Mach-O
What is Mach-O?
Mach-OMach-O is the native executable, object, and shared library format used by macOS, iOS, watchOS, and tvOS for binaries built with Apple's toolchain.
Mach-O (Mach Object) is the binary format used by Apple operating systems including macOS, iOS, watchOS, and tvOS. A Mach-O file contains a header, a list of load commands describing segments, dynamic linker information, symbol tables, and code-signature blobs. Universal (fat) binaries bundle slices for multiple architectures such as x86_64 and arm64. From a security perspective Mach-O carries code signing requirements enforced by AMFI and Gatekeeper, hardened-runtime entitlements, and notarization metadata; malware analysts inspect load commands, embedded LC_CODE_SIGNATURE, and dyld behavior to identify injection, dylib hijacking, and tampering.
● Examples
- 01
Inspecting a malicious .app bundle with otool -l and codesign --display to detect a tampered LC_CODE_SIGNATURE.
- 02
An attacker using DYLD_INSERT_LIBRARIES on an unsigned Mach-O to load a malicious dylib.
● Frequently asked questions
What is Mach-O?
Mach-O is the native executable, object, and shared library format used by macOS, iOS, watchOS, and tvOS for binaries built with Apple's toolchain. It belongs to the Application Security category of cybersecurity.
What does Mach-O mean?
Mach-O is the native executable, object, and shared library format used by macOS, iOS, watchOS, and tvOS for binaries built with Apple's toolchain.
How does Mach-O work?
Mach-O (Mach Object) is the binary format used by Apple operating systems including macOS, iOS, watchOS, and tvOS. A Mach-O file contains a header, a list of load commands describing segments, dynamic linker information, symbol tables, and code-signature blobs. Universal (fat) binaries bundle slices for multiple architectures such as x86_64 and arm64. From a security perspective Mach-O carries code signing requirements enforced by AMFI and Gatekeeper, hardened-runtime entitlements, and notarization metadata; malware analysts inspect load commands, embedded LC_CODE_SIGNATURE, and dyld behavior to identify injection, dylib hijacking, and tampering.
How do you defend against Mach-O?
Defences for Mach-O typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Mach-O?
Common alternative names include: Mach Object, Mach-O binary.
● Related terms
- appsec№ 373
ELF Binary Format
Executable and Linkable Format, the standard binary container for executables, object files, and shared libraries on Linux, BSD, and most System V Unix derivatives.
- appsec№ 809
PE Executable Format
Portable Executable, the Windows binary file format used by .exe, .dll, .sys, and .ocx files and derived from the older COFF object format.
- attacks№ 331
DLL Hijacking
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
- forensics-ir№ 650
Malware Analysis
The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.
- forensics-ir№ 926
Reverse Engineering
The process of disassembling and analyzing compiled software, firmware, or hardware to recover its design, behavior, and inner workings.