HOME

TheInfoList



Click Here for Items Related To - System Integrity Protection
OR:
System Integrity Protection on:   [Wikipedia]   [Google]   [Amazon]

System Integrity Protection (SIP, sometimes referred to as rootless) is a security feature of
Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple trees are cultivated worldwide and are the most widely grown species in the genus '' Malus''. The tree originated in Central Asia, where its wild ances ...
's
macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac (computer), Mac computers. Within the market of ...
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ef ...
introduced in
OS X El Capitan OS X El Capitan ( ) () is the twelfth major release of macOS (named OS X at the time of El Capitan's release), Apple Inc.'s desktop and server operating system for Macintosh. It focuses mainly on performance, stability, and security. Followi ...
(2015) (OS X 10.11). It comprises a number of mechanisms that are enforced by the
kernel Kernel may refer to: Computing * Kernel (operating system), the central component of most operating systems * Kernel (image processing), a matrix used for image convolution * Compute kernel, in GPGPU programming * Kernel method, in machine lea ...
. A centerpiece is the protection of system-owned
files File or filing may refer to: Mechanical tools and processes * File (tool), a tool used to ''remove'' fine amounts of material from a workpiece **Filing (metalworking), a material removal process in manufacturing ** Nail file, a tool used to gent ...
and
directories Directory may refer to: * Directory (computing), or folder, a file system structure in which to store computer files * Directory (OpenVMS command) * Directory service, a software application for organizing information about a computer network's ...
against modifications by processes without a specific "entitlement", even when executed by the
root user In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of t ...
or a user with
root privileges In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of th ...
(
sudo sudo ( or ) is a program for Unix-like computer operating systems that enables users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as that was all it did, and it ...
). Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single
user account A user is a person who utilizes a computer or network service. A user often has a user account and is identified to the system by a username (or user name). Other terms for username include login name, screenname (or screen name), accoun ...
on which that user is also the administrator. SIP is enabled by default, but can be disabled.


Justification

Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the
WWDC The Worldwide Developers Conference (WWDC) is an information technology conference held annually by Apple Inc. The conference is usually held at Apple Park in California. The event is usually used to showcase new software and technologies in t ...
developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted
root access In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of th ...
as one of the remaining weaknesses of the system, saying that " nypiece of malware is one password or
vulnerability Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised. Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to
Mac OS X Leopard Mac OS X Leopard (version 10.5) is the sixth major release of macOS, Apple's desktop and server operating system for Macintosh computers. Leopard was released on October 26, 2007 as the successor of Mac OS X 10.4 Tiger, and is available in two ...
enforce of
securelevel securelevel is a security mechanism in *BSD kernels, which can optionally restrict certain capabilities. Securelevel is controlled by the sysctl variable kern.securelevel. This value is an integer, which when set to a value > 0 enables certain cla ...
, a security feature that originates in
BSD The Berkeley Software Distribution or Berkeley Standard Distribution (BSD) is a discontinued operating system based on Research Unix, developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Be ...
and its derivatives upon which macOS is partially based.


Functions

System Integrity Protection comprises the following mechanisms: * Protection of contents and
file-system permissions Most file systems include attributes of files and directories that control the ability of users to read, change, navigate, and execute the contents of the file system. In some cases, menu options or functions may be made visible or hidden depending ...
of system files and directories; * Protection of processes against
code injection Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. The res ...
, runtime attachment (like
debugging In computer programming and software development, debugging is the process of finding and resolving ''bugs'' (defects or problems that prevent correct operation) within computer programs, software, or systems. Debugging tactics can involve in ...
) and
DTrace DTrace is a comprehensive dynamic tracing framework originally created by Sun Microsystems for troubleshooting kernel and application problems on production systems in real time. Originally developed for Solaris, it has since been released unde ...
; * Protection against unsigned kernel extensions ("kexts"). System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an extended file attribute to a file or directory, by adding the file or directory to or both. Among the protected directories are: , , , (but not ). The symbolic links from , and to , and are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in are protected as well. The
kernel Kernel may refer to: Computing * Kernel (operating system), the central component of most operating systems * Kernel (image processing), a matrix used for image convolution * Compute kernel, in GPGPU programming * Kernel method, in machine lea ...
,
XNU XNU is the computer operating system (OS) kernel developed at Apple Inc. since December 1996 for use in the Mac OS X (now macOS) operating system and released as free and open-source software as part of the Darwin OS, which in addition to macOS ...
, stops all processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected
executables In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instructions", as opposed to a data file ...
. Since
OS X Yosemite OS X Yosemite ( ; version 10.10) is the eleventh major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh computers. OS X Yosemite was announced and released to developers on June 2, 2014, at WWDC 2014 and rel ...
, kernel extensions, such as drivers, have to be code-signed with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple. The kernel refuses to boot if unsigned extensions are present, showing the user a
prohibition sign The general prohibition sign, also known informally as the no symbol, 'do not' sign, circle-backslash symbol, nay, interdictory circle, prohibited symbol, don't do it symbol, or universal no, is a red circle with a 45-degree diagonal line inside ...
instead. This mechanism, called "kext signing", was integrated into System Integrity Protection. System Integrity Protection will also sanitize certain environmental variables when calling system programs when SIP is in effect. For example, SIP will sanitize and before calling a system program like to avoid code injections into the Bash process.


