views: 146

answers: 1

Goal: Load a .so/.bundle that has been verified to be signed (or verified against an arbitrary algorithm).

I want to be able to verify a .so/.bundle either using OS X's built-in binary signature tools or some custom algorithm and then load that .so/.bundle with dlopen...

The wrench in this is that there seems to be no programmatic way to check-then-load. One could check the file manually and then load it afterwards; however, there is a window of opportunity within which someone could swap out that file for another.

Since filesystem locks are advisory in OS X, they are not so useful for this purpose.

A:

You can store a sha256sum of the *.so or *.dylib file in the signature. After you've validated the certificate, you can copy the *.so or *.dylib to a random temporary location, and then verify that the copied *.so or *.dylib has the given checksum. If it does, then you can dynamically load the copy. There might still be a small window of opportunity to overwrite the random temporary file, but I imagine it would be quite small. I suppose you could re-verify the checksum after you call dlopen but before you call dlsym. If the checksum doesn't match, then you can call dlclose to unload the library, without executing any functions in it.

Michael Aaron Safyan
dlopen will execute the init functions in a library on load... so code will get executed...
harningt
Right. Good point... Maybe if the library were loaded by a separate process running with a highly restricted set of permissions, and the other process interacted with the library via IPC... Code could be executed, but it wouldn't be able to do much damage.
Michael Aaron Safyan
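The copy-then-check-then-dlopen step from the answer above, written out as an added example (not code from the question or answer). It assumes Python's ctypes.CDLL as the dlopen call, a `loader` parameter so the load can be stubbed, and the function names `copy_and_verify`, `load_verified` and `demo`, all of which are my own; the digest is deliberately computed over the private copy, since hashing the original would reopen the check-then-load window the question describes.

```python
import ctypes
import hashlib
import os
import shutil
import tempfile


class VerificationError(Exception):
    """Raised when the private copy does not match the digest taken from the signature."""


def copy_and_verify(src_path, expected_sha256):
    """Copy the library into a fresh mode-0700 directory, drop its write bit, and
    hash the COPY (not the original). Returns the copy's path on success."""
    private_dir = tempfile.mkdtemp(prefix="verified-lib-")  # mkdtemp creates it 0700
    copy_path = os.path.join(private_dir, os.path.basename(src_path))
    shutil.copyfile(src_path, copy_path)
    os.chmod(copy_path, 0o500)  # read/exec only, even for the owner
    digest = hashlib.sha256()
    with open(copy_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    if digest.hexdigest() != expected_sha256.lower():
        shutil.rmtree(private_dir, ignore_errors=True)
        raise VerificationError("digest mismatch for %s" % src_path)
    return copy_path


def load_verified(src_path, expected_sha256, loader=ctypes.CDLL):
    """Verify first, then dlopen the private copy (ctypes.CDLL calls dlopen). The
    library's initializers run inside loader(), as the comments note, so a mismatch
    must be rejected before this point, not after it."""
    return loader(copy_and_verify(src_path, expected_sha256))


def demo():
    """Self-check on a constructed stand-in (not a real .so); the all-zero digest
    models a file that was swapped after signing."""
    sample = b"\xcf\xfa\xed\xfe constructed stand-in for a Mach-O bundle\n"
    good = hashlib.sha256(sample).hexdigest()
    src = os.path.join(tempfile.mkdtemp(prefix="src-"), "plugin.bundle")
    with open(src, "wb") as f:
        f.write(sample)
    copy_path = copy_and_verify(src, good)
    with open(copy_path, "rb") as f:
        copy_matches = f.read() == sample
    try:
        copy_and_verify(src, "0" * 64)
        rejected = False
    except VerificationError:
        rejected = True
    # loader swapped for the identity function so nothing is actually dlopen'ed here
    loaded_path = load_verified(src, good, loader=lambda p: p)
    return {"copy_matches": copy_matches, "copy_is_private": copy_path != src,
            "rejected_bad_digest": rejected, "loaded_from_copy": loaded_path != src}
```

The residual window the answer mentions is now limited to the 0700 directory, i.e. to processes already running as the same user; the check itself no longer races against the original file.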