How Encrypted Binaries Work In Mac OS X

Posted by ScuttleMonkey on Mon Oct 30, 2006 07:13 PM
from the under-the-hood dept.
An anonymous reader writes "By now we know that OS X uses encrypted binaries for some critical apps like Dock, Finder and LoginWindow. Amit Singh explains the implementation of this protection scheme which makes use of the AES crypto algorithm and a special memory pager in Mach. The so-called Do Not Steal Mac OS X (DSMOS) kernel extension helps along the way by decrypting things for the special pager when apps get executed. A funny thing is that if you print the pointer at address 0xFFFF1600 in your own app you get as output Apple's karma poem for crackers! According to the article there are 8 protected binaries in OSX including Rosetta and Spotlight metadata daemon. Interestingly Apple's window server is NOT one of those."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
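Added example, not from the article or the story submission: one way to check whether a thin Mach-O file carries segments marked as protected, without decrypting anything. It assumes the `SG_PROTECTED_VERSION_1` (0x8) segment flag from `<mach-o/loader.h>`; the helper names and the sample bytes are constructed for illustration, and fat (universal) binaries are out of scope.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O magics
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SG_PROTECTED_VERSION_1 = 0x8  # segment flag in <mach-o/loader.h> (assumed marker)


def protected_segments(data):
    """Return [(segname, fileoff, filesize)] for segments flagged as protected."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    is64 = magic == MH_MAGIC_64
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = 32 if is64 else 28          # the 64-bit header has one extra word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    # segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
    seg_fmt = "<16sQQQQiiII" if is64 else "<16sIIIIiiII"
    seg_cmd = LC_SEGMENT_64 if is64 else LC_SEGMENT
    found = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == seg_cmd:
            if cmdsize < 8 + struct.calcsize(seg_fmt):
                raise ValueError("segment command too small")
            fields = struct.unpack_from(seg_fmt, data, off + 8)
            name, fileoff, filesize, flags = fields[0], fields[3], fields[4], fields[8]
            if flags & SG_PROTECTED_VERSION_1:
                found.append((name.rstrip(b"\0").decode("ascii", "replace"),
                              fileoff, filesize))
        off += cmdsize
    return found


def _seg(name, fileoff, filesize, flags):
    """Build one 32-bit LC_SEGMENT command (constructed test data)."""
    body = struct.pack("<16sIIIIiiII", name, 0x1000, filesize, fileoff,
                       filesize, 7, 5, 0, flags)
    return struct.pack("<II", LC_SEGMENT, 8 + len(body)) + body


# Constructed sample: an i386 executable header with a protected __TEXT.
_cmds = _seg(b"__TEXT", 0, 0x3000, SG_PROTECTED_VERSION_1) + _seg(b"__DATA", 0x3000, 0x1000, 0)
SAMPLE = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 2, len(_cmds), 0) + _cmds
```
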
  • by KlaymenDK (713149) on Monday October 30 2006, @07:21PM (#16650593) Journal
    This is not the first "Do not steal Mac OS" they've done, although the first version never really got tested in action.

    http://www.folklore.org/StoryView.py?project=Macintosh&story=Stolen_From_Apple.txt&sortOrder=Sort%20by%20Date&detail=medium&search=stolen [folklore.org]

    History repeating! :D
  • WM's are huge apps and decrypting one before every startup would add a lot of work that has to be done at boot. According to the article, "the SystemUIServer binary within SystemUIServer.app", is encrypted and that is presumably a large component of the WM. Also, it's virtually useless without the dock and finder anyway.
    • No, SystemUIServer is the process that runs Apple's menu do-dads, like the battery indicator, volume menu, iChat menu, keychain menu, clock, spotlight menu... basically, everything in the top right corner. Except for menus that 3rd party applications add, which are always to the left of the SystemUIServer items.

      Originally, developers could inject their own menus into it if they figured out Apple's undocumented API for it. However, Apple shut that down (in 10.2, I think) since an unstable menu would destabilize all of Apple's menus. They're all run in the same address space, presumably to allow Apple to cut some corners in their command-drag reordering system. After 10.2, some developers hacked it to allow them to inject other menus into it. Maybe that's what Apple is trying to stop.

      Even so, it's a really odd pick for encryption.
      • Re: (Score:3, Insightful)

        The DSMOS extension, by definition, can't itself be encrypted so why didn't he run dump of it and either extract the key or confirm IntelMacs are using TCPA hardware so the wailing can begin?

        Maybe because of this little bit of text which is in both the binary and two copies of a file called LICENSE:

        Copyright (c) 2006 Apple Computer, Inc. All rights reserved.

        The purpose of this Apple software is to protect Apple copyrighted materials from unauthorized copying and use. You may not copy, modify, reverse

  • by GodWasAnAlien (206300) on Monday October 30 2006, @08:10PM (#16651213)
    Microsoft would love to do the same thing,
    and I would guess that they are planning to, but letting Apple pull it first, as Apple can get away with it.

    Microsoft: "Apple used DRM music first, so locking everyone into our music player with DRM/Encrypted-Music is no worse".

    Microsoft: "Apple used DRM binaries first, so locking everyone into our OS and Applications with DRM/Encrypted-Binaries is no worse".

    • why bother? (Score:4, Interesting)

      by oohshiny (998054) on Monday October 30 2006, @07:49PM (#16650971)
      It doesn't really matter what they protect, they are simply trying to make copying OS X wholesale more cumbersome. Functionally, there is nothing in OS X that would be worth disassembling for anybody: there are already open source implementations of Spotlight, Finder, SystemUIServer, Dock, and all the other stuff, and arguably, the open source versions are technically better. The thing that makes Macs shine and sell is the packaging and integration, not the technology.
    • What if the CPU does the decryption in realtime? Then you can use encrypted binaries to prevent certain types of attacks because the attacker would have to inject encrypted instructions into an overflow...

      I think a patent was just filed for this kind of technology.

      • by Wizard Drongo (712526) on Monday October 30 2006, @07:51PM (#16650987)
        Actually they're up to about 6% marketshare in the USA, and I think about 8% in the EU. And as for relevance, Apple, like Google are figureheads. When Apple do something, the rest of the market take notice. Like Widgets in OS X 10.4.....after Apple released this, Microsoft weighed in with 'Gadgets' (Yes, I know widgets come from Konfabulator, but Apple made them famous, and after Apple did so, Yahoo! bought Konfabulator, something that wouldn't have happened without Apple copying it in Tiger). So what Apple do is important because you tend to find 6 months after Apple do something, everyone else does too. I wouldn't be at all surprised if Microsoft use the encrypted binary idea in Vista SP1 or whatever comes after Vista (too late to put in Vista). I also wouldn't be at all surprised if Microsoft totally screw it up.
        • Re: (Score:3, Interesting)

          The thing is, Apple's implementation of Widgets is very well done. 10.5 is going to improve it with better memory management and the easy creation of widgets from any section of a webpage. The MS sidebar is a clunky and cumbersome implementation, probably because MS can't design a really good user interface to save their lives.
      • Re: (Score:3, Insightful)

        Everyone, including Apple, knows that no copy/license protection system is foolproof. The best you can ask for is something that's difficult enough to break that it effectively deters the mainstream "casual pirate" - remember, even bank vaults are rated on how long it would take a skilled safecracker to open the lock, and never guaranteed to be impenetrable.
      • Re: (Score:3, Informative)

        Just wondering. How easy is it to reverse-engineer a massive closed-source piece of software (like, say, MS Windows)?

        Trivial ... just takes time to "re-code" it ... a lot of time ... check out http://www.winehq.com/ [winehq.com] who are in fact reverse engineering Windows.

        Such a reverse-engineering job would be of obvious commercial interest (especially to parties who work in countries with lax regulatory regimes), so there is an obvious incentive to do it.

        Why reverse engineer when you can just print copies? There's

        • Re: (Score:3, Informative)

          So you want to RE a proprietary solution specifically to sell it in a region which is known for its "loose" ethics toward piracy?

          I'm not interested in re-selling the proprietary solution. I'm interested in selling detailed information about the proprietary solution.

          Reverse engineering makes security holes more obvious (does it not? Otherwise, how do hackers find security holes?). This is of obvious interest to "industrial" crackers -- the ones who harness large botnets and sell them to the highest bidder.
        • by pyite (140350) on Tuesday October 31 2006, @12:51AM (#16653537)
          OSX is denying the user one of the fundamental Freedoms.

          Uh, it might be a "fundamental Freedom" if you had a "fundamental Right" of some sort to do as you wish with other people's IP. Unfortunately, you don't. A significant number of people make a good living for themselves and their families working for companies that, while being very understanding and supportive of the free software movement in its proper place, gain competitive advantage over their peers by employing the best intellectual talent to solve problems with technological solutions that if copied would eliminate any sort of advantage that company may have in solving a certain problem.

            • by Bastian (66383) on Tuesday October 31 2006, @10:01AM (#16656749)
              If you purchase a physical item, do you still think of it as the seller's property after you've paid for it and taken it home?

              When I purchase a car, the car is my property. Honda is not trampling on my liberties by not giving me all the CAD files and whatnot that were used to make my car.
    • by binarybum (468664) on Monday October 30 2006, @07:57PM (#16651073) Homepage
      "Hi, I'm a PC."
      "And I'm a Mac. My insides are all scrambled up. It protects me from dangerous crackers."
      "All scrambled up?"
      "Yep, that's right, my most important parts are very heavily scrambled."
      "Does it hurt when you poop?"
      "like you wouldn't believe"
      • Re: (Score:3, Interesting)

        Thank you. Maybe I should expand on the question as: "This is a curious little piece of technology, and something similar could no doubt be hacked into Linux or BSD with a few hours' coding, but I doubt ordinary users of said OSs would use or tolerate such a thing. So, other than discouraging reverse-engineering and attempts to run OS X on non-Apple hardware, precisely how does this benefit those who will use the system? And does this really merit a Slashdot story?"
    • Re: (Score:3, Insightful)

      Actually, it's copy protection written into the firmware. By locking down the hardware side, and making their software incompatible with anything else, they've DRM'd the software while making you feel fresh all day. But we all know what that smell is covering up.

          • Re: (Score:3, Insightful)

            The point is that if you are an Apple hardware buyer, then you'll never have to deal with false positives disabling your system, unlike WGA.

            And if you are not an Apple hardware buyer, then they don't want you as a potential customer anyway.
    • Re: (Score:3, Funny)

      by Anonymous Coward

      I'm running 10.2.8 - quite old. Printing 0xFFFF1600 as a string with printf causes a seg. fault on my box.

      well that's one hell of an Easter egg!

    • by frdmfghtr (603968) on Monday October 30 2006, @08:22PM (#16651321)
      I also can't stand spotlight. It is a resource hog and doesn't work well, plus it takes up critical real estate on the menu bar.


      "Critical real estate on the menu bar"? Exactly how big is your Spotlight icon? Mine is less than half the size of my little fingernail on my 12" iBook, as big across as the menu bar is thick. I hardly call that "critical" but if that's your opinion, then so be it.

    • by astrosmash (3561) on Monday October 30 2006, @09:10PM (#16651745) Journal
      The fundamental purpose of Copyright law is to allow a creator to control how their works are disseminated. Obviously, Apple wants you to buy their hardware if you want to run their software, and they're perfectly within their rights to do so.

      Say Chevy offers Radiohead $1 Million to use one of their recordings in a stupid truck ad, and Radiohead refuses. By your logic, Chevy should then have the right to use the recording anyway, because since Radiohead refused to sell them the song they're not losing any money.

      You may think it's right, but hundreds of years of copyright law would disagree.
        • Say I'm a black man. I go into a store to buy some bread to feed my family. The shop keep says "that bread ain't for sale". I say I have a moral right to take it. Irrefutable.

          Nice strawman. Because we all know, any attempt to control my property is equivalent to trying to starve a poor black family.

          Your razor blade argument is equally crap. Those blades belong to the store owner. I don't care what you thought, you have no moral or legal right to steal more blades or to force him to give them to you. End of story. Irrefutable.

          If you don't like it, shop somewhere else.