Glossary

AMFI

Apple Mobile File Integrity: the kernel extension that enforces code signing on macOS and iOS and, as a MACF policy, answers most of the kernel's "is this caller allowed to do that?" questions for security-sensitive operations.

AMFI ("Apple Mobile File Integrity") is the kernel extension that owns code-signing enforcement on Apple platforms. Its name reflects its iOS origins, but it is just as central on macOS: AppleMobileFileIntegrity.kext is part of the boot kext collection and is loaded on every boot. Signatures the kernel cannot validate on its own (anything not covered by the trust cache or a platform certificate) are handed to the user-space daemon amfid, whose yes/no answer AMFI enforces.

AMFI's responsibilities include:

  • Validating code signatures before a Mach-O binary is allowed to execute or be mapped. The kernel's code-signing layer does the hashing; AMFI's hooks decide whether the signature is trusted (trust cache, Apple platform signing, or a verdict from amfid) and veto the exec when it is not.
  • Enforcing library validation. A process with library validation on (explicitly via the CS_REQUIRE_LV flag, or implicitly under the hardened runtime) may only load libraries that are Apple-signed or signed with the same Team ID as the main executable. This is the mechanism that defeats most DYLD_INSERT_LIBRARIES injection, unless the binary opts out with the com.apple.security.cs.disable-library-validation entitlement.
  • Evaluating entitlements. AMFI parses the entitlements blob out of the code signature, and when code asks the kernel for a privileged operation (task_for_pid, csops, debugger attachment) AMFI is the policy that answers "does the caller hold the entitlement this operation requires?".
  • Gating dyld hardening primitives: whether a process may honour DYLD_* environment variables at all (restricted binaries are marked CS_RESTRICT; hardened-runtime binaries need com.apple.security.cs.allow-dyld-environment-variables), as well as dyld shared-cache reslide.
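As an added example (not AMFI's or Apple's code), the following Python models the library-validation and dyld-environment rules above, driven by the text output of codesign. It assumes XML entitlements as printed by `codesign -d --entitlements - --xml` (or `--entitlements :-` on older releases), takes the CS_* bit values from XNU's sys/codesign.h, treats the disable-library-validation entitlement as switching library validation off regardless of what turned it on (a simplification), and the codesign output and entitlement plists it parses are constructed samples, not captured from a real binary.

```python
"""Added example, not AMFI's code: a model of AMFI's library-validation and
DYLD_* environment gates, fed with (constructed) `codesign` output."""
import plistlib
import re

# Bit values from XNU's <sys/codesign.h> (an assumption of this model).
CS_RESTRICT = 0x0800      # restricted binary: dyld ignores DYLD_* variables
CS_REQUIRE_LV = 0x2000    # explicit library-validation flag (codesign -o library)
CS_RUNTIME = 0x10000      # hardened runtime; implies library validation

DISABLE_LV_ENT = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV_ENT = "com.apple.security.cs.allow-dyld-environment-variables"
APPLE = "apple"           # marker for a platform (Apple-signed) library


def parse_cs_flags(codesign_dvv: str) -> int:
    """Pull the CodeDirectory flags word out of `codesign -dvv` output."""
    m = re.search(r"\bflags=0x([0-9a-fA-F]+)", codesign_dvv)
    return int(m.group(1), 16) if m else 0


def parse_team_id(codesign_dvv: str):
    """Team ID of the main executable; None if 'not set' (Apple or ad-hoc)."""
    m = re.search(r"^TeamIdentifier=(.+)$", codesign_dvv, re.M)
    if not m or m.group(1).strip() == "not set":
        return None
    return m.group(1).strip()


def parse_entitlements(plist_xml: bytes) -> dict:
    """Entitlements as a dict; empty when the binary carries none."""
    return plistlib.loads(plist_xml) if plist_xml.strip() else {}


def library_validation_enforced(flags: int, ents: dict) -> bool:
    """LV is on if the flag or the hardened runtime says so and nothing opts out."""
    if not flags & (CS_REQUIRE_LV | CS_RUNTIME):
        return False
    return not bool(ents.get(DISABLE_LV_ENT, False))


def library_may_load(main_team_id, lv_enforced: bool, lib_signer) -> bool:
    """lib_signer: APPLE, a Team ID string, 'adhoc', or None for unsigned.
    Signature validity itself is a separate check not modelled here."""
    if not lv_enforced:
        return True                      # LV off: signer identity not compared
    if lib_signer == APPLE:
        return True                      # platform code is always acceptable
    return main_team_id is not None and lib_signer == main_team_id


def dyld_env_honoured(flags: int, ents: dict, platform_binary=False, setuid=False) -> bool:
    """Will dyld honour DYLD_INSERT_LIBRARIES and friends for this process?"""
    if platform_binary or setuid or flags & CS_RESTRICT:
        return False
    if flags & CS_RUNTIME and not ents.get(ALLOW_DYLD_ENV_ENT, False):
        return False
    return True


def injection_triage(codesign_dvv: str, ent_plist: bytes, lib_signer) -> dict:
    """Would a DYLD_INSERT_LIBRARIES injection of lib_signer's dylib succeed?"""
    flags = parse_cs_flags(codesign_dvv)
    ents = parse_entitlements(ent_plist)
    team = parse_team_id(codesign_dvv)
    lv = library_validation_enforced(flags, ents)
    env = dyld_env_honoured(flags, ents)
    loads = library_may_load(team, lv, lib_signer)
    return {"flags": flags, "team_id": team, "library_validation": lv,
            "dyld_env": env, "library_loads": loads,
            "insert_libraries_works": env and loads}


# Constructed sample of `codesign -dvv` output for a Developer ID app
# built with the hardened runtime (flags=0x10000).
HARDENED_APP = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8972
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

NO_ENTITLEMENTS = b""
# Constructed entitlements plist for an app that opted out of both gates.
OPTED_OUT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for label, ents in (("hardened, no opt-outs", NO_ENTITLEMENTS),
                        ("hardened, LV and DYLD env opted out", OPTED_OUT_ENTITLEMENTS)):
        print(label, injection_triage(HARDENED_APP, ents, "ATTACKER01"))
```

Run against a real target by piping `codesign -dvv` and the entitlements dump into the two parsers; the interesting output is insert_libraries_works, which is False for the plain hardened-runtime app (dyld drops the variable, and even a manually loaded attacker dylib fails the Team ID comparison) and True only once both opt-out entitlements are present.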

AMFI is implemented as a MACF (Mandatory Access Control Framework) policy module, so it registers hooks in the same framework as Sandbox.kext and the Endpoint Security kext. Every registered policy gets a vote on each hooked operation, and a single deny from any of them blocks it. TCC is not a MACF policy: it is enforced in user space by tccd, which the frameworks and the sandbox consult.

For security research, AMFI is the wall you keep hitting. Most of macOS's "only Apple binaries may do this" behaviour is enforced here, by checking the caller's entitlement set for an Apple-only entitlement such as com.apple.system-task-ports or com.apple.private.tcc.allow. A third-party binary cannot simply claim one: AMFI only honours restricted entitlements on Apple-signed code (or on developer-signed code whose provisioning profile grants them), so a self-signed binary carrying com.apple.private.tcc.allow gains nothing and, with SIP enabled, is typically killed at launch. The usual research escape hatch is to disable SIP and set the amfi_get_out_of_my_way=1 boot-arg, which turns enforcement off entirely.