System Integrity Protection Explained

Developer: Apple Inc.
Operating system: macOS
Included with: OS X El Capitan (OS X 10.11) and later
Genre: Computer security software

System Integrity Protection (SIP,[1] sometimes referred to as rootless[2] [3]) is a security feature of Apple's macOS operating system introduced in OS X El Capitan (OS X 10.11) in 2015. It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modification by processes without a specific "entitlement", even when those processes are executed by the root user or by a user with root privileges (sudo).

Apple says that the root user can be a significant risk to the system's security, especially on a system with a single user account on which that user is also the administrator. SIP is enabled by default but can be disabled.[4] [5]

Justification

Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account, which necessarily carries administrative credentials with it, meaning that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password (which Martel says is often weak or non-existent), the security of the entire system is potentially compromised. Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforce securelevel, a security feature that originates in BSD and its derivatives, upon which macOS is partially based.[6]

Functions

System Integrity Protection comprises the following mechanisms:

System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an extended file attribute to a file or directory, by adding the file or directory to or both. Among the protected directories are: ,,, (but not).[7] The symbolic links from, and to, and are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in are protected as well. The kernel, XNU, prevents processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected executables.[8]

Since OS X Yosemite, kernel extensions, such as drivers, have to be code-signed with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.[9] The kernel refuses to boot if unsigned extensions are present, showing the user a prohibition sign instead. This mechanism, called "kext signing", was integrated into System Integrity Protection.[10]

System Integrity Protection also sanitizes certain environment variables when system programs are invoked while SIP is in effect. For example, SIP sanitizes and before calling a system program like to avoid code injection into the Bash process.[11]
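The environment sanitization described above, shown as an added example that is not Apple's or the page's own code: it strips dynamic-linker variables from a launcher's environment before it runs a privileged helper. The variable names are assumptions based on the linker variables that control library loading on macOS (DYLD_*) and other Unix systems (LD_*); the page does not name them.

```python
import os
import subprocess
from typing import Dict, List, Optional

# Assumption (not from the page): the prefixes under which the dynamic
# linker looks for library-path and preload overrides. Any variable with
# one of these prefixes can redirect which code a process loads, so a
# privileged launcher should never pass them through to the child.
LINKER_PREFIXES = ("DYLD_", "LD_")


def sanitize_env(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of env without variables that steer library loading."""
    return {k: v for k, v in env.items() if not k.startswith(LINKER_PREFIXES)}


def dropped_variables(env: Dict[str, str]) -> List[str]:
    """Names sanitize_env would remove; handy for an audit log entry."""
    return sorted(k for k in env if k.startswith(LINKER_PREFIXES))


def run_system_program(argv: List[str],
                       env: Optional[Dict[str, str]] = None) -> subprocess.CompletedProcess:
    """Run argv with a sanitized environment, as SIP does for protected binaries."""
    base = dict(os.environ if env is None else env)
    return subprocess.run(argv, env=sanitize_env(base),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample environment carrying injection-style overrides.
    sample = {"PATH": "/usr/bin:/bin", "HOME": "/Users/demo",
              "DYLD_INSERT_LIBRARIES": "/tmp/injected.dylib",
              "DYLD_LIBRARY_PATH": "/tmp", "LD_LIBRARY_PATH": "/tmp"}
    print("dropped before launch:", dropped_variables(sample))
    result = run_system_program(["sh", "-c", 'printf %s "${DYLD_LIBRARY_PATH-unset}"'], sample)
    print("child sees DYLD_LIBRARY_PATH as:", result.stdout)
```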

Configuration

The directories protected by SIP by default include:[12]

/usr is protected, with the exception of the /usr/local subdirectory. /Applications is protected for apps that are pre-installed with macOS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.

System Integrity Protection can only be disabled (either wholly or partly) from outside the system partition. To that end, Apple provides the command-line utility which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk, and which adds a boot argument to the device's NVRAM. This applies the setting to all installations of El Capitan or macOS Sierra on the device. Upon installation of macOS, the installer moves any unknown components within flagged system directories to . By preventing write access to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is not available in Disk Utility[13] and the corresponding operation.

Reception

Reception of System Integrity Protection has been mixed. Macworld expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's mobile operating system iOS, where the installation of many utilities and modifications requires jailbreaking.[14] Some applications and drivers will not work to their full extent, or cannot be operated at all, unless the feature is disabled, either temporarily or permanently. Ars Technica suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including power users, will have no reason to turn the feature off, saying that there are "almost no downsides" to it.

Notes and References

  1. Cunningham, Andrew; Hutchinson, Lee. "OS X 10.11 El Capitan: The Ars Technica Review—System Integrity Protection". Ars Technica, September 29, 2015. Retrieved September 29, 2015.
  2. Cunningham, Andrew. "First look: OS X El Capitan brings a little Snow Leopard to Yosemite". Ars Technica, June 17, 2015. Retrieved June 18, 2015.
  3. Slivka, Eric. "OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance". MacRumors, June 12, 2015. Retrieved June 18, 2015.
  4. Martel, Pierre-Olivier. "Security and Your Apps" (PDF), pp. 8–54. Apple Developer, June 2015. Archived April 23, 2016 at https://web.archive.org/web/20160423080251/http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf. Retrieved September 30, 2016.
  5. Apple. "Configuring System Integrity Protection". Mac Developer Library, September 16, 2015. Archived August 17, 2016 at https://web.archive.org/web/20160817140027/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html. Retrieved September 30, 2016.
  6. Garfinkel, Simson; Spafford, Gene; Schwartz, Alan. Practical UNIX and Internet Security. O'Reilly Media, 2003, pp. 118–119. ISBN 9780596003234.
  7. Apple Support. "About System Integrity Protection on your Mac". May 30, 2016. Archived March 20, 2016 at https://web.archive.org/web/20160320071718/https://support.apple.com/en-us/HT204899. Retrieved September 30, 2016.
  8. Apple. "What's New In OS X - OS X El Capitan v10.11". Mac Developer Library. Archived March 4, 2016 at https://web.archive.org/web/20160304111549/https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html. Retrieved September 30, 2016. Quote: "Code injection and runtime attachments to system binaries are no longer permitted."
  9. Apple. "Kernel Extensions". Mac Developer Library, September 16, 2015. Archived August 17, 2016 at https://web.archive.org/web/20160817085001/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html. Retrieved September 29, 2016.
  10. Cindori. "Trim in Yosemite". June 18, 2015.
  11. Walton, Jeffrey. "Nettle 3.5.1 and OS X 10.12 patch". nettle-bugs mailing list, March 28, 2020. Archived July 14, 2020 at https://web.archive.org/web/20200714071608/https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html (original link dead). Retrieved July 13, 2020.
  12. "How to Check if System Integrity Protection (SIP) is Enabled on Mac". August 1, 2018. Retrieved March 6, 2021.
  13. Apple. "OS X El Capitan Developer Beta 2 Release Notes", section "Notes and Known Issues". Mac Developer Library, June 22, 2015. Archived June 26, 2015 at https://web.archive.org/web/20150626162444/https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html. Retrieved June 29, 2015.
  14. Fleishman, Glenn. "Private I: El Capitan's System Integrity Protection will shift utilities' functions". Macworld, July 15, 2015. Retrieved July 22, 2015.