The Gatekeeper feature requires code to be signed by a legitimate developer in order to run. This prevents malware from being spread under a legitimate name and prevents the code from simply being modified. It is also used to make sure only certified developers can run code on the system.
A second, recently added feature is notarization. This validates that the code does not contain any known malware; this review process is separate from the app review.
The final piece of the puzzle is macOS quarantine. This extended file attribute is used to determine whether an extra pop-up should open prior to executing the file. Many web browsers voluntarily set this flag when downloading things from the internet.
While testing the length of file names in an application they were building, the author found an interesting bug! If a file had a VERY large hierarchy (longer than the PATH_MAX value), the extraction process of the archive utility would get confused.
While messing around with zipping and unzipping archives with overly long paths, they noticed that the quarantine attribute was missing on some of the files. This seems bad!
The author needed an un-archived structure that would be opened by the un-archive utility but NOT by Safari. It had to be long enough to fail the quarantine attribute, short enough to execute the binary and, finally, short enough to be found by Finder.
The final item (browsable) could be done via a symbolic link. Everything else was done by creating a structure that was barely longer than PATH_MAX.
There is a second article that does a complete breakdown of this bug. The TL;DR is that the parser exits early if the PATH_MAX length is hit, without setting the attribute.
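A defender-side pre-extraction check for the two traits described above (a hierarchy longer than PATH_MAX and a symbolic link entry), as an added example that is not from the original article. It assumes the macOS PATH_MAX of 1024 bytes and a hypothetical extraction directory; `triage_zip` and `build_sample` are illustrative names, and the sample archive is constructed inline.

```python
import io
import stat
import zipfile

PATH_MAX = 1024  # macOS value from <sys/syslimits.h>; other systems differ


def triage_zip(data, dest="/Users/user/Downloads"):
    """Return a list of (reason, entry name) findings for a zip given as bytes.

    dest is the assumed extraction directory (hypothetical); its length counts
    toward the full on-disk path the extractor has to handle.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Full path as it would exist on disk, in bytes, plus the NUL terminator.
            full = f"{dest.rstrip('/')}/{info.filename}".encode("utf-8")
            if len(full) + 1 > PATH_MAX:
                findings.append(("path-exceeds-PATH_MAX", info.filename))
            # The Unix mode is stored in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                findings.append(("symlink-entry", info.filename))
    return findings


def build_sample():
    """Constructed sample: one normal file, one over-long path, one symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        deep = "/".join(["d" * 100] * 11) + "/file.txt"  # 1119 bytes
        zf.writestr(deep, "data")
        link = zipfile.ZipInfo("shortcut")
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, "docs/readme.txt")  # link target is the entry body
    return buf.getvalue()


if __name__ == "__main__":
    for reason, name in triage_zip(build_sample()):
        shown = name if len(name) <= 60 else name[:60] + "..."
        print(f"{reason}: {shown}")
```

An archive that trips either check is worth extracting in a sandbox and inspecting for the `com.apple.quarantine` attribute before anything inside it is opened.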
This was a really interesting bug that was found by complete accident, and I had two main takeaways. Be observant, as you will find many things just by noticing odd behavior when giving weird inputs. Error handling is hard, especially at the threshold of what is allowed.