
Objective-C Plugin Architecture Security (Mac, not iPhone)

I'm possibly writing a plugin system for a Cocoa application (Mac, not iPhone).

A common approach is to make each plugin a bundle, then inject the bundle into the main application. I'm concerned with the security implications of doing this, as the bundle will have complete access to the Objective-C runtime. I am especially concerned with a plugin having access to the code that handles registration and serial keys.

Another plugin system we are considering is based on distributed notifications. Basically, each plugin will be a separate process, and they will communicate via distributed notifications only.

Is there a way to load bundles securely (e.g. sandboxing)? If not, do you see any problems with using distributed notifications? Are there any other plugin architectures that would be better?

Likes: 208
Asked by Tom Dalling, May 13 '10 02:05


1 Answer

Yes, OS X has sandboxing support on a per-process level. The only open-source third-party client I'm aware of is Chrome. You could also investigate a wrapper such as Native Client.

That said, there's really no point in trying to sandbox plugins for security reasons, unless you're loading untrusted plugins or content over the network (i.e. a web browser). If someone wants to crack your application locally, they can just use a debugger, DTrace, etc.

What IPC mechanism you use between your app and plugin processes really depends on the type of communication you're doing. Intermachine Distributed Objects (I assume that's what you meant to write) is certainly not a bad choice for most purposes, but you wouldn't want to send video over it. You might check out CoreIPC, which the under-development WebKit2 uses; it works over Mach ports.

Likes: 97
Answered by Nicholas Riley, Sep 22 '22 10:09
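The out-of-process design the answer points to, as an added example that is not code from the question or the answer: the host vends one object over Distributed Objects, the plugin runs as a separate process launched under a per-process sandbox, and the only host surface the plugin can reach is the methods in the `HostServices` protocol (an in-process bundle, by contrast, can message any object in the runtime). The service name, the `sandbox-exec` `no-network` profile and the single-binary host/plugin layout are assumptions for the illustration; NSConnection and `sandbox-exec` were current when this was asked and have since been deprecated by Apple.

```objc
// Added example: process-isolated plugin talking to its host over a narrow
// Distributed Objects protocol. Not the question's or the answer's code.
// Build: clang -framework Foundation -o plugin_host plugin_host.m
// Run:   ./plugin_host          (acts as the host and spawns itself as the plugin)
#import <Foundation/Foundation.h>
#include <string.h>

// Everything the plugin is allowed to call on the host. Nothing else is reachable.
@protocol HostServices
- (bycopy NSString *)documentTitle;
- (oneway void)logMessage:(in bycopy NSString *)message;
@end

@interface HostVendor : NSObject <HostServices>
@end
@implementation HostVendor
- (NSString *)documentTitle { return @"Untitled.txt"; }
- (oneway void)logMessage:(NSString *)message { NSLog(@"plugin says: %@", message); }
@end

static NSString *const kServiceName = @"com.example.pluginhost";  // assumed service name

static int runPlugin(void) {
    // The plugin process gets a proxy to the vended object and nothing more.
    id<HostServices> host = (id<HostServices>)
        [NSConnection rootProxyForConnectionWithRegisteredName:kServiceName host:nil];
    if (!host) { NSLog(@"plugin: host not reachable"); return 1; }
    [(NSDistantObject *)host setProtocolForProxy:@protocol(HostServices)];
    [host logMessage:[NSString stringWithFormat:@"title is %@", [host documentTitle]]];
    return 0;
}

static int runHost(const char *selfPath) {
    HostVendor *vendor = [[HostVendor alloc] init];
    NSConnection *conn = [NSConnection serviceConnectionWithName:kServiceName rootObject:vendor];
    if (!conn) { NSLog(@"host: could not register %@", kServiceName); return 1; }
    // Spawn the plugin as its own process inside a per-process sandbox
    // (profile name assumed; Mach lookups stay allowed, network is denied).
    NSTask *plugin = [[NSTask alloc] init];
    plugin.launchPath = @"/usr/bin/sandbox-exec";
    plugin.arguments = @[@"-n", @"no-network", [NSString stringWithUTF8String:selfPath], @"--plugin"];
    [plugin launch];
    // Service incoming DO requests on the run loop until the plugin exits.
    while ([plugin isRunning])
        [[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:0.1]];
    return plugin.terminationStatus;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        return (argc > 1 && strcmp(argv[1], "--plugin") == 0) ? runPlugin() : runHost(argv[0]);
    }
}
```

Narrowing the protocol is where the security boundary lives: registration and serial-key code stays in the host process and is never part of the vended interface, and the sandbox profile limits what the plugin process can do on its own.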