Snake&Apple III — Checksec
Detecting exploit mitigation in Mach-O binaries using Python.
INTRO
Welcome to another article in the series on macOS security internals!
This time, I will discuss the various binary protections on macOS. You will learn here how to detect these protections and assess whether they are configured securely or not. You can see a summary of the article below:

Towards the end, I will share my custom implementation of a well-known checksec tool, but for macOS. You can see its final output below:

Please note that some topics have been intentionally omitted and will be addressed in future articles. However, leave a comment if you have any questions or need clarification about anything written here while reading. I guarantee a response and will use your feedback for future articles.
The Snake&Apple III. Checksec repository contains all of the code used.
PIE — Position-Independent Executable
The code and data sections of the executable are designed to be loaded and executed at different memory addresses, enhancing security by reducing the predictability of memory layouts. The randomness this introduces makes return-oriented programming (ROP) attacks more difficult to execute.
When PIE is enabled on Linux, the kernel loads the binary into memory at a base address + PIE offset. Additionally, ASLR can be enabled to add a random number to this offset (slide).

On the other hand, on macOS, PIE acts as a switch for ASLR, meaning that ASLR will not operate for the binary if the PIE flag is not set.
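Because the PIE flag gates ASLR on macOS, checking for it comes down to reading the `flags` field of the Mach-O header and testing the `MH_PIE` bit (`0x200000` in `<mach-o/loader.h>`). The following is an added example, not the code from the article's repository; the function names are hypothetical, the sample headers are constructed, and it goes slightly beyond the text by also walking 32-bit FAT (universal) containers.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE, MH_DYLIB, MH_PIE = 0x2, 0x6, 0x200000
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def thin_pie(data, offset=0):
    """Return (arch, pie) for the thin Mach-O image that starts at offset."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, offset)[0] in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError(f"no Mach-O magic at offset {offset:#x}")
    # mach_header and mach_header_64 share their first seven uint32 fields.
    _, cputype, _, filetype, _, _, flags = struct.unpack_from(endian + "7I", data, offset)
    # MH_PIE is only meaningful for main executables; report None otherwise.
    pie = bool(flags & MH_PIE) if filetype == MH_EXECUTE else None
    return CPU_NAMES.get(cputype, hex(cputype)), pie

def check_pie(data):
    """Map every architecture slice in a thin or FAT Mach-O to its PIE status."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return dict([thin_pie(data)])
    # fat_header and fat_arch entries are always big-endian (FAT_MAGIC_64 not handled).
    (nfat_arch,) = struct.unpack_from(">I", data, 4)
    result = {}
    for i in range(nfat_arch):
        _, _, slice_off, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        result.update([thin_pie(data, slice_off)])
    return result

def sample_header(cputype, flags, filetype=MH_EXECUTE):
    """Constructed little-endian mach_header_64 (header only, not a real binary)."""
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, filetype, 0, 0, flags, 0)

def sample_fat(*slices):
    """Constructed FAT container wrapping the given thin headers."""
    out, off = struct.pack(">2I", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    body = b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        out += struct.pack(">5I", cputype, 0, off + len(body), len(s), 0)
        body += s
    return out + body

if __name__ == "__main__":
    fat = sample_fat(sample_header(0x01000007, 0x85), sample_header(0x0100000C, 0x200085))
    print(check_pie(fat))
```

On a real file, pass the bytes read from disk to `check_pie`; a `False` for any slice means that slice runs without ASLR.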
The image below shows two x86_64 binaries run on macOS with an Apple Silicon chip because I could not run arm64 without a PIE…