Configuration

The directories protected by SIP by default include: * /System * /sbin * /bin * /usr * /Applications /usr is protected with the exception of /usr/local subdirectory. /Applications is protected for apps that are pre-installed with Mac OS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes. System Integrity Protection can only be disabled (either wholly or partly) from outside of the
system partition The system partition and the boot partition (also known as the system volume and the boot volume) are computing terms for disk partitions of a hard disk drive or solid-state drive that must exist and be properly configured for a computer to oper ...
. To that end, Apple provides the
command-line utility A console application is a computer program designed to be used via a text-only computer interface, such as a text terminal, the command-line interface of some operating systems (Unix, DOS, etc.) or the text-based interface included with most g ...
which can be executed from a
Terminal Terminal may refer to: Computing Hardware * Terminal (electronics), a device for joining electrical circuits together * Terminal (telecommunication), a device communicating over a line * Computer terminal, a set of primary input and output devic ...
window within the
recovery system The terms Recovery disc (or Disk), Rescue Disk/Disc and Emergency Disk all refer to a capability to boot from an external device, possibly a thumb drive, that includes a self-running operating system: the ability to be a boot disk/Disc that runs ...
or a bootable macOS installation disk, which adds a boot argument to the device's
NVRAM Non-volatile random-access memory (NVRAM) is random-access memory that retains data without applied power. This is in contrast to dynamic random-access memory (DRAM) and static random-access memory (SRAM), which both maintain data only for as lon ...
. This applies the setting to all of the installations of El Capitan or
macOS Sierra macOS Sierra (version 10.12) is the thirteenth major release of macOS (formerly known as and ), Apple Inc.'s desktop and server operating system for Macintosh computers. The name "macOS" stems from the intention to uniform the operating sys ...
on the device. Upon installation of macOS, the installer moves any unknown components within flagged system directories to . By preventing
write access Most file systems include attributes of files and directories that control the ability of users to read, change, navigate, and execute the contents of the file system. In some cases, menu options or functions may be made visible or hidden depending ...
to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is not available in
Disk Utility A disk utility is a utility program that allows a user to perform various functions on a computer disk, such as disk partitioning and logical volume management, as well as multiple smaller tasks such as changing drive letters and other mount p ...
and the corresponding operation.


Reception

Reception of System Integrity Protection has been mixed. ''
Macworld ''Macworld'' is a website dedicated to products and software of Apple Inc., published by Foundry, a subsidiary of IDG Inc. It started life as a print magazine in 1984 and had the largest audited circulation (both total and newsstand) of Macin ...
'' expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's
mobile operating system A mobile operating system is an operating system for mobile phones, tablet computer, tablets, smartwatches, smartglasses, or other non-laptop personal computing, personal mobile computing devices. While computers such as typical laptops are "mobi ...
iOS iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the iPhone; the term also include ...
, whereupon the installation of many utilities and modifications requires jailbreaking. Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. ''
Ars Technica ''Ars Technica'' is a website covering news and opinions in technology, science, politics, and society, created by Ken Fisher and Jon Stokes in 1998. It publishes news, reviews, and guides on issues such as computer hardware and software, sc ...
'' suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including
power user A power user is a user of computers, software and other electronic devices, who uses advanced features of computer hardware, operating systems, programs, or websites which are not used by the average user. A power user might not have extensive tec ...
s, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.


See also

*
AppArmor AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the ...
*
Computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
*
Security-Enhanced Linux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space ...
(SELinux) *
Social engineering (security) Social engineering may refer to: * Social engineering (political science), a means of influencing particular attitudes and social behaviors on a large scale * Social engineering (security), obtaining confidential information by manipulating and/or ...
*
Trusted Computing Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning that is distinct from the field of Confidential Computing. The core id ...
*
Trusted Solaris Trusted Solaris is a discontinued security-evaluated operating system based on Solaris (operating system), Solaris by Sun Microsystems, featuring a mandatory access control model. Features * Accounting * Role-Based Access Control * Auditing * Devic ...
*
User Account Control User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed
*
User Interface Privilege Isolation User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) ...
*
Windows File Protection Windows File Protection (WFP), a sub-system included in Microsoft Windows operating systems of the Windows 2000 and Windows XP era, aims to prevent programs from replacing critical Windows system files. Protecting core system files mitigates probl ...


References


External links

* {{macOS MacOS security technology