Checking vendor signature from kext

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby adam81 » Tue Sep 04, 2018 4:28 pm


I'd like to check that the signature of a running process is from Apple. In order to do so I call
const char * csproc_get_teamid(struct proc *p)

I tested it in a kauth callback that caught the process generated by spindump trying to access some file.

I got the process struct (proc_t) and called the method above with it as an input argument.

However, the returned teamID string is NULL.

I also validated it with the more general function

struct cs_blob * csproc_get_blob(struct proc *p)

and got the following struct (it can be seen that teamID is NULL). So my question is: how does XNU decide that a process belongs to a specific vendor (since on iOS non-Apple-signed apps cannot run)?
P.S. I made sure that the proc_t belongs to spindump according to the p_comm field. Perhaps I'm using the wrong API?

(lldb) p/x *((struct cs_blob *) y)
(struct cs_blob) $25 = {
  csb_next = 0x0000000000000000
  csb_cpu_type = 0x01000007
  csb_flags = 0x24004a01
  csb_base_offset = 0x0000000000000000
  csb_start_offset = 0x0000000000000000
  csb_end_offset = 0x000000000005f000
  csb_mem_size = 0x0000000000003250
  csb_mem_offset = 0x0000000000000000
  csb_mem_kaddr = 0xffffff80392bc000
  csb_cdhash = {
    [0] = 0xd5
    [1] = 0xbf
    [2] = 0xa6
    [3] = 0xa2
    [4] = 0xa2
    [5] = 0xad
    [6] = 0x8f
    [7] = 0xfa
    [8] = 0x37
    [9] = 0x7c
    [10] = 0x6e
    [11] = 0xf7
    [12] = 0xf7
    [13] = 0xb9
    [14] = 0x4c
    [15] = 0x81
    [16] = 0x82
    [17] = 0x18
    [18] = 0x21
    [19] = 0xfb
  }
  csb_hashtype = 0xffffff8003c6cef0
  csb_hash_pagesize = 0x0000000000001000
  csb_hash_pagemask = 0x0000000000000fff
  csb_hash_pageshift = 0x000000000000000c
  csb_hash_firstlevel_pagesize = 0x0000000000000000
  csb_cd = 0xffffff80392bc02c
  csb_teamid = 0x0000000000000000 <no value available>
  csb_entitlements_blob = 0xffffff80392bcd33
  csb_entitlements = 0xffffff800d3b0340
  csb_signer_type = 0x00000000
  csb_platform_binary = 0x00000001
  csb_platform_path = 0x00000000
}

Re: Checking vendor signature from kext

Postby morpheus » Tue Sep 04, 2018 5:48 pm

I would suggest: check this again. Seems to me like you might have gotten spindump's blob, which doesn't have a TeamID since it's Apple's. csproc_* gets the blob of the process you handed as argument, and if your p_comm is spindump, then you got spindump's, not the target process. A better API would be to get the file vnode's blob from the UBC.

Re: Checking vendor signature from kext

Postby adam81 » Wed Sep 05, 2018 7:38 am

Hi and thanks for the help.

Yes, my intention was to identify from my kext that the process is really spindump by validating that it's signed by Apple. From the struct cs_blob, the only field that seems to hint at the signature's vendor is the teamID.

So you say that Apple doesn't have a teamID, but are there any other characteristics I can use to decide whether this process is signed by Apple?

P.S. Notice that in user space it is much easier, since I've got codesign, which also gives me the "Authority" field:

Is there any similar field I can acquire from the cs_blob struct? I can also investigate the process vnode as you recommended, using ubc_cs_blob_get.


zoharks-Mac-mini:OSXAgent zohar.k$ codesign -dvvv /usr/sbin/spindump
Format=Mach-O thin (x86_64)
CodeDirectory v=20100 size=3267 flags=0x0(none) hashes=95+5 location=embedded
Platform identifier=4
Hash type=sha256 size=32
CandidateCDHash sha256=d5bfa6a2a2ad8ffa377c6ef7f7b94c81821821fb
Hash choices=sha256
Signature size=4485
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=68

Re: Checking vendor signature from kext

Postby morpheus » Wed Sep 05, 2018 12:18 pm

Just by virtue of there being a CMS blob (or, in *OS, ad hoc) and the valid signature, you should be all good. What you need for 100% certainty is to get the CMS blob itself from the CS blob (that would be blob 0x10000 in the superblob, usually the 3rd blob), and perform the verification. Not a good idea, considering that AAPL themselves don't do it in kernel mode (though it's getting there, with CoreTrust).

And no, Apple doesn't do TeamID unless it's for "add-on" stuff like Xcode. Built-in binaries don't have that.
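The structure both replies refer to, as an added worked example that is not code from either poster: a small C parser over an embedded code-signature superblob using the layout from XNU's osfmk/kern/cs_blobs.h (CodeDirectory in slot 0, CMS wrapper in slot 0x10000, and a teamOffset field that only exists from CodeDirectory version 0x20200 on). It shows why a v=20100 CodeDirectory like the one codesign printed for spindump yields a NULL team ID while its platform byte is set, and why a v=20200 Developer ID style directory yields a team string instead. The two sample blobs are constructed inside the code and carry no page hashes and no real CMS data; the identifiers and the team ID string are made up for the example.

```c
/* Added example, not code from either poster: parse an embedded code-signature
 * superblob with the layout from XNU's osfmk/kern/cs_blobs.h (big-endian fields).
 * The sample blobs are constructed below and carry no hashes or real CMS data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CSMAGIC_EMBEDDED_SIGNATURE 0xfade0cc0u
#define CSMAGIC_CODEDIRECTORY      0xfade0c02u
#define CSMAGIC_BLOBWRAPPER        0xfade0b01u /* wraps the CMS signature */
#define CSSLOT_CODEDIRECTORY       0u
#define CSSLOT_SIGNATURESLOT       0x10000u    /* the CMS slot named in the thread */
#define CS_SUPPORTSTEAMID          0x20200u    /* first CodeDirectory version with teamOffset */

struct cs_info {
    uint32_t    cd_version;
    uint8_t     platform;   /* CodeDirectory platform byte (codesign's "Platform identifier") */
    const char *identifier; /* points into the blob */
    const char *teamid;     /* NULL when not set, like csb_teamid */
    int         has_cms;    /* slot 0x10000 present */
};

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Returns 0 on success, -1 if any offset or length leaves the blob. Everything is
 * bounds-checked: the blob comes from a file the kext has no reason to trust. */
int cs_parse(const uint8_t *blob, size_t len, struct cs_info *out) {
    const uint8_t *cd = NULL;
    memset(out, 0, sizeof *out);
    if (len < 12 || rd32(blob) != CSMAGIC_EMBEDDED_SIGNATURE) return -1;
    uint32_t total = rd32(blob + 4), count = rd32(blob + 8);
    if (total < 12 || total > len || count > (total - 12) / 8) return -1;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t type = rd32(blob + 12 + i * 8), off = rd32(blob + 16 + i * 8);
        if (off > total - 8) return -1;
        uint32_t blen = rd32(blob + off + 4);
        if (blen < 8 || blen > total - off) return -1;
        if (type == CSSLOT_CODEDIRECTORY && rd32(blob + off) == CSMAGIC_CODEDIRECTORY) cd = blob + off;
        if (type == CSSLOT_SIGNATURESLOT && rd32(blob + off) == CSMAGIC_BLOBWRAPPER) out->has_cms = 1;
    }
    if (!cd) return -1;
    uint32_t cdlen = rd32(cd + 4);
    if (cdlen < 44) return -1;                 /* fixed fields through spare2 */
    out->cd_version = rd32(cd + 8);
    out->platform   = cd[38];
    uint32_t ioff = rd32(cd + 20);             /* identOffset */
    if (ioff >= cdlen || !memchr(cd + ioff, 0, cdlen - ioff)) return -1;
    out->identifier = (const char *)cd + ioff;
    if (out->cd_version >= CS_SUPPORTSTEAMID && cdlen >= 52) {
        uint32_t toff = rd32(cd + 48);         /* teamOffset; 0 means "TeamIdentifier=not set" */
        if (toff && (toff >= cdlen || !memchr(cd + toff, 0, cdlen - toff))) return -1;
        if (toff) out->teamid = (const char *)cd + toff;
    }
    return 0;
}

/* Constructed sample: one CodeDirectory plus an empty CMS wrapper in slot 0x10000.
 * A team string is only emitted when the CD version actually has a teamOffset. */
size_t build_blob(uint8_t *buf, uint32_t cd_version, uint8_t platform, const char *ident, const char *team) {
    int has_team = team != NULL && cd_version >= CS_SUPPORTSTEAMID;
    uint32_t fixed = cd_version >= CS_SUPPORTSTEAMID ? 52 : 48;  /* v20100 ends at scatterOffset */
    uint32_t cd_off = 28, ioff = fixed, toff = ioff + (uint32_t)strlen(ident) + 1;
    uint32_t cd_len = has_team ? toff + (uint32_t)strlen(team) + 1 : toff;
    uint32_t cms_off = cd_off + cd_len, total = cms_off + 8;
    memset(buf, 0, total);
    wr32(buf, CSMAGIC_EMBEDDED_SIGNATURE); wr32(buf + 4, total); wr32(buf + 8, 2);
    wr32(buf + 12, CSSLOT_CODEDIRECTORY); wr32(buf + 16, cd_off);
    wr32(buf + 20, CSSLOT_SIGNATURESLOT); wr32(buf + 24, cms_off);
    uint8_t *cd = buf + cd_off;
    wr32(cd, CSMAGIC_CODEDIRECTORY); wr32(cd + 4, cd_len); wr32(cd + 8, cd_version);
    wr32(cd + 16, cd_len); wr32(cd + 20, ioff);              /* hashOffset (no hashes), identOffset */
    cd[36] = 32; cd[37] = 2; cd[38] = platform; cd[39] = 12;  /* SHA-256, platform byte, 4K pages */
    memcpy(cd + ioff, ident, strlen(ident) + 1);
    if (has_team) { wr32(cd + 48, toff); memcpy(cd + toff, team, strlen(team) + 1); }
    wr32(buf + cms_off, CSMAGIC_BLOBWRAPPER); wr32(buf + cms_off + 4, 8);
    return total;
}

/* Build and parse one sample. -1 malformed, 2 team-signed, 1 platform-style
 * (platform byte set, no team, CMS slot present), 0 neither. This is a structural
 * check only; it does not verify the CMS signature. */
int classify_sample(uint32_t cd_version, uint8_t platform, const char *ident, const char *team) {
    uint8_t buf[256];
    struct cs_info info;
    size_t n = build_blob(buf, cd_version, platform, ident, team);
    if (cs_parse(buf, n, &info) != 0) return -1;
    if (info.teamid) return 2;
    return (info.platform != 0 && info.has_cms) ? 1 : 0;
}

int main(void) {
    /* Same shape as the codesign output above: v=20100, Platform identifier=4, no TeamIdentifier */
    printf("spindump-like blob: %d\n", classify_sample(0x20100, 4, "com.apple.spindump", NULL));
    printf("team-signed blob:   %d\n", classify_sample(0x20200, 0, "com.example.tool", "ABCDE12345"));
    return 0;
}
```

Two caveats for anyone porting this into a kext. First, the platform byte is just data in the file; what makes the kernel set csb_platform_binary = 1 is the CS_PLATFORM_BINARY bit (0x04000000, present in the posted csb_flags = 0x24004a01) that the signature policy sets after it has validated the signature, so a kext should key off that flag rather than parse the CodeDirectory itself. Second, as the reply notes, a TeamIdentifier is absent for Apple's built-in binaries and present for add-on and third-party code, so a NULL csb_teamid is consistent with, but not proof of, Apple origin.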
