

Protected View (PV) is a highly secure, read-only mode for Windows that blocks most actions until the user decides whether or not to trust the document. Adobe strongly recommends that you use Acrobat in Protected View if you are concerned about security or frequently interact with PDFs on the Internet.

The experience should be familiar to Microsoft Office users: simply choose whether or not to trust a document from the yellow message bar. Admins also have a variety of configuration options.

Note

Protected View is only available when Protected Mode is enabled.

Standalone product vs browser functionality

Feature

Standalone

Browser

Drag-drop PDFs to the reading or navigation pane

No

No

Printing

No

No

Advanced Printing

No

No

Saving

No

No

Pan and Zoom

No

No

Loupe Tool

No

No

Reading mode

No

Yes

Full screen mode

No

No

Configuration¶

The following features are available:

  • Enabling and disabling via the UI

  • Enabling and disabling via the registry

  • Locking the setting

  • Preconfiguring trust for certain PDFs

Registry configuration¶

You can configure the feature prior to deployment manually or via the Customization Wizard. The basic setting is:

For more preference detail, see the Preference Reference.

Registry preferences

Preference

Lockable?

Summary

iProtectedView

Yes

Specifies whether to use Protected View never (default), for files from an untrusted location (recommended), or always.

bEnableAlwaysOutlookAttachmentProtectedView

No

Specifies whether Protected View is disabled for Outlook attachments.

Trusting PDFs¶

As described in Trust Methods, there are several ways to assign trust so that PDFs are exempt from Protected View:

  • Users can trust documents on-the-fly when the PDF opens: When the Yellow Message Bar appears, choose Enable All Features.

  • Create a privileged location via the UI for the file, folder, or host.

  • Deploy or set privileged location via the registry via any method

  • Choose Trust sites from my Win OS security zones. Trust is assigned when PV is set to Potentially Unsafe locations. When PV is set to All Files, then OS trusted sites are not trusted and PDFs do not open outside of PV.

Verifying PV is enabled¶

There are three ways to verify PV is enabled:

  • Check the UI: Choose Edit > Preferences > Enhanced Security.

  • Open a PDF in the standalone application. PV is enabled if a Yellow Message Bar appears with a PV message.

  • Open a PDF in a browser and then:

  1. Right click on the document.

  2. Choose Document Properties > Advanced tab. When Protected Mode or View is invoked, the status will be Protected Mode: On.

Protected view FAQs¶

When should Protected View be disabled?

Protected View should be enabled all the time for casual users who interact with PDFs in unsecure environments. There are a limited number of cases where you might want to disable Protected View:

  • In enterprise settings where PDF workflows are entirely confined to trusted environments under an administrator’s control.

  • If you have third-party or custom plugins that cause issues when running in Protected View. For example, some workflows that use ActiveX plugins may not work by default.

How many processes should be running when I use Protected View?

Open the process explorer or task manager. When in Protected View, two AcroRd32.exe processes will be running alongside the Acrobat.exe process. More processes may appear depending on the number of browser instances you have viewing a PDF, invoked shell extensions, etc.

Protected View: processes

Protected Mode¶

Note

Protected Mode is gradually being extended via a phased rollout to Acrobat’s DC/Continuous track beginning June, 2020. Classic track versions will likely see similar support later this year.

Protected Mode (PM) is specifically designed for use on Windows. It transparently protects users against attacks by sandboxing application processes. The sandbox leverages the operating system’s security controls, and processes execute under a “principle of least privileges.” Thus, processes that could be subject to an attacker’s control run with limited capabilities and must perform actions such as reading and writing through a separate, trusted process. This design has two primary effects:

  • All PDF processing such as PDF and image parsing, JavaScript execution, and 3D rendering happens in the sandbox and are subject to its limits; for example, processes cannot access other processes.

  • Processes that need to perform some action outside the sandbox boundary must do so through a trusted proxy called a “broker process.”

While different users will have different security needs, casual PDF users in unsecure environments should enable Protected Mode all the time. There are a limited number of cases where you might want to disable Protected Mode:

  • When you want to use an unsupported feature.

  • In enterprise settings where PDF workflows are entirely confined to trusted environments under an administrator’s control.

  • If you have third-party or custom plugins that cause issues when running in Protected Mode. For example, some workflows that use ActiveX plugins may not work by default.

Note

Acrobat begins support for Protected Mode late spring 2020 via a phased rollout. A small number of users may see the PM option for Acrobat during this time. Wider deployment will appear through the summer.

Configuration¶

You can configure the feature prior to deployment manually or via the Customization Wizard. The basic setting is:

For more preference detail, see the Preference Reference.

Registry preferences

Preference

Lockable?

Summary

bProtectedMode

Yes

Enables Protected Mode which sandboxes processes.

bUseWhitelistConfigFile

Yes

Allows the user of policy whitelist to allow behavior that Protected Mode would otherwise prevent.

tBrokerLogfilePath

No

Specifies the path and log file name for the Protected Mode log.

tHostWhiteList

No

Specifies whether to show an dialog asking whether to navigate to an URL when Protected Mode is enabled.

Trust overrides¶

None. PM is designed to protect users transparently and without impacting other features.

Logging setup¶

Logging helps you troubleshoot problems when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.

In addition to enabling logging via the UI (above), you can turn on logging and configure a log file location via the registry.

To enable logging, specify a log file location:

  1. Go to HKEY_CURRENT_USERSoftwareAdobe(productname)(version)Privileged.

  2. Right click and choose New > REG_SZ Value.

  3. Create tBrokerLogfilePath.

  4. Right click on tBrokerLogfilePath and choose Modify.

  5. Set the value. For example: C:DOCUME~1<username>LOCALS~1TempBrL4FBA.tmp.

Policy logging for a policy violation:

Verifying PM is enabled¶

There are two ways to verify if Protected Mode is enabled:

  • Open the process explorer or task manager. When protected mode is on, two processes run.

  • When a file is open, choose File > Properties > Advanced tab and view the Protected Mode status. When Protected Mode is enabled, the status will be Protected mode: On.

PM and shell extensions¶

While Protected Mode can be disabled for PDFs viewed with the product, Adobe continues to protect you when 3rd party software invokes a process; that is, Protected Mode sandboxing cannot be disabled for shell extensions. For example, when you use Windows Explorer to preview a PDF in the Preview Pane, it starts a process to display the preview. In such cases, the Task Manager shows that two AcroRd32.exe or Acrobat.exe processes spawn and that the operation is occurring with Protected Mode enabled.

Policy configuration¶

Protected mode prevents a number of actions which IT can bypass by creating a white list of allowed actions. Best todo app ios. The component that reads these policies is called a “broker.” The broker performs actions based on those policies, and when an admin provides a properly configured policy file, the broker can bypass the application’s default restrictions.

The broker first reads and applies all custom policies prior to applying the default policies. Since custom policies take precedence, they are useful for fixing broken workflows, supporting third party plug-ins, etc.

Configurable policies have two requirements:

  • They must reside in the product install directory adjacent to AcroRd32.exe or Acrobat.exe in the install folder. for example: D:ProgramFiles(x86)Adobe(version)(productname)

  • The name of the policy file must be ProtectedModeWhitelistConfig.txt.

Default read policy¶

The sandboxed exe process only has read access to those files and folders under the %USERPROFILE% for the following:

  • The correct functioning of the product; for example %appdata%AdobeAcrobat(version)*.

  • PDFs explicitly opened by the user via the File Open dialog or double-clicking.

While %USERPROFILE% is protected, the actual implementation is not based on folder names but rather on the ACL (access control entry) of the folders. Any folder or file that grants Everyone or BUILTINUsers groups read access is not protected with read-restrictions. Other folders such as the per-user profile folder that don’t grant such an access are protected. Note that many user-account protected network shares don’t grant access to everyone. So, again, those would be protected.

The read policy includes the new FILES_ALLOW_READONLY rule that works just like the FILES_ALLOW_ANY rule, but grants read-only access to a specific path. Admins can use the FILES_ALLOW_READONLY rule of the config policy to grant read-only access to certain areas of the user’s disk.

Enabling custom policies¶

To allow the application to read and use a policy file, registry configuration is required. To enable policy files:

  1. Go to HKEY_LOCAL_MACHINESOFTWAREPoliciesAdobe(productname)(version)FeatureLockDown.

  2. Right click and choose New > DWORD Value.

  3. Create bUseWhitelistConfigFile.

  4. Right click on bUseWhitelistConfigFile and choose Modify.

  5. Set the value to 1 to enable the white list.

Creating policies¶

Once you’ve enabled policies as described in Enabling custom policies, you can write and deploy a policy file. A policy file is a set of policy-rules. There can be one per line, empty lines, or full-line comments that begin with a semi-colon. Each policy rule (one on each line) has the format:

Pattern strings denote file names, registry locations, exe paths, etc. These strings support the following:

  • *: Matches zero or more characters. Only one in series allowed. For example:

    • FILES_ALLOW_ANY = c:temp

    • REG_ALLOW_ANY = HKEY_CURRENT_USERSoftware(SomeProgram)

    • SECTION_ALLOW_ANY = imejp

  • ?: Matches a single character. One or more in a series are allowed.

  • Environment variables: For example, %SystemRoot% could be used in:

Adobe-provided policy rules include those shown below.

Protected mode policy rules

Policy rule

Description

FILES_ALLOW_ANY

Allows open or create for any kind of access that the file system supports.

FILES_ALLOW_DIR_ANY

Allows open or create with directory semantics only.

REG_ALLOW_ANY

Allows read and write access to a registry key.

PROCESS_ALL_EXEC

Allows the creation of a process and return fill access on the returned handles.

NAMEDPIPES_ALLOW_ANY

Allows creation of a named pipe.

EVENTS_ALLOW_ANY

Allows the creation of an event with full access.

MUTANT_ALLOW_ANY

Allows creation of a mutant with full access (MUTANT_ALL_ACCESS)

SECTION_ALLOW_ANY

Allows creation/opening of a section with full access

FILES_ALLOW_READONLY (11.0 and later)

Allows read access to a specific path.

BROWSE_FOLDER_FILE_ANY (Acrobat only)

Allows whitelisting of files with specific extensions in BrowseFolder dialog. For example: BROWSE_FOLDER_FILE_ANY=*.xls whitelists all .xls the files when the user is browsing using Choose Folder dialog.

Policy configuration file

3rd party plugin support¶

New June 2020: To ensure that changes in policy files aren’t overwritten by other vendors, Acrobat and Reader allow plugins to use individual custom policy files. The new policy files adhere to same format and syntax as existing policy files.

To create a policy configuration file for specific vendor (file extension):

  1. Create a new policy config text file in Acrobat’s installation folder where Acrobat.exe resides.

  2. Configure registry entries which point to the new file:

    1. Open HKEY_LOCAL_MACHINESOFTWAREPoliciesAdobeAcrobat Acrobat<Track>FeatureLockDown

    2. Create a new key: cProtectedModeConfigFiles

    3. For each custom policy file, create a new sub key with the plugin name, data type of REG_SZ, and the name of your policy file.

Using 3rd party JS editors¶

When Protected Mode is enabled, you can only use Acrobat’s internal JS editor or Notepad or Notepad++. To whitelist other editors, set cJSEditor:

  1. Open HKEY_LOCAL_MACHINESOFTWAREPoliciesAdobeAcrobat Acrobat<Track>FeatureLockDown.

  2. Create a new key: cJSEditor with a data type of REG_SZ

  3. Set the value to the program path. For example, user C:ProgramFilesyourapp.exe.

You cannot use the UI to specify a JS editor.

Protected Mode dialogs¶

Read-warning dialogs

Protected Mode should be transparent to users, but there are some confirmation dialogs which appear under certain scenarios such as when the app needs to read arbitrary files. These files include files that were neither explicitly opened by the user nor required by the app to store its preferences and so weren’t white-listed for access. In such cases, the broker is forced to check with the user before granting the Protected Mode sandbox read access to those files.

A confirmation dialog is shown for the following cases:

  • When the user clicks a link in a PDF that points to another PDF on the user’s disk (“interdoc PDF link”). Note that this is not applicable for internet links (where a different dialog is already shown), but only to links to PDFs on the local disk.

  • When the PDF has a multimedia annotation references a media file kept at a read-restricted location on the user’s disk or a network share.

  • When a PDF tries to access data from an FDF file kept at a read-restricted location on the user’s disk or a network share.

  • When an FDF or XFDF is opened and it tries to reference a PDF file kept at a read-restricted location on the user’s disk or a network share.

  • When the user tries to open a review from the review tracker.

  • When a file on disk is being accessed without user consent.

