Mach-O (macOS/iOS) Security Rules
Rules for analyzing Mach-O binaries on macOS and iOS.
Memory Protection
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5001 | EnablePositionIndependentExecutableMachO | Error | Enable PIE for ASLR |
| AD5002 | DoNotAllowExecutableStack | Error | Non-executable stack |
| AD5005 | DoNotAllowExecutableHeap | Warning | Non-executable heap |
| AD5012 | ValidateSegmentPermissions | Warning | Validate segment permissions |
Stack Protection
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5003 | EnableStackProtectorMachO | Error | Enable stack canaries |
| AD5004 | UseFortifiedFunctionsMachO | Warning | Use FORTIFY_SOURCE |
| AD5024 | EnableStackClashProtectionMachO | Warning | Stack clash protection |
Control Flow (ARM64)
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5007 | EnableArmPACMachO | Warning | ARM Pointer Authentication |
| AD5025 | EnableControlFlowIntegrityMachO | Warning | Clang CFI |
| AD5026 | EnableArmBTIMachO | Warning | ARM Branch Target Identification |
| AD5029 | EnableArmMTEMachO | Warning | ARM Memory Tagging Extension |
Code Signing
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5011 | RequireCodeSignature | Warning | Require code signature |
| AD5031 | CheckNotEncrypted | Note | Check encryption status |
Linker Settings
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5006 | UseTwoLevelNamespace | Warning | Use two-level namespace |
| AD5009 | DoNotUseWeakDylib | Warning | Avoid weak dylib linking |
| AD5018 | RequireMinimumOSVersion | Warning | Require minimum OS version |
| AD5019 | UseRestrictSegment | Note | Use __RESTRICT segment |
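Most of the Memory Protection, Code Signing and Linker Settings rules above can be decided from the Mach-O header flags and load commands alone. The checker below is an added example, not the analyzer's own code: it parses a little-endian 64-bit Mach-O, walks the load-command table with bounds checks, and evaluates AD5001, AD5002, AD5005, AD5006, AD5009, AD5011, AD5012, AD5018 and AD5019, and reports the encryption status that AD5031 is about. Assumptions, marked in the comments: AD5005 is keyed on the MH_NO_HEAP_EXECUTION header flag, AD5012 is read as "no segment is both writable and executable", the sample image is constructed and not runnable, and the weak dylib name `/usr/lib/libexample.dylib` is made up. Fat binaries, 32-bit images and symbol-table rules are out of scope.

```python
"""Mach-O header / load-command checker (added example, not the analyzer's own code)."""
import struct

# Constants from <mach-o/loader.h> and <mach/vm_prot.h>
MH_MAGIC_64, MH_EXECUTE = 0xFEEDFACF, 0x2
MH_TWOLEVEL, MH_ALLOW_STACK_EXECUTION = 0x80, 0x20000
MH_PIE, MH_NO_HEAP_EXECUTION = 0x200000, 0x1000000
LC_SEGMENT_64, LC_CODE_SIGNATURE, LC_ENCRYPTION_INFO_64 = 0x19, 0x1D, 0x2C
LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_BUILD_VERSION = 0x24, 0x25, 0x32
LC_LOAD_WEAK_DYLIB = 0x80000018            # 0x18 | LC_REQ_DYLD
VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE = 0x1, 0x2, 0x4
HDR, LC, SEG = "<IiiIIIII", "<II", "<II16sQQQQiiII"   # mach_header_64, load_command, segment_command_64


def parse_macho(data):
    """Return (flags, filetype, [(cmd, raw_bytes)]); every load command is bounds-checked."""
    hdr_len = struct.calcsize(HDR)
    if len(data) < hdr_len:
        raise ValueError("too short for mach_header_64")
    magic, _cpu, _sub, filetype, ncmds, sizeofcmds, flags, _ = struct.unpack_from(HDR, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit not handled here)")
    off, end, cmds = hdr_len, hdr_len + sizeofcmds, []
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from(LC, data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        cmds.append((cmd, data[off:off + cmdsize]))
        off += cmdsize
    return flags, filetype, cmds


def check_rules(data):
    """Map rule id -> True (pass) / False (fail), plus the evidence behind failures."""
    flags, filetype, cmds = parse_macho(data)
    kinds = {cmd for cmd, _ in cmds}
    wx, weak, restrict, encrypted = [], [], False, False
    for cmd, raw in cmds:
        if cmd == LC_SEGMENT_64 and len(raw) >= struct.calcsize(SEG):
            fields = struct.unpack_from(SEG, raw)
            segname, initprot = fields[2].rstrip(b"\0").decode("ascii", "replace"), fields[8]
            if initprot & VM_PROT_WRITE and initprot & VM_PROT_EXECUTE:
                wx.append(segname)                      # W^X violation
            if segname == "__RESTRICT":
                restrict = True
        elif cmd == LC_LOAD_WEAK_DYLIB and len(raw) >= 24:
            name_off = struct.unpack_from("<I", raw, 8)[0]   # dylib.name string offset
            weak.append(raw[name_off:].split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_ENCRYPTION_INFO_64 and len(raw) >= 20:
            if struct.unpack_from("<I", raw, 16)[0] != 0:   # cryptid != 0: FairPlay-encrypted
                encrypted = True
    return {
        "AD5001": filetype != MH_EXECUTE or bool(flags & MH_PIE),   # PIE is an executable property
        "AD5002": not (flags & MH_ALLOW_STACK_EXECUTION),
        "AD5005": bool(flags & MH_NO_HEAP_EXECUTION),   # assumption: the rule keys on this flag
        "AD5006": bool(flags & MH_TWOLEVEL),
        "AD5009": not weak,
        "AD5011": LC_CODE_SIGNATURE in kinds,
        "AD5012": not wx,                               # assumption: rule means no W+X segment
        "AD5018": bool(kinds & {LC_BUILD_VERSION, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS}),
        "AD5019": restrict,
        "encrypted": encrypted,                         # status that AD5031 reports on
        "wx_segments": wx, "weak_dylibs": weak,
    }


def build_sample(pie=True, wx=False, weak_dylib=None, signed=True):
    """Constructed, non-runnable arm64 executable image for exercising the checks."""
    def seg(name, prot):
        return struct.pack(SEG, LC_SEGMENT_64, struct.calcsize(SEG), name.ljust(16, b"\0"),
                           0, 0x4000, 0, 0x4000, 7, prot, 0, 0)
    cmds = [seg(b"__TEXT", VM_PROT_READ | VM_PROT_EXECUTE),
            seg(b"__DATA", VM_PROT_READ | VM_PROT_WRITE | (VM_PROT_EXECUTE if wx else 0)),
            struct.pack("<IIIIII", LC_BUILD_VERSION, 24, 1, 0x000D0000, 0x000D0000, 0)]  # macOS 13.0
    if weak_dylib:                                      # hypothetical dylib path supplied by caller
        name = weak_dylib.encode() + b"\0"
        size = 24 + len(name) + (-len(name) % 8)
        cmds.append(struct.pack("<IIIIII", LC_LOAD_WEAK_DYLIB, size, 24, 0, 0x10000, 0x10000)
                    + name.ljust(size - 24, b"\0"))
    if signed:
        cmds.append(struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x8000, 0x100))
    body = b"".join(cmds)
    flags = MH_TWOLEVEL | MH_NO_HEAP_EXECUTION | (MH_PIE if pie else 0)
    return struct.pack(HDR, MH_MAGIC_64, 0x0100000C, 0, MH_EXECUTE, len(cmds), len(body), flags, 0) + body


if __name__ == "__main__":
    hardened = build_sample()
    weak = build_sample(pie=False, wx=True, weak_dylib="/usr/lib/libexample.dylib", signed=False)
    for label, img in (("hardened", hardened), ("weak", weak)):
        print(label, check_rules(img))
```

On a real file, `check_rules(open(path, "rb").read())` gives the same dictionary; the bounds checks in `parse_macho` matter there, since a crafted `sizeofcmds` or `cmdsize` is exactly how a malformed binary would try to walk the parser out of the buffer.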
Clang-Specific
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5008 | EnableClangSafeStackMachO | Warning | Enable SafeStack |
| AD5027 | EnableSpeculativeLoadHardeningMachO | Warning | Speculative load hardening |
Objective-C
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5010 | EnableAutomaticReferenceCounting | Warning | Enable ARC |
Compiler & Optimization
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5017 | EnableLTOMachO | Note | Enable LTO |
| AD5028 | EnableOptimizationMachO | Note | Enable optimization |
| AD5030 | EnableExceptionHandlingMachO | Warning | Exception handling |
| AD5040 | DoNotUseUncheckedOptimization | Warning | Safe optimizations |
Rust-Specific
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5020 | RustEnableSanitizersMachO | Note | Rust sanitizers |
| AD5021 | RustEnableSecureSourceHashMachO | Note | Secure source hashing |
| AD5022 | RustMachOEnableLTO | Note | Rust LTO |
Sanitizers (Development)
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5014 | UseAddressSanitizer | Note | AddressSanitizer |
| AD5023 | EnableUBSanMachO | Note | UndefinedBehaviorSanitizer |
Supply Chain
| Rule | Name | Severity | Description |
|------|------|----------|-------------|
| AD5013 | DoNotUseBannedApisMachO | Warning | Banned API usage |
| AD5015 | DoNotStaticallyLinkOpenSSL | Warning | Don't statically link OpenSSL |
| AD5016 | NoUnicodeSymbolsMachO | Warning | No Unicode in symbols |
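The Stack Protection rules (AD5003, AD5004) and two of the Supply Chain rules (AD5013, AD5016) are decided from the binary's import table rather than its header. The script below is an added example, not the analyzer's code: it takes the undefined-symbol list as printed by `nm -u <binary>` (the last token of each line is used, so plain `nm` output with a `U` column also works), looks for the `___stack_chk_fail`/`___stack_chk_guard` pair that `-fstack-protector` emits, for `___*_chk` imports that `_FORTIFY_SOURCE` produces, for calls on a banned list, and for symbols containing non-ASCII characters, which it reports by code point and Unicode name so a homoglyph is visible. Assumptions, marked in the code: the banned list is illustrative since the page does not publish the analyzer's own, and the sample `nm` output is constructed.

```python
"""Import-table triage for the symbol-based rules (added example, not the analyzer's code)."""
import re
import unicodedata

# Assumption: illustrative banned list; the page does not publish the analyzer's own.
BANNED = {"_gets", "_strcpy", "_strcat", "_sprintf", "_vsprintf"}
FORTIFIED = re.compile(r"^___\w+_chk$")                # ___memcpy_chk, ___snprintf_chk, ...
CANARY = {"___stack_chk_fail", "___stack_chk_guard"}   # both imported when -fstack-protector is on


def parse_nm_u(text):
    """Symbol names from nm output, skipping blank lines and 'file.o:' banners."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        names.append(line.split()[-1])
    return names


def describe_non_ascii(symbol):
    """Code point and Unicode name of every non-ASCII character (homoglyph triage)."""
    return ["U+%04X %s" % (ord(c), unicodedata.name(c, "UNNAMED")) for c in symbol if ord(c) > 0x7F]


def check_symbols(symbols):
    """Pass/fail per rule plus the evidence for each failure."""
    syms = sorted(set(symbols))
    banned = [s for s in syms if s in BANNED]
    non_ascii = [(s, describe_non_ascii(s)) for s in syms if not s.isascii()]
    return {
        "AD5003": CANARY <= set(syms),
        "AD5004": any(FORTIFIED.match(s) for s in syms),
        "AD5013": not banned, "AD5013_hits": banned,
        "AD5016": not non_ascii, "AD5016_hits": non_ascii,
    }


# Constructed sample: what `nm -u` might print for a small C tool built with
# -fstack-protector and _FORTIFY_SOURCE, plus two banned calls and one symbol
# whose "е" is Cyrillic U+0435, which renders like ASCII "e" in most fonts.
SAMPLE_NM_U = """
___memcpy_chk
___stack_chk_fail
___stack_chk_guard
___snprintf_chk
_gets
_malloc
_strcpy
_rеsolve_config
dyld_stub_binder
"""

if __name__ == "__main__":
    for rule, result in sorted(check_symbols(parse_nm_u(SAMPLE_NM_U)).items()):
        print(rule, result)
```

The canary check requires both symbols because `___stack_chk_guard` alone can be pulled in by a library, while the pair is what the compiler emits for a protected function prologue; the `_chk` match is deliberately narrow so the canary's own `___stack_chk_fail` does not count as a fortified call.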