CF
Uploaded byCsaba Fitzl
PDF, PPTX465 views

Mitigating Exploits Using Apple's Endpoint Security

The document discusses methods for mitigating exploits on macOS, focusing on process injection attacks, symlink attacks, and the functionality of the endpoint security framework. It highlights various vulnerabilities, the importance of different security mechanisms, and the development process of a security application called 'shield.app'. Additionally, it covers challenges in obtaining entitlements needed for the application and emphasizes the framework's capability to detect and block logic attacks.

Embed presentation

Download as PDF, PPTX
Mitigating exploits using Apple's Endpoint Security Csaba Fitzl Twitter: @theevilbit
whoami • author of "macOS Control Bypasses" @ Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
agenda 1. process injection attacks 2. symlink attacks 3. Endpoint Security framework 4. developing the app 5. the app's logic 6. demos
process injection attacks
why important? • process injection is a big ⛔ on macOS • access to process's privileges • TCC • keychain • impersonate XPC client (XPC LPEs) • impersonate KEXT client
DYLD_INSERT_LIBRARIES • classic • SIP kills it (hardened runtime, platform binaries) • still can enable it with entitlement -> if possible don't 🙏
DYLIB hijacking and proxying • discussed in detail by Patrick Wardle in 2015 • plant a dylib the app looks for, or replace one with your own • SIP / library validation kills it • still can enable it with entitlement -> NOOOO!!!! • problem: app needs to support 3rd party plugins => bypass TCC (Apple & 3rd parties)
task for pid • inject by getting the task port • ⚠ debug builds with bad entitlement ⚠ • SIP kills this • notarization checks for `com.apple.security.get-task-allow`
Electron • so much broken • env vars • debug ports
vulnerabilities • CVE-2020-26893 - ClamXAV AntiVirus XPC LPE • CVE-2020-29621 - coreaudiod TCC bypass • CVE-2020-25736 - Acronis True Image 2021 XPC LPE • CVE-2020-24259 - Signal macOS TCC bypass • CVE-2020-14978 - F-Secure XPC • ...
symlink attacks
the approach • process running as root writes or modi fi es fi les at a user controllable location • place a symlink or hardlink, pointing to a root accessible location
vulnerabilities • CVE-2020-9900 - Crash Reporter LPE • CVE-2021-1786 - Crash Reporter arbitrary fi le deletion • CVE-2020-3855 - macOS DiagnosticMessages arbitrary fi le overwrite • CVE-2020-3762 - Adobe installer LPE • ...
MACF - Mandatory Access Control Framework
MACF • origin: TrustedBSD MAC • implemented in kernel • policy modules extend the kernel • can place hooks in supported location • very powerful
MACF • very - very powerful • was part of KDK till OS X 10.12 (never of fi cially supported) • mac.h header was removed • available in xnu: `security/mac.h`, `security/mac_framework.h` • examples: AppleMobileFileIntegrity, Sandbox, EndpointSecurity, Quarantine (=Gatekeeper)
MACF • typical callout from xnu: mac_......
MACF
MACF • MAC_CHECK • iterates over all policy frameworks • mpo_... (mac_policy.h)
Endpoint Security
ES • KEXT - MACF, kauth • dylib - C API for clients • endpointsecurityd - loading SEXT via launchd • sysextd - validation and copy • SystemExtension.framework - activation and deactivation of the extension • systemextensionsctl - basic control of sysxextd • more: Scott Knight's OBTS talk 1: Scott Knight, https://knight.sc/reverse%20engineering/2019/10/31/macos-catalina-privilege-escalation.html
ES • MACF policy (EndpointSecurity) • ~60 hooks
ES • user mode events are mapped to kernel MACF hooks • examples: • ES_EVENT_TYPE_NOTIFY_CHROOT - es_vnode_check_chroot • ES_EVENT_TYPE_NOTIFY_MOUNT - es_mount_check_mount_late • ES_EVENT_TYPE_NOTIFY_MMAP - es_ fi le_check_mmap • ES_EVENT_TYPE_AUTH_GET_TASK - es_proc_check_get_task
ES • very powerful!!! • extending MACF to user mode • MACF was never of fi cially supported • now we have in user mode ❤
Shield.app development
requirements • entitlement: com.apple.developer.endpoint-security.client • Apple's good will
getting entitled • 2020 March - requested ES entitlement • 2020 April - got developer version • 2020 - emails going to "black hole" at Apple • ... • 2021 January - got the entitlement • frustration, demotivation, annoyed, extremely bad experience - luckily I don't do this for living
sources • used Patrick Wardle's ProcessMonitor and FileMonitor • also reviewed Stephen Davis’s Crescendo
es_client
the logic
ES_EVENT_TYPE_AUTH_EXEC • checks: • argument • --inspect, --inspect-brk, --remote-debugging-port • