The Mach Object (Mach-O) is the binary format used on Apple’s operating systems for executables, libraries, and object code. It was created for the Mach kernel (hence the name) and introduced in NeXTSTEP, the predecessor to macOS, as a replacement for the a.out format.
Mach-O’s design supports multiple architectures (via universal binaries) and carries its metadata in load commands.
In this post, we’ll explore Mach-O’s layout and history. Then, we will examine how Macs use Mach-O for code signing integrity and for Pointer Authentication Codes (PAC) on ARM64e systems.
Mach-O structure and format basics
A Mach-O is organized into three regions: a header, a list of load commands, and the data segments/sections.
Mach-O header
The header identifies the file as Mach-O and specifies the target architecture and binary type. It begins with a magic number (e.g., 0xfeedfacf for 64-bit Mach-O) to indicate endianness and 32/64-bit format. It also contains the CPU type and CPU subtype, which show the required architecture (e.g., CPU_TYPE_X86_64 or CPU_TYPE_ARM64).
For example, Apple Silicon binaries often use CPU type ARM64 with subtype ARM64e for PAC support.
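The header checks described above, as an added example (not code from the original post): a small parser for the fixed Mach-O header that derives word size and byte order from the magic, masks the flag byte off the CPU subtype, and rejects truncated or inconsistent input. The function name and the sample bytes are constructed for illustration; the numeric constants are the ones in Apple's public headers.

```python
import struct

# Values from Apple's <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
# Key: magic read big-endian from disk -> (word size, struct byte order of the fields)
MAGICS = {
    0xFEEDFACE: (32, ">"), 0xCEFAEDFE: (32, "<"),
    0xFEEDFACF: (64, ">"), 0xCFFAEDFE: (64, "<"),
}
FAT_MAGICS = (0xCAFEBABE, 0xCAFEBABF)   # universal binary; 0xCAFEBABE is also a Java class file
CPU_TYPES = {0x01000007: "CPU_TYPE_X86_64", 0x0100000C: "CPU_TYPE_ARM64"}
CPU_SUBTYPE_LOW = 0x00FFFFFF            # top byte holds feature/ABI flags, not the subtype
CPU_SUBTYPE_ARM64E = 2

def parse_macho_header(data: bytes) -> dict:
    """Parse a thin Mach-O header, rejecting anything malformed instead of guessing."""
    if len(data) < 4:
        raise ValueError("truncated: no magic")
    (magic,) = struct.unpack(">I", data[:4])
    if magic in FAT_MAGICS:
        return {"kind": "universal"}    # per-architecture slices follow the fat header
    if magic not in MAGICS:
        raise ValueError(f"not Mach-O: magic {magic:#010x}")
    bits, order = MAGICS[magic]
    hdr_size = 32 if bits == 64 else 28  # mach_header_64 adds a reserved word
    if len(data) < hdr_size:
        raise ValueError("truncated header")
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, _flags = struct.unpack(
        order + "6I", data[4:28])
    if hdr_size + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")
    subtype = cpusubtype & CPU_SUBTYPE_LOW
    return {
        "kind": "thin", "bits": bits,
        "endian": "little" if order == "<" else "big",
        "cputype": CPU_TYPES.get(cputype, hex(cputype)),
        "cpusubtype": subtype, "filetype": filetype, "ncmds": ncmds,
        "arm64e": cputype == 0x0100000C and subtype == CPU_SUBTYPE_ARM64E,
    }

# Constructed sample: a bare 64-bit little-endian arm64e header (filetype 2 = MH_EXECUTE).
SAMPLE_ARM64E = struct.pack("<8I", 0xFEEDFACF, 0x0100000C, 0x80000002, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    print(parse_macho_header(SAMPLE_ARM64E))
```

Comparing the raw subtype field against 2 without masking would miss the sample above, because its top byte carries flag bits.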