EndpointSecurity API should ensure against TOCTOU when delivering process authorization events

Originator: mike.myers
Number: rdar://FB8352031
Date Originated: 2020-08-11
Status: Open
Resolved:
Product: macOS
Product Version: 10.15.6
Classification: Suggestion
Reproducible: n/a

When authorizing macOS execution events, the resource being checked is the executable file, which is mapped into memory before executing. Here’s one Time-of-Check-Time-of-Use (TOCTOU) attack scenario:

A malicious actor executes Bad.app. Its malicious executable is mapped into memory and an execution authorization event is emitted by EndpointSecurity. But before the event is handled, the attacker replaces or modifies the executable file on disk so that it now looks like Good.app. The EndpointSecurity client receives the event, verifies that the bundle and its files all look good, and allows the execution, even though the code already mapped into memory is the malicious one.

This problem is not unique to EndpointSecurity, and was always a risk with the KAuth framework that preceded it.

The EndpointSecurity client can attempt to monitor file events to catch TOCTOU attacks, but it would be much easier and more reliable if Apple handled this responsibility within the EndpointSecurity API itself.
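As an added illustration of the client-side mitigation (this is not code from the report or from Apple), the following EndpointSecurity client narrows the window by comparing the executable on disk, after its own checks have run, with the `stat` snapshot the framework captured when the kernel mapped the file. It assumes macOS 10.15 or later, the `com.apple.developer.endpoint-security.client` entitlement, compilation with clang as Objective-C (for blocks) linked against `-framework EndpointSecurity`; `mapped_file_unchanged` and `handle_auth_exec` are names chosen here.

```objc
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>

// Compare the executable as it is on disk now with the snapshot ES captured
// when the kernel mapped it (es_file_t.stat). A changed device/inode means the
// file was swapped (e.g. via rename); a changed size or mtime means it was
// rewritten in place. Any discrepancy, or a file that is now missing, fails.
static bool mapped_file_unchanged(const es_file_t *mapped) {
    struct stat now;
    if (stat(mapped->path.data, &now) != 0) return false;
    const struct stat *then = &mapped->stat;
    return now.st_dev == then->st_dev && now.st_ino == then->st_ino &&
           now.st_size == then->st_size &&
           now.st_mtimespec.tv_sec == then->st_mtimespec.tv_sec &&
           now.st_mtimespec.tv_nsec == then->st_mtimespec.tv_nsec;
}

static void handle_auth_exec(es_client_t *client, const es_message_t *msg) {
    const es_file_t *exe = msg->event.exec.target->executable;
    // 1. Run the client's usual checks on the on-disk bundle at this point
    //    (signature, policy lookup, ...). The time they take is the window.
    // 2. Only then confirm that the file those checks inspected is still the
    //    file that was mapped. This does not close the race completely: a
    //    write can still land between this stat and the kernel acting on the
    //    verdict, and mtime can be reset by the writer, which is exactly why
    //    the report asks for the check to live inside the API. It does turn
    //    a silent bypass into a deny plus a log line.
    es_auth_result_t verdict = ES_AUTH_RESULT_ALLOW;
    if (!mapped_file_unchanged(exe)) {
        verdict = ES_AUTH_RESULT_DENY;
        fprintf(stderr, "exec denied: %.*s changed after it was mapped\n",
                (int)exe->path.length, exe->path.data);
    }
    // Do not ask ES to cache this verdict for the file; it is only valid now.
    es_respond_auth_result(client, msg, verdict, false);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            if (msg->event_type == ES_EVENT_TYPE_AUTH_EXEC) handle_auth_exec(c, msg);
        });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) { fprintf(stderr, "es_new_client: %d\n", r); return 1; }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) return 1;
    dispatch_main();
}
```

Subscribing additionally to ES_EVENT_TYPE_NOTIFY_WRITE, ES_EVENT_TYPE_NOTIFY_RENAME and ES_EVENT_TYPE_NOTIFY_UNLINK for the same path, as the report suggests, lets the client record who touched the file during the window rather than only that it changed.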
