Set up a macOS Parallels Virtual Machine for security research
Nov 16 2020
macOS ships with a solid set of built-in security features designed to keep us safe, for example System Integrity Protection (SIP). These features are great for everyday use, but they get in the way when we are trying to analyse what processes are doing, for example attaching to a process with lldb. In this post, I'll show you how to set up a Virtual Machine (VM) using Parallels Desktop and disable SIP so you can use the VM as your research lab.
Installing macOS
Assuming you already have Parallels Desktop installed on your computer, the next step is to create a VM and install macOS. The installation process is simple:
- Select File > New ... ; this opens the "Installation Assistant"
- Scroll to the right and select "Install macOS using the recovery partition"
- Follow the steps to do a typical installation of macOS
Disable SIP
Let's disable SIP. csrutil only works from the Recovery environment, so we need to boot the VM into Recovery mode by changing its boot flags:
- Select the VM in Control Center
- Go to Hardware
- Select Boot Order
- Open Advanced Settings
- Add the following Boot flags:
vm.efi.mac_recovery=1
Start the VM. From the Recovery menu, select Utilities > Terminal and disable SIP with the following command:
$ csrutil disable
That disables SIP. Now shut down the VM and remove the boot flag so it boots normally. You can shut down by running:
$ shutdown -h now
or by choosing the shutdown option from the menu. Then navigate back to the "Boot flags" option in the VM settings and remove the vm.efi.mac_recovery=1 text we added.
After restarting your VM, you can verify that SIP is disabled by running the following command:
$ csrutil status
You should see:
System Integrity Protection status: disabled.
That is enough to attach a debugger to running processes and to use DTrace. If you are developing system extensions, you'll also want to disable AMFI.
Disable AMFI
If you are developing an application that uses the Endpoint Security framework, you'll also need to disable Apple Mobile File Integrity (AMFI). AMFI is the component that enforces code signing and entitlement checks, which is what stops an unsigned or not-yet-entitled Endpoint Security client from running. To do that in a Parallels VM, add the following boot argument:
amfi_get_out_of_my_way=0x1
Rather than overwriting whatever boot arguments the VM already has, check the current ones first and append the new argument to that list. To see the current boot arguments, run:
$ nvram boot-args
In my VM I got:
keepsyms=1 -serial=0x2
So I'll append the new argument to that list.
To pass boot arguments to a Parallels VM, you use the same Boot flags setting we used to boot into Recovery mode:
- Select the VM in Control Center
- Go to Hardware
- Select Boot Order
- Open Advanced Settings
- Add the following Boot flags:
devices.mac.boot_args="amfi_get_out_of_my_way=0x1"
Because I want to preserve my previous arguments, this is how the flags look for my VM:
devices.mac.boot_args="keepsyms=1 -serial=0x2 amfi_get_out_of_my_way=0x1"
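To tie the SIP check and the boot-args step together, here is a small POSIX shell script I wrote for this post (it is not Parallels or Apple tooling). It parses the output of csrutil status and nvram boot-args, appends amfi_get_out_of_my_way=0x1 only if it is not already present, and prints the devices.mac.boot_args line to paste into Parallels. Run inside the VM it uses the live commands; run anywhere else it falls back to a constructed sample that matches the output shown above, so you can try it before touching the VM.

```shell
#!/bin/sh
# Lab-VM check script written for this post (not Parallels or Apple tooling).
# It reads the same two commands the post uses, csrutil status and nvram
# boot-args, keeps whatever boot arguments the VM already has, and appends
# amfi_get_out_of_my_way=0x1 exactly once.

AMFI_FLAG='amfi_get_out_of_my_way=0x1'

# sip_state "<csrutil status output>" -> disabled | enabled | custom
sip_state() {
    case "$1" in
        *'status: disabled'*) echo disabled ;;
        *'status: enabled'*)  echo enabled ;;
        *)                    echo custom ;;   # e.g. "unknown (Custom Configuration)"
    esac
}

# boot_args_value "<nvram boot-args output>" -> just the value.
# nvram prints "boot-args<TAB>value"; an unset variable gives no output.
boot_args_value() {
    printf '%s\n' "$1" | sed -n 's/^boot-args[[:space:]]*//p'
}

# has_boot_arg "<args>" FLAG -> true if FLAG is one whole space-separated word
has_boot_arg() {
    for word in $1; do          # unquoted on purpose: split on spaces
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# merge_boot_arg "<args>" FLAG -> args with FLAG appended once, nothing dropped
merge_boot_arg() {
    if has_boot_arg "$1" "$2"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf '%s\n' "$2"
    else
        printf '%s %s\n' "$1" "$2"
    fi
}

# parallels_boot_flag "<args>" -> the line for the Parallels "Boot flags" box
parallels_boot_flag() {
    printf 'devices.mac.boot_args="%s"\n' "$1"
}

# Constructed sample matching the output shown in the post; used when the
# script runs somewhere without csrutil (i.e. not inside the macOS VM).
SAMPLE_CSRUTIL='System Integrity Protection status: disabled.'
SAMPLE_NVRAM="$(printf 'boot-args\tkeepsyms=1 -serial=0x2')"

if command -v csrutil >/dev/null 2>&1; then
    csr_out="$(csrutil status 2>/dev/null || true)"
    nvram_out="$(nvram boot-args 2>/dev/null || true)"
else
    csr_out="$SAMPLE_CSRUTIL"
    nvram_out="$SAMPLE_NVRAM"
fi

current="$(boot_args_value "$nvram_out")"
echo "SIP:  $(sip_state "$csr_out")"
if has_boot_arg "$current" "$AMFI_FLAG"; then
    echo "AMFI: disabled by boot-args ($current)"
else
    echo "AMFI: enforced. Paste this into the Parallels Boot flags box:"
    echo "      $(parallels_boot_flag "$(merge_boot_arg "$current" "$AMFI_FLAG")")"
fi
```

The script matches flags as whole words, so a value like keepsyms=1 is never mistaken for the AMFI flag, and it never drops the arguments Parallels already passes (keepsyms=1 -serial=0x2 in my VM). Remember that the boot-args value nvram reports is what the VM actually booted with, so rerun the script after the reboot to confirm the flag took effect.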
Final Thoughts
With this setup, you'll be able to attach debuggers like lldb to other processes, and to test applications that provide system extensions, such as Endpoint Security clients. Don't do this to your work computer: SIP and AMFI offer a fair amount of protection, and with amfi_get_out_of_my_way set the VM will happily run unsigned and unentitled code.
It is hard to make everyone happy. Some say that macOS with SIP is too restrictive and that it doesn't let you do whatever you want with your computer. In reality, you can remove these security features, but you'll end up with a vulnerable system, so at the moment you can't have the best of both worlds unless you use a VM. I believe it's a fair tradeoff.