Note that dialogs rarely appear in the browser since read warnings are associated with access to the user’s disk or network share. For example, in a browser context, access to a FDF or PDF in cases such as those above occur on an HTTP(S) server, and so will not be impacted. Also, most “interdoc PDF links” in online PDFs refer to other online PDFs rather than a user’s machine or network share.

Search-warning dialogs

It is impossible to securely support the index search and the app’s desktop search features via Edit > Advanced Search > Show more options with read-restrictions enabled. So if the user tries to use any of the following features, a warning is thrown: “The operation you are trying to perform potentially requires read access to your drives. Do you want to allow this operation?”.

If the user allows the operation, read-restrictions are temporarily disabled while that process is running. In this case, Protected Mode is ON, but it will temporarily grant the sandbox read access to all of the user’s files. Once the user restarts the app process, Protected Mode read-restrictions will again be in place. The idea is that rather than having the user turn Protected Mode completely off to use these index-search or desktop-search features, it is better to turn off just read-restrictions temporarily.

Calendar free app mac. The dialog appears in the following scenarios:

  • When the user tries to open an index (PDX) file.

  • When the user tries to search inside an already selected or shelved index, inside a folder, or in an index linked to a PDF.

FAQs¶

What configurations are not supported?

For a current list of issues, see http://helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader.html.

Is Windows Terminal Services supported?

Yes.

What is the difference between Microsoft’s Application Virtualization Sandbox technology and Protected Mode?

Sandboxing leverages the Operating System’s security model to sandbox an application. Virtualization uses another software program to segregate the application from the host operating system. With virtualization, there is overhead associated with managing and patching the OS and the application separately and there is also the performance impact of rendering the application in a virtualized environment. For more information please refer to our technical blog posts.

What is the difference between Protected Mode in Microsoft IE browser and Protected Mode?

The sandbox we have implemented is more effective at mitigating threats in applications on desktop windows than just running a process at low integrity. While our sandbox runs at a low integrity, it is a much more constrained computing environment. For more information please refer to our technical blog posts.

What effect does Protected Mode have on a PDF viewed in Citrix?

Citrix is supported.

What is the percentage increase in memory footprint because of Protected Mode?

Very little.

Will Protected Mode have any effect on viewing LC Reader-Extended PDFs?

It should work fine out of the box.

Is there any special status for certified documents so that one can disable Protected Mode only with certified documents?

No.

Mac Run Apps In Sandbox Free

Can the security policies for the broker be configured through Customization Wizard or downloaded from a server?

No. Custom policies should be tailored to meet your business requirements and deployed by an administrator.

Are there any unforeseen major issues with the rich PDF types containing content e.g. interactive multimedia, geo, and 3D?

Not many. The feature is designed to be transparent.

Do plug-ins have read and write permissions to things like config files that maybe stored on the user’s system?

Plug-ins will not be able to write log files to non-whitelisted locations. They can continue to write logs to the Temp directory (as returned by GetTempPath() Windows API or equivalent Acrobat API). Another white-listed location is the app’s own Appdata area.

Does the Protected Mode impair a PDF’s ability to access trusted web sites?

No.

If multiple PDFs are open (either standalone or within the browser), is the number of spawned processes the same?

Yes. There will only be two processes. However, if PDFs are open in both the browser and standalone application, one process pair are used for each.

Can my plug-in create and update a preference file in the ``%appdata%AdobeAcrobat(version)Preferences`` directory?

Yes, the app allows writing to these type of locations.

Will plug-ins that access web services via an URL work?

Yes.

Will Protected Mode affect the functioning of URLs in a PDF?

No.

Do shell extensions work in the app ?

Shell extensions run inside a sandbox when the app is the default owner of PDFs. The shell extensions we support include Thumbnails, Properties, Preview, and they all operate as usual except that they will run sandboxed.

Is PM a pure whitelisting mechanism to allow/deny access to the OS, or is it a mix of blacklisting and whitelisting policies working together in the broker?

Both.

If the app needs to make OS calls through the broker, is there additional overhead (such as more threads) which has a performance impact?

There are no additional threads.

What if I inadvertently kill one of the processes?

Killing any of the processes closes the app.

When custom policies fail for certain workflows, what are the options other than disabling Protected Mode?

One option is to add custom policies to bypass protected mode restrictions.

Can plug-in developers write their own broker?

Yes, plug-in developers can write their own broker using the Acrobat SDK.

