Check for Library Validation #309

Closed
opened 2026-01-19 18:30:00 +00:00 by michael · 3 comments

Originally created by @robertgendler on GitHub.

Library Validation. This protection checks if an app's libraries are signed by Apple or the creator. Until very recently, macOS apps could load code freely from foreign sources called code libraries. With macOS 10.15, apps are no longer allowed to load libraries that weren't originally packaged with it, unless they explicitly allow it.

`defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool false`


@robertgendler commented on GitHub:

It seems at least in part SIP and enabling the Hardened Runtime requirement as part of the notarization process for apps maybe makes this setting useless, and with Gatekeeper being set to identified developers it will put up a warning that the library can't be opened. Though non-notarized apps as well as apps with the `com.apple.security.cs.disable-library-validation` entitlement may still be able to load malicious libraries. Not to mention AMFI is still checking the signatures of every app that is run.

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation

Using the dylib in this article https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191

Disabling the library validation key and trying to inject code using the dylib results in an immediate crash due to an invalid code signature.

Tried a whole lot and haven't gotten very far due to multiple levels of protection in macOS.

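The reasoning in the comment above (Hardened Runtime enforces library validation, the `com.apple.security.cs.disable-library-validation` entitlement opts an app out, and the `DisableLibraryValidation` preference from the issue body decides little on its own) can be turned into a read-only assessment script. The following is an added example, not code from the issue or from the macos_security project's own rules. It assumes the usual `defaults read` behaviour (exit non-zero and print nothing when the plist or key is absent), that `codesign -d --entitlements :-` prints the entitlements as plist XML, and that `codesign -dv` reports `flags=...(runtime)` for a Hardened Runtime binary; the sample inputs are constructed, and the live-collection helpers only run on macOS.

```shell
#!/bin/sh
# Added example; not code from the issue or from the macos_security project.
# Three small parsers for the outputs a defender collects when assessing
# library validation on a Mac, plus one verdict function that applies the
# reasoning from the comment above. The live-collection helpers at the end
# are assumptions about tool output and only run on macOS.

# lv_state VALUE
#   VALUE is the stdout of `defaults read ... DisableLibraryValidation`,
#   or empty when the read failed (plist or key absent). Absence means the
#   macOS default applies, i.e. library validation stays enabled.
lv_state() {
  case "$1" in
    ''|0|false|FALSE|no|NO) printf 'enabled\n' ;;
    1|true|TRUE|yes|YES)    printf 'disabled\n' ;;
    *)                      printf 'unknown\n' ;;
  esac
}

# entitlement_opts_out XML
#   XML is the entitlements plist text of one app. Succeeds (exit 0) when
#   com.apple.security.cs.disable-library-validation is set to <true/>.
#   Whitespace is stripped first so formatting differences do not matter.
entitlement_opts_out() {
  printf '%s\n' "$1" | tr -d ' \t\n' |
    grep -qF '<key>com.apple.security.cs.disable-library-validation</key><true/>'
}

# has_hardened_runtime TEXT
#   TEXT is the output of `codesign -dv APP`; the word "runtime" inside the
#   flags=... field marks a Hardened Runtime binary.
has_hardened_runtime() {
  printf '%s\n' "$1" | grep -q 'flags=[^ ]*runtime'
}

# app_lv_verdict XML CODESIGN_TEXT
#   opted-out     entitlement present: the app may load libraries not
#                 signed by Apple or its own team
#   enforced      Hardened Runtime without the entitlement: library
#                 validation applies regardless of the preference
#   not-enforced  no Hardened Runtime flag: validation is not guaranteed
app_lv_verdict() {
  if entitlement_opts_out "$1"; then
    printf 'opted-out\n'
  elif has_hardened_runtime "$2"; then
    printf 'enforced\n'
  else
    printf 'not-enforced\n'
  fi
}

# Constructed sample inputs (not captured from any real app).
SAMPLE_OPTOUT_XML='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>'
SAMPLE_PLAIN_XML='<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
</dict></plist>'
SAMPLE_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'
SAMPLE_NOT_HARDENED='Identifier=com.example.legacy
CodeDirectory v=20200 size=512 flags=0x0(none) hashes=10+3 location=embedded'

# Live collection (macOS only; assumptions about defaults/codesign output).
lv_prefs_check() {
  v=$(defaults read /Library/Preferences/com.apple.security.libraryvalidation.plist \
        DisableLibraryValidation 2>/dev/null)
  lv_state "$v"
}
app_check() {   # usage: app_check /Applications/Example.app
  xml=$(codesign -d --entitlements :- "$1" 2>/dev/null)
  flags=$(codesign -dv "$1" 2>&1)
  app_lv_verdict "$xml" "$flags"
}

# Demo on the constructed samples.
printf 'prefs (key absent): %s\n' "$(lv_state '')"
printf 'prefs (=1):         %s\n' "$(lv_state 1)"
printf 'opt-out app:        %s\n' "$(app_lv_verdict "$SAMPLE_OPTOUT_XML" "$SAMPLE_HARDENED")"
printf 'hardened app:       %s\n' "$(app_lv_verdict "$SAMPLE_PLAIN_XML" "$SAMPLE_HARDENED")"
printf 'legacy app:         %s\n' "$(app_lv_verdict "$SAMPLE_PLAIN_XML" "$SAMPLE_NOT_HARDENED")"
```

The verdict function deliberately reads the entitlement before the Hardened Runtime flag: an app can be notarized and hardened yet still opt out of library validation, which is exactly the case the comment flags as still exposed. On a fleet, `app_check` run over `/Applications/*.app` gives an inventory of opted-out apps, which is a more actionable check than the preference key alone.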

@robertgendler commented on GitHub:

Not really a useful check.


@robertgendler commented on GitHub:

800-53 R5 SI-7(1), SI-3

Reference: usnistgov/macos_security#309