
SecCodeCheckValidity:

Performs dynamic validation of signed code.

SecStaticCodeCheckValidity

Validates a static code object.

This function obtains and verifies the signature on the code specified by the code object. It checks the validity of all sealed components, including resources (if any). It validates the code against a code requirement if one is specified. The call succeeds if all these conditions are satisfactory. This call is only secure if the code is not subject to concurrent modification, and the outcome is only valid as long as the code remains unmodified. If the underlying file system has dynamic characteristics, such as a network file system, union mount, or FUSE, you must consider how secure the code is from modification after validation.

So given this description from Apple's code signing documentation, it is not clear what they mean by "dynamic characteristics" here.

PnotNP

1 Answer


SecStaticCodeCheckValidity verifies the application on disk. In contrast, SecCodeCheckValidity verifies the application in memory against the same requirements while it is running.

This attempts to prevent modification via hijacking, injection or other traditional methods of mutating in-memory code by checking if it is still code-signed with a valid signature.

I remember hearing that distinction somewhere during WWDC '09, correct me if I am wrong.

If you want to check whether some running code is signed by Apple and not some designated requirement specified by the programmer, you want:

SecRequirementCreateWithString(CFSTR("anchor apple"), ...)

and then pass the result from SecRequirementRef to SecCodeCheckValidity. There is no need to interact with the designated requirement in this case, since you've already decided what code is acceptable to you, which is anything signed by Apple.

In production code, you can use csreq(1) to compile a binary version of "anchor apple" and use SecRequirementCreateWithData instead of SecRequirementCreateWithString, which is faster.

craidz