Do the Broker and the Sandbox processes share both the WindowStation and the Desktop?

Yes.

AppContainer¶

Microsoft Windows provides an application-level sandbox called the “AppContainer”. Like the app’s Protected View and Protected Mode, the AppContainer sandbox blocks application processes from writing and reading outside of its boundaries. Both Acrobat and Reader leverage the AppContainer’s security features.

The AppContainer requires Protected Mode is enabled, and both are designed to be transparent to end users. Together these provide multiple layers of protection from malicious attacks that might try to access your system and data. Like Protected Mode, AppContainer has an HKCU preference as well as an HKLM preference which you can lock.

Note

All tracks of Acrobat and Reader support AppContainer.

Mac

Configuration¶

You can configure the feature prior to deployment manually or via the Customization Wizard. The basic setting is:

For more preference detail, see the Preference Reference.

Registry preferences

Preference

Lockable?

Summary

bEnableProtectedModeAppContainer

Yes

Specifies whether to enable the AppContainer sandbox.

The App Sandbox, originally introduced in Mac OS X Leopard as “the Seatbelt”, is a macOS security feature modeled after FreeBSD’s Mandatory Access Control (left unabbreviated for clarity) that serves as a way to restrict the abilities of an application beyond the usual user- and permission-based systems that UNIX offers. The full extent of the capabilities the sandbox manages is fairly broad, ranging from file operations to Mach calls, and is specified in a custom Scheme implementation called the Sandbox Profile Language (SBPL). The sandbox profiles that macOS ships with can be found in /System/Library/Sandbox/Profiles, and while their format is technically SPI (as the header comment on them will tell you) there is fairly extensive third-party documentation. The implementation details of sandboxing are not intended to be accessed by third-party developers, but applications on Apple’s platforms can request (and in some cases, such as new applications distributed on the Mac App Store and all applications for Apple’s embedded platforms, must function in) a sandbox specified by a fixed, system-defined profile (on macOS, application.sb). Barring a few exceptions (which usually require additional review and justification for their use) this system-provided sandbox provide an effective way to prevent applications from accessing user data without consent or performing undesired system modifications.

In January I discovered a flaw in the implementation of the sandbox initialization procedure on macOS that would allow malicious applications distributed through the Mac App Store to circumvent the enforcement of these restrictions and silently perform unauthorized operations, including actions such as accessing sensitive user data. Apple has since implemented changes in the Mac App Store to address this issue and the technique outlined below should no longer be effective.

Sandbox initialization on macOS

Sandboxing is enforced by the kernel and present on both macOS and Apple’s iOS-based operating systems, but it is important to note that third party code is not required to run in a sandbox on macOS. While the use of the platform sandbox is mandatory for third-party software running on embedded devices, on Macs it is rarely used by applications distributed outside of the Mac App Store; even on the store there are still a couple of unsandboxed applications that have been grandfathered into being allowed to remain for sale as they were published prior to the 2012 sandboxing deadline. A lesser known, but likely related fact is that processes are not born sandboxed on macOS: unlike iOS, where the sandbox is applied by the kernel before the first instruction of a program executes, on macOS a process must elect to place itself into the sandbox using the “deprecated” sandbox_init(3) family of functions. These themselves are wrappers around the __sandbox_ms function, an alias for __mac_syscall from libsystem_kernel.dylib in /usr/lib/system. This design raises an important question: if a process chooses to place itself in a sandbox, how does Apple require it for apps distributed through the Mac App Store?

Experienced Mac developers already know the answer: Apple checks for the presence of the com.apple.security.app-sandbox entitlement in all apps submitted for review, and its mere existence magically places the process in a sandbox by the time code execution reaches main. But the process isn’t actually magic at all: it’s performed by a function called _libsecinit_initializer inside the library libsystem_secinit.dylib, also located at /usr/lib/system:

_libsecinit_initializer calls _libsecinit_appsandbox, which (among other things) copies the current process’s entitlements, checks for the com.apple.security.app-sandbox in them, and calls __sandbox_ms after consulting with the secinitd daemon. So this answers where the sandbox is applied, but doesn’t explain how: for that, we need to look inside libSystem.

libSystem is the standard C library on macOS (see intro(3) for more details). While it vends system APIs, by itself it does very little; instead, it provides this functionality by re-exporting all the libraries inside of /usr/lib/system:

Like most standard libraries, the compiler will automatically (and dynamically) link it into your programs even if you don’t specify it explicitly:

When a program is started, the dynamic linker will ensure that libSystem’s initializer functions are called, which includes the function that calls _libsecinit_initializer. As dyld ensures that libSystem’s initializer is run prior to handing off control to the app’s code, this ensures that any application that links against it will have sandboxing applied to it before it can execute its own code.

Bypassing sandbox initialization

As you may have guessed, this process is problematic. In fact, there are actually multiple issues, each of which allows an application with the com.apple.security.app-sandbox entitlement to bypass the sandbox initialization process.

dyld interposing

dyld interposing is a neat little feature that allows applications to tell the dynamic linker to “interpose” an exported function and replace it with another by including a special __DATA,__interpose section in their binary. Since _libsecinit_appsandbox is exported by libsystem_secinit.dylib so that it can be called by libSystem, we can try interposing it with a function that does nothing:

When interposing was first introduced, it would only be applied when a library was preloaded into a process using the DYLD_INSERT_LIBRARIES environment variable. However, on newer OSes this functionality has been improved to work for any linked libraries as well, which means all we have to do to take advantage of this feature is put this code in a framework and link against it in our main app. Since interposing is applied before image initializers we will be able to prevent the real _libsecinit_initializer from running and thus __sandbox_ms being called. Success!

As this technique allowed an application that appears to be sandboxed (possessing the com.apple.security.app-sandbox entitlement) to interfere with its own initialization process, I reported this issue to Apple on January 20th and explained that such an app might be able to be submitted to the App Store and get past app review. On March 19th, I received a reply from Apple stating that App Store applications are prevented from being interposed, which was news to me. Apparently right after I submitted my original report Apple added an additional check in dyld, one so new that it’s still not in any public sources:

While the dyld source for configureProcessRestrictions only shows five flags being read from amfi_check_dyld_policy_self, the binary clearly checks a sixth: 1 << 6. (configureProcessRestrictions has been inlined here into its caller, dyld::_main.) I still do not know what its real name is but it’s used later in dyld::_main to control whether interposing is allowed. This means we can’t interpose _libsecinit_initializer–we’ll have to prevent it from from being called instead.

Update, 6/10/19

With the code to dyld released, we can see that the flag is called AMFI_DYLD_OUTPUT_ALLOW_LIBRARY_INTERPOSING. Interestingly, there are some applications that are exempted from the check in AMFI’s macos_dyld_policy_library_interposing, meaning that they are still susceptible to this issue:

Static linking

Linking against libSystem causes dyld to call _libsecinit_initializer, so it’s logical to try to avoid having anything to do with dyld at all. This is fairly strange to do on macOS, as it does not have a stable syscall interface, but with the right set of compiler flags we can make a fully static binary that needs to no additional support to run.

Fun fact

We know that this must be possible because Go used to do it, until they got tired of new versions of macOS breaking everything and gave up trying to make system calls themselves. Go programs as of Go 1.11 now use libSystem.

Unfortunately, macOS does not ship with a crt0.o that we can statically link, so using just the -static flag does not work:

But if we’re jettisoning the standard library, we might as well get rid of the C runtime as well, defining our own start symbol:

No dyld means no code that can arrange a call _libsecinit_initializer, so we’re free to do whatever we like without restriction. However, not having libSystem and dyld to support us means we cannot use dynamic linking and need to make raw system calls for everything, which is a bit of a pain. One way to resolve this would be to keep the unsandboxed code short–just a couple of calls to acquire a handle on restricted resources–then stash that away before execveing a new dynamically linked binary, restoring the process to a sane state. When responding to Apple with a new sample program based on this idea, I simply opened a file descriptor for the home directory (you can locate the directory without any syscalls by pulling the current username from the apple array on the stack during process initialization) and then once that succeeds executed an inner binary. The new file descriptor was preserved for across the execve call and became accessible to the inner application, even though that one was dynamically linked and had the sandbox applied to it as usual.

Dynamically linking against nothing

Statically linking works, but it’s somewhat inconvenient: either you perform the work of the dynamic linker yourself if you want to do anything non-trivial, or you execve a new binary. It’s actually worse than that though, because there’s an additional complication: executing a new binary causes a hook in the AppleMobileFileIntegrity kernel extension to run, and when System Integrity Protection is enabled this hook (for reasons unknown to me) checks to see if the process has a valid dyld signature:

The strange pointer arithmetic and mask is really a check for CS_DYLD_PLATFORM, which the comment helpfully states is set if the “dyld used to load this is a platform binary”. Since we didn’t use dyld at all, this isn’t set and we can’t execve. While malicious applications willing to do a bit of work can still “fix” their process without blowing it away, I figured I might as well figure out a way to construct a new one.

Since the hook wants us to have a valid dyld, we should probably just link dynamically. As we mentioned before, this makes the compiler automatically bring in libSystem (and with it, the libsystem_secinit.dylib initializers), which we don’t want. I couldn’t find out a way to get the linker to not automatically insert the load command for libSystem, but we can get essentially the same result by modifying the binary ourselves afterwards to delete that specific command. I found a Mach-O editor online that was slightly crashy but worked well enough for this purpose. Unfortunately, removing the load command isn’t enough: dyld specifically checks for libSystem “glue” before running our code, and as we don’t have a libSystem at all it aborts execution.

However, there’s one way around this: if we use a LC_UNIXTHREAD rather than a LC_MAIN load command, dyld will pass execution to us without checking for libSystem (as it thinks we have linked against crt1.o instead). Both load commands specify the entrypoint of the executable, but LC_MAIN is the “new” way of doing so. LC_UNIXTHREAD specifies the entire thread state, but LC_MAIN only points to the “entry offset” where code execution should begin–the linker sets this to where main is, unless you’ve used -e to change it. The compiler uses it for dynamically linked binaries because it expects libSystem to set all the thread state prior to calling the entrypoint function.

Mac Run Apps In Sandbox

The linker flag -no_new_main tells the linker to use LC_UNIXTHREAD instead of LC_MAIN for dynamically linked executables, but it has been silently ignored for years (apparently, this has something to do with rdar://problem/39514191). This means to generate the binary we’ll have to go back in time and download an old toolchain that accepts this flag. The one that Xcode 5.1.1 ships with does nicely.

Fun fact

I have a friend who refers to Xcode 5.1.1 as “the good toolchain” because it supports everything.

Once we use that to create a binary, upon running it we have a valid dyld in our process and unsandboxed code execution so we can just continue as we did in the statically linked case, as this will satisfy AMFI’s checks.

Final thoughts

I submitted the final example to Apple just before the initial 90-day disclosure deadline of April 20th, and when they requested an extension to work on the new information I provided them with an additional 30 days. Apple says it has made changes in the Mac App Store to address this issue during that period, and although I don’t really have a good way to check if or how the change works I would guess that it simply looks for and rejects applications using techniques similar to the ones described above.

Mac Run Apps In Sandbox Games

dyld is a fairly complicated system and it has many useful features, but these features along with the fact that it runs in-process makes it nontrivial to protect against control flow subversion early in the initialization process. Applying sandboxing in the kernel itself, as iOS does, is probably a better solution in the long run, as the bugs I found here were fairly straightforwards and exploited logic errors rather than undefined behavior in the language. Perhaps we will see such a change in the future.

Mac Run App In Sandbox

The code I submitted to Apple to demonstrate the issue is available online.

Mac Run Apps In Sandbox Mode

Timeline

  • 1/20/20: Initial disclosure of library interposing bypass to Apple
  • 1/22/20: Acknowledgment of submission by Apple
  • 1/28/20: Request for status update after recent updates did not resolve the issue
  • 1/29/20: Response from Apple that they were still investigating
  • 2/26/20: Request for update and affirmation of 90-day disclosure timeline
  • 2/28:20: Response from Apple that they were still looking into the issue
  • 3/19:20: Email from Apple stating that Mac App Store applications cannot be interposed
  • 3/20/20: Submission of statically linked application to avoid interposing
  • 3/23/23: Acknowledgement of the new information
  • 4/14/20: Submission of dynamically linked application to bypass execve limitation
  • 4/17/20: Request for more time from Apple to analyze the new submission
  • 4/19/20: Disclosure deadline extended by 30 days to May 20th
  • 4/20/20: Confirmation and appreciation for the extension
  • 5/13/20: Request for an update on progress
  • 5/15/20: Confirmation that a change had been implemented in Mac App Store
  • 5/20/20: Expiration of discretionary disclosure extension