What is a Hardened Runtime AUT?¶
macOS 10.14 and Xcode 10 introduce a new feature called ‘Hardened Runtime’. It is intended to enhance the security of applications by disabling/disallowing various kinds of loading third-party executable code into the AUT - such as Squish libraries.
It effectively disables various features commonly exploited in security breaches.
The exact set of features (Apple calls them ‘entitlements’) is configured when compiling the application. See the Apple page on Hardened Runtime Entitlements on how to do this.
Which entitlements Squish needs¶
To make Squish work, two entitlements need to be checked:
Allow DYLD Environment Variables: This is required to be able to inject code into the running AUT process.
Disable Library Validation: This is needed such that the AUT process can load Squish libraries, i.e. code which was not augmented with the digital code signature of the AUT developer.
This affects both Squish for Qt and Squish for Mac since they’re using the same mechanism for non-intrusive hooking. With Squish for Qt, an alternative may be using the built-in hook and code-signing all Squish libraries that are being loaded into the AUT with your own certificate.
How to tell if an AUT is hardened?¶
First, Squish will be unable to attach to your AUT. If you are unable to ask the developer, it is possible to check using command line tools provided by Xcode. First, make sure Xcode is installed with the command line tools, and issue the following command,using the path to your own AUT instead of TextEdit.app.
This command produces an output that looks something like this:
Executable=/Applications/TextEdit.app/Contents/MacOS/TextEdit Identifier=com.apple.TextEdit Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20100 size=1475 flags=0x0(none) hashes=39+5 location=embedded Platform identifier=7 Signature size=4485 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA Info.plist entries=33 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=479 Internal requirements count=1 size=68
In the output look for the line starting with ‘CodeDirectory’. The ‘flags’ entry indicates which flags have been enabled. If the ‘runtime’ flag (0x10000) is present that means the application uses the hardened runtime feature. If it is not set - like in the example output above - the application does not use the hardened runtime.
To find out which entitlements are already enabled in your AUT, you can execute a command like this:
This produces output in the form of a plist file that looks like this:
In this output, check if the keys
com.apple.security.cs.allow-dyld-environment-variables exist and are set to true. If they’re missing or set to false hooking with Squish will fail.
Code-Signing to add entitlements¶
With XCode, it is possible to sign an executable manually, with your own developer certificate, to give it new entitlements. The links below explain how: