How Encrypted Binaries Work In Mac OS X

An anonymous reader writes "By now we know that OS X uses encrypted binaries for some critical apps like Dock, Finder and LoginWindow. Amit Singh explains the implementation of this protection scheme which makes use of the AES crypto algorithm and a special memory pager in Mach. The so called Do Not Steal Mac OS X (DSMOS) kernel extension helps along the way by decrypting things for the special pager when apps get executed. A funny thing is that if you print the pointer at address 0xFFFF1600 in your own app you get as output Apple's karma poem for crackers! According to the article there are 8 protected binaries in OSX including Rosetta and Spotlight meta data demon. Interestingly Apple's window server is NOT one of those."

It sure was simpler back in the day!

[KlaymenDK (713149)]

This is not the first "Do not steal Mac OS" they've done, although the first version never really got tested in action.

http://www.folklore.org/StoryView.py?project=Macin tosh&story=Stolen_From_Apple.txt&sortOrder=Sort%20 by%20Date&detail=medium&search=stolen [folklore.org]

History repeating! :D

Re:

[MBGMorden (803437)]

You're saying that they "would probably not have made enough money to survive" when Microsoft ended up doing the same thing and is now one of the richest companies in the world. There is money to be made in OS sales. A LOT of it. Apple can't sustain itself on OS sales as a niche player in the market, but the whole point of the discussion was saying that if there would have been Apple clones there's a very good chance they wouldn't have ended up as a niche player.

One reason not to encrypt the windowing system

[runlevel 5 (977409)]

WM's are huge apps and decrypting one before every startup would add a lot of work that has to be done at boot. According to the article, "the SystemUIServer binary within SystemUIServer.app", is encrypted and that is presumably a larege component of the WM. Also, it's virtually useless without the the dock and finder anyway.

Re:One reason not to encrypt the windowing system

[Trillan (597339)]

No, SystemUIServer is the process that runs Apple's menu do-dads, like the battery indicator, volume menu, iChat menu, keychain menu, clock, spotlight menu... basically, everything in the top right corner. Except for menus that 3rd party applications add, which are always to the left of the SystemUIServer items.

Originally, developers could inject their own menus into it if they figured out Apple's undocumented API for it. However, Apple shut that down (in 10.2, I think) since an unstable menu would destabilize all of Apple's menus. They're all run in the same address space, presumably to allow Apple to cut some corners in their command-drag reordering system. After 10.2, some developers hacked it to allow them to inject other menus into it. Maybe that's what Apple is trying to stop.

Even so, it's a really odd pick for encryption.

Re:

[jmorris42 (1458)]

> WM's are huge apps and decrypting one before every startup would add a lot of work that has to be done at boot.

I suspect the reason is because according to the article all encrypted apps are locked into memory and unswappable. If an attempt somehow manages to be made to page part of one out the system panics. Talk about a major reason NOT to want those versions of the binaries on one's system.....

Notice though how this Apple fan manages to describe all of the details except how to remove the crap. T

Re:

[Megane (129182)]

The DSMOS extension, by definition, can't itself be encrypted so why didn't he run dump of it and either extract the key or confirm IntelMacs are using TCPA hardware so the wailing can begin?

Maybe because of this little bit of text which is in both the binary and two copies of a file called LICENSE:

Copyright (c) 2006 Apple Computer, Inc. All rights reserved.

The purpose of this Apple software is to protect Apple copyrighted materials from unauthorized copying and use. You may not copy, modify, reverse

whoa, people still like Apple?

[by Anonymous Coward]

By now we know that OS X uses encrypted binaries for some critical apps like Dock, Finder and LoginWindow.

Actually, I *didn't* know that. I'm not going to "steal" the OS, why is Apple hiding parts of it from me? What else is hiding in there?

Apple seems to be very slowly turning evil again. *sigh*

Typo?

[urbanradar (1001140)]

The so called Do Not Steal Mac OS X (DSMOS) kernel extension...

DSMOS - Do Steal Mac OS?

DRM binaries eliminate competition

[GodWasAnAlien (206300)]

Microsoft would love to do the same thing,
and would I guess that they are planning to, but letting Apple pull it first, as Apple can get away with it.

Microsoft: "Apple used DRM music first, so locking everyone into our music player with DRM/Encrypted-Music is no worse".

Microsoft: "Apple used DRM binaries first, so locking everyone into our OS and Applications with DRM/Encrypted-Binaries is no worse".

Ethical way to dump Apple's hardware requirements?

[argent (18001)]

I'm getting pretty fed up with Apple's hardware. I don't like it. I don't like my Macbook Pro much at all, and if there was a legal way to run OS X on a Thinkpad I'd jump to it. Well, after dealing with bank account issues.

How about buying a Thinkpad and a Mac mini Core Duo, destroying the mini, and running that licensed copy of OS X on the Thinkpad?

Probably still illegal, but should be on firm ethical ground. Apple got their money, and I'm not running the OS on two machines.

Is this really a "feature"?

[BeBoxer (14448)]

An interpreter script is a text file that traditionally begins with the #! characters followed by a path to the interpreter. Files not containing the #! line are treated as shell scripts--not by the kernel, but by the execvP stub in the C library. If the stub gets an ENOEXEC error from the kernel when such a file's execution is attempted, it reattempts execution by using "/bin/sh" as the first argument to execve() and the file as the next argument.

I think Linux does the same thing, although I haven't checked. Somehow, this just feels wrong to me. If it's not a valid binary, and doesn't start with #!, why not just fail? Why keep trying? /bin/sh is pretty forgiving. I'm pretty sure if you told it to execute a saved email or HTML file it would happily try every line in the file looking for valid commands. It's not hard to imagine this feature being one link in the chain which enables some exploit. After all, it's relatively easily to get shell commands into a users mailbox or web cache files. Making it possible for the system to natively execute a mailbox or HTML file just seems dangerous. Maybe that's just me.

Re:

[Dogun (7502)]

Disregarding the content of your comment, you're still confusing encryption with obfuscation.

What you see here is obfuscation.

Re:Signed binaries = good, encrypted binaries = ba

[MindStalker (22827)]

So what? OSX is based on BSD and does not need GPL compliance.

Re:

[elronxenu (117773)]

I'm not talking about the GPL specifically, I'm talking about the Freedoms.

OSX is denying the user one of the fundamental Freedoms. Although it is not the worst offender (*cough microsoft cough*) it is moving in the same direction as Vista. The user is not fully in control of the computer system. There are parts of the computer system about which the user is not permitted to know.

Re:Signed binaries = good, encrypted binaries = ba

[pyite (140350)]

OSX is denying the user one of the fundamental Freedoms.

Uh, it might be a "fundamental Freedom" if you had a "fundamental Right" of some sort to do as you wish with other people's IP. Unfortunately, you don't. A significant number of people make a good living for themselves and their families working for companies that, while being very understanding and supportive of the free software movement in its proper place, gain competitive advantage over their peers by employing the best intellectual talent to solve problems with technological solutions that if copied would eliminate any sort of advantage that company may have in solving a certain problem.

Re:Signed binaries = good, encrypted binaries = ba

[Bastian (66383)]

If you purchase a physical item, do you still think of it as the seller's property after you've paid for it and taken it home?

When I purchase a car, the car is my property. Honda is not trampling on my liberties by not giving me all the CAD files and whatnot that were used to make my car.

Re:

[Pete (2228)]

Full-quoting because it was inappropriately downmodded (and it saved me having to think enough to type essentially the same thing).

anoncow:

yes, but you can reverse engineer the car if you so wish (and if you have the funds) and change it to your liking and honda can't say shit about it, except for maybe voiding your warranty.

What he said. :)

Re:

[Bastian (66383)]

I can do this with my computer, too.

It's worth pointing out that reverse engineering and disassembling/decompiling are not the same thing. The latter might be useful for helping with the former, but the law doesn't say that anybody is required to make sure reverse engineering will be easy. It just says that that you're allowed to do it for various reasons. Nor do I think anyone has an ethical responsibility to make reverse engineering easy. In fact, if you're looking to reverse engineer something it's p

Re:

[zootm (850416)]

Probably. The problem here is that, whether we like it or not, software is sold as a licence rather than as a product. I'd personally expect EULAs to stand up in court simply because there'd be legal and financial pressure upon them to do so; at the moment, they're just "expected" to be valid.

I don't think contracts are going to leave, though. If EULAs are found to be invalid, it'll just change the way that they are distributed to something that's more legally sound, and very little else.

Underhanded? Prob

Re:

[tlhIngan (30335)]

The problem with signed binaries is that you either have a list of binaries that are signed, that is hardcoded into the kernel to check (BAD), or all binaries have to be signed (BAD). The only workable alternative is have a list of files and have that file signed.

What MacOS X does, is try to start the application. If it's encrypted, it's decrypted as part of the load process into memory. If not, well, it's not. I'm certain you can replace OS X's encrypted binaries with unencrypted ones of equivalent functio

Re:

[rekoil (168689)]

Everyone, including Apple, knows that no copy/license protection system is foolproof. The best you can ask for is something that's difficult enough to break that it effectively deters the mainstream "casual pirate" - remember, even bank vaults are rated on how long it would take a skilled safecracker to open the lock, and never guaranteed to be impenetrable.

Re:

[jZnat (793348)]

So why don't you have to jump through hoops to install OS X? It has no annoying activation or some Apple Genuine Advantage (tm) daemon or anything. All they really do is request you don't illegally redistribute it instead of assuming that you're going to redistribute it and stopping you at any cost.

How hard is reverse engineering?

[s20451 (410424)]

Even though the source is not available, binaries can be reverse-engineered

Just wondering. How easy is it to reverse-engineer a massive closed-source piece of software (like, say, MS Windows)?

Such a reverse-engineering job would be of obvious commercial interest (especially to parties who work in countries with lax regulatory regimes), so there is an obvious incentive to do it.

However, my "armchair" estimation is that it is nearly impossible, since there exist parts of the world with large numbers of skill

Re:

[Proud like a god (656928)]

What about ReactOS [wikipedia.org] or the work of various compatabitity programs like Wine, or virtual machines?

Re:

[dwandy (907337)]

Just wondering. How easy is it to reverse-engineer a massive closed-source piece of software (like, say, MS Windows)?

Trivial ... just takes time to "re-code" it ... a lot of time ... check out http://www.winehq.com/ [winehq.com] who are in fact reverse engineering Windows.

Such a reverse-engineering job would be of obvious commercial interest (especially to parties who work in countries with lax regulatory regimes), so there is an obvious incentive to do it.

Why reverse engineer when you can just print copies? There's

Re:

[prockcore (543967)]

Are there any experts out there who can enlighten me? I'm rather curious.

You would never use RE to write a windows clone.. it is, indeed, just too large. Reverse engineering is better used to solve specific tasks.

You could use reverse engineering to find details on things in windows, like codecs, file formats, protocols, etc.

For example, I used reverse engineering to discover the iTMS AES key. It took about an hour to find and step through the relevant code to discover out how it is generated (it's not st

Re:

[s20451 (410424)]

So you want to RE a proprietary solution specifically to sell it in a region which is known for its "loose" ethics toward piracy?

I'm not interested in re-selling the proprietary solution. I'm interested in selling detailed information about the proprietary solution.

Reverse engineering makes security holes more obvious (does it not? Otherwise, how do hackers find security holes?). This is of obvious interest to "industrial" crackers -- the ones who harness large botnets and sell them to the highest bidder.

why bother?

[oohshiny (998054)]

It doesn't really matter what they protect, they are simply trying to make copying OS X wholesale more cumbersome. Functionally, there is nothing in OS X that would be worth disassembling for anybody: there are already open source implementations of Spotlight, Finder, SystemUIServer, Doc, and all the other stuff, and arguably, the open source versions are technically better. The thing that makes Macs shine and sell is the packaging and integration, not the technology.

It's easy to make up freedom definitions

[tm2b (42473)]

"Freedom is when you don't have to do nothing or pay for nothing,
I want to be free!" - Frank Zappa, "Teenage Wind"

Re:Signed binaries = good, encrypted binaries = ba

[AxelTorvalds (544851)]

What if the CPU does the decryption in realtime? Then you can use encrypted binaries to prevent certain types of attacks because the attacker would have to inject encrypted instructions in to an overflow...

I think a patent was just filed for this kind of technology.

Re:Signed binaries = good, encrypted binaries = ba

[Wizard Drongo (712526)]

Actually they're up to about 6% marketshare in the USA, and I think about 8% in the EU. And as for relevance, Apple, like Google are figureheads. When Apple do something, the rest of the market take notice. Like Widgets in OS X 10.4.....after Apple released this, Microsoft weighed in with 'Gadgets' (Yes, I know widgets come from Konfabulator, but Apple made them famous, and after Apple did so, Yahoo! bought Konfabulator, something that wouldn't have happened without Apple copying it in Tiger). So what Apple do is important because you tend to find 6 months after Apple do something, everyone else does too. I wouldn't be at all surprised if Microsoft use the encrypted binary idea in Vista SP1 or whatever comes after Vista (too late to put in Vista). I also wouldn't be at all surprised if Microsoft totally screw it up.

Re:

[DurendalMac (736637)]

The thing is, Apple's implementation of Widgets is very well done. 10.5 is going to improve it with better memory management and the easy creation of widgets from any section of a webpage. The MS sidebar is a clunky and cumbersome implementation, probably because MS can't design a really good user interface to save their lives.

Re:

[jcr (53032)]

They nicked it from Xerox.

Correction: Apple LICENSED technology from Xerox, and develeoped the GUI far beyond what Xerox had done.

-jcr

Re:

[fsterman (519061)]

GUIs were around in academia long before Xerox. Xerox, not knowing what to do with all this stuff coming from the lab, invested in Apple and let them wander through. None of that made it into the myth, kinda anti-climatic.

Re:

[Em Adespoton (792954)]

Wow... and this comment posted only a week or so after an article on Slashdot reported that Apple has seen a marketshare increase yet again, to something like 4.6%.

I know... I shouldn't feed trolls.... Maybe I should have taken offense at the insinuation that all GNU freaks have beards (including the women) instead....

Re:Oh look, we can scramble a binary.

[binarybum (468664)]

"Hi, I'm a PC."
"And I'm a Mac. My insides are all scrambled up. It protects me from dangerous crackers."
"All scrambled up?"
"Yep, that's right, my most important parts are very heavily scrambled."
"Does it hurt when you poop?"
"like you wouldn't believe"

Re:Oh look, we can scramble a binary.

[sokoban (142301)]

Where do you think iPods come from?

Re:

[ettlz (639203)]

Thank-you. Maybe I should expand on the question as: "This is a curious little piece of technology, and something similar could no-doubt be hacked into Linux or BSD with an a few hours' coding, but I doubt ordinary users of said OSs would use or tolerate such a thing. So, other than discouraging reverse-engineering and attempts to run OS X on non-Apple hardware, precisely how does this benefit those who will use the system? And does this really merit a Slashdot story?"

Re:

[Overzeetop (214511)]

Actually, it's copy protection written into the firmware. By locking down the hardware side, and making their software incompatible with anything else, they've DRM'd the software while making you feel fresh all day. But we all know what that smell is covering up.

Re:

[xjerky (128399)]

The point is that if you are an Apple hardware buyer, then you'll never have to deal with false positives disabling your system, unlike WGA.

And if you are not an Apple hardware buyer, then they don't want you as a potential customer anyway.

Re:

[by Anonymous Coward]

I'm running 10.2.8 - quite old. Printing 0xFFFF1600 as a string with printf causes a seg. fault on my box.

well that's one hell of an Easter egg!

Re:

[pclminion (145572)]

Same here, version 10.3.9.

Re:Love mac - hate some of the choices

[frdmfghtr (603968)]

I also can't stand spotlight. It is a resource hog and doesn't work well, plus it takes up critical real estate on the menu bar.

"Critical real estate on the menu bar"? Exactly how big is your Spotlight icon? Mine is less than half the size of my little fingernail on my 12" iBook, as big across as the menu bar is thick. I hardly call that "critical" but if that's your opinion, then so be it.

Re:

[iphayd (170761)]

The Spotlight menu bar item is infinitely large, as it occupies the top right corner (Fitt's Law).

The grandparent poster is aware of this, and would apparently like to populate it with something that they would utilize more than spotlight. Frankly, I agree, as I tend to key command to spotlight anyhow, then always bring up the window because I want to see the file path, not open the file.

Now, so that you understand why it is infinitely large:

Close your eyes. Move your mouse to the top and right. Give it

Re:That poem is scary..

[astrosmash (3561)]

The fundamental purpose of Copyright law is to allow a creator to control how their works are disseminated. Obviously, Apple wants you to buy their hardware if you want to run their software, and they're perfectly within their rights to do so.

Say Chevy offers Radiohead $1 Million to use one of their recordings in a stupid truck ad, and Radiohead refuses. By your logic, Chevy should then have the right to use the recording anyway, because since Radiohead refused to sell them the song they're not losing any money.

You may think it's right, but hundreds of years of copyright law would disagree.

Re:

[Mr2001 (90979)]

Er, no.. the fundamental purpose of copyright law is to enrich the public domain by providing an incentive to authors to create new works, which will eventually make their way into the public domain, where anyone--yes, even Chevrolet--can use them as they wish. Granting control over distribution can be part of that incentive, but it doesn't need to be; the fundamental purpose would be served just fine if Radiohead were legally required to sell the right to use their song in a truck ad, because $1 million is

Re:That poem is scary..

[bdash (598142)]

The US Treasury would disagree with you: http://www.ustreas.gov/education/faq/currency/lega l-tender.shtml#q1 [ustreas.gov]. Then again, what do they know?

They don't always even have to take cash.

[Kadin2048 (468275)]

The moment I ask "how much?" and they tell me, they have entered into a contract to supply the goods at that price or a lower price if they can't make change.

I'm calling shenanigans on this. (Unless you're located in some dollar-using country besides the U.S., in which case I think you're an idiot for not making that more clear, since you had to know it would be assumed.)

The right of a vendor to refuse sale to any person, excepting a few prescribed categories (e.g. racial discrimination) has been long estab

Your morals are crap.

[porkchop_d_clown (39923)]

Say I'm a black man. I go into a store to buy some bread to feed my family. The shop keep says "that bread aint for sale". I say I have a moral right to take it. Irrefutable.

Nice strawman. Because we all know, any attempt to control my property is equivalent to trying to starve a poor black family.

Your razor blade argument is equally crap. Those blades belong to the store owner. I don't care what you thought, you have no moral or legal right to steal more blades or to force him to give them to you. End of story. Irrefutable.

If you don't like it, shop somewhere else.

Apparently the pages are actually encrypted

[porkchop_d_clown (39923)]

The way I read it, portions of the app are actually encrypted with AES; which is interesting because it implies the decryption key must be part of the kernel, which implies the key is fixed.

So, I'm not sure what this actually accomplishes - I mean, it prevents you from easily disassembling binary, but how does it prevent you from running on non-Apple hardware?

Maybe the key is physically burned on some chip in the hardware?