APFS has become the de facto file system for MacOS and iOS as for 10.13/10.3- but what do we really know about it? Apple has promised the spec would be released "later this year" ... over two years ago!
Reversing the complex filesystem structures, container blocks, snapshots and trees is a lousy job, but someone had to do it. Jonathan will present the unofficial APFS specification as it appears in Volume II of the "*OS Internals" trilogy, and present a free tool for inspecting and traversing APFS partitions and disk images for MacOS, iOS - and Linux.
From a security point of view, many see Apple's 'walled garden' ecosystem as paradise on earth. And to be fair, Cupertino's products have never suffered from a global epidemic nor are as commonly infected as their Windows counterparts. But is this security, at least on macOS, a facade? Perhaps!
In this talk, we'll start by looking at the public malware threats currently targeting macOS in 2018. Though these specimens are rather unsophisticated, things could much worse. To support this claim, we'll discuss a myriad of recent security flaws in macOS, many such as #iamroot, that should have never have made it into production code! And what about 0days? Maybe we'll drop one as well ;)
Luckily it's not all doom and gloom for Mac users, as Mojave promises to be the most secure version of macOS ever. After examining some of the baked-in security mechanisms of this new OS we'll discuss how 3rd-party security tools still play an essential role ensuring that the Garden remains secure!
Macintosh applications are almost always code signed today, which is a very good thing. Unfortunately, there is a serious flaw in how macOS handles code signatures that can lead to a false sense of security. Most Mac users, and even most Mac admins, are unaware of these flaws.
Because macOS checks code signatures very infrequently, it is easily possible to hijack a legitimate application that is already installed on the system without triggering any kind of code signature check. Worse, most developers are not aware of this, and do not add their own code signature self-checks. This means that there are countless vulnerable Mac applications in existence on the market.
This is extremely easy to exploit, as will be demonstrated. Fortunately, there are also steps that will be described that developers can take to prevent their apps from being abused in this manner, as well as some ways that admins can flag potential problems with applications on their endpoints, or that techs can use while troubleshooting issues.
Although there is currently no malware known to be taking advantage of this issue, it could easily happen in the future. As macOS appears to be behaving as designed, it will fall on the shoulders of developers to ensure their apps are not vulnerable to such threats.
Pattern-of-life data can provide a story about how a device and its user interact with each other. A user using their Mac or iPhone may have no idea how intimate of a picture can be extracted from the analytical data on their devices. An extremely creepy and granular picture in many cases. This data can be used in a variety of forensic investigations from criminal matters to device intrusions but may end of being a privacy nightmare if the data were to fall into the wrong hands.
This data tends to be stored in in a variety of databases and correlation of this data for analysis purposes can be difficult. Each database can hold different type of data, retain it for a different period of time, and have different storage mechanisms for its entries.
Each small seed of data can grow into a database providing delicious fruit that can be harvested to create a damn good apple pie. This presentation will show were each seed is stored, what type of apple it is, how to make the most out of it.
Macs are becoming commonplace in corporate environments as a alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an active directory domain and ripe for attackers to leverage for initial access and lateral movement.
Mac malware is evolving as Apple computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting MacOS systems in a enterprise environment. Despite advancements in MacOS security tooling for a single user/endpoint, little is known and discussed regarding detection at a enterprise level.
This talk will discuss common tactics, techniques and procedures used by attackers on MacOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their MacOS fleet.
Apple has greatly improved macOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented and whether it poses a viable attack vector. What began as a seemingly absurd question ended with full userspace control and a SIP bypass.
In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability and how to exploit the bug to execute code with full system privileges, including the task_for_pid-allow entitlement which grants control over any userspace process. Using this technique, we can then spawn a "rootless shell" in which SIP's filesystem protections are disabled.
The talk will assume basic familiarity with macOS but I'll cover the concepts we'll need (Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation is available online.
It is well understood that traditional anti-virus products struggle to detect advanced Mac malware. To uncover such threats, clearly a behavior-based approach is needed.
We'll begin this talk, by discussing our open-source monitoring framework ('MonitorKit') which passively collects a myriad of system events.
But what good are a steady stream of events, if they cannot be intelligently and efficiently processed? Enter: Apple's built-in game engine. By means of this highly optimized logic engine, we can quickly and efficiently apply analytics against these collected events to detect both anomalous and malicious events!
End result? A comprehensive, extensible detection, response and threat hunting platform. To illustrate the real-world efficacy of this novel approach, we'll pit it against recent Mac malware, which honestly never stood a chance!
In the last few years, MacOS backdoors have become a hot topic in the industry. What used to be a rare occurrence in the wild is happening more and more frequently. As this topic grows in popularity the details on post-exploitation of Mac intrusions remain a mystery.
This talk aims to fill that gap by showing attendees a full Mac intrusion performed by a hostile adversary. Process visualizations, command lines, and other artifacts will be shared from real world intrusions revealing how they got in, what commands were used to move laterally, and how they manually set up their backdoors while trying to fly under the radar. Some Linux attack details will be shared as well due to a lot of tools, techniques, and procedures being cross-platform.
From banking details to glimpses of passwords, there are lots valuable
data elements on your screen. Unfortunately, as far as Apple’s Mac is
concerned this information is up for grabs to whoever gets there
first. This is due to the lack of protections surrounding the pixel
grabbing API’s of the operating system. With ease of access to
computer vision libraries and services, attackers can track screens at
scale to pick out only the useful information.
Apple ships a screen capture utility to make it easy for the user to
take screenshots. In this presentation, we will lift the bonnet of
this utility to learn about the API’s surrounding screen grabbing.
Armed with the knowledge, we will explore discovered malware that
takes screenshots. Then, we will build better, stealthier malware as
an educational exercise. And finally, we will explore some options for
improving security of the operating system so that the user can
continue enjoying the convenience of taking screenshots but malware
would have to work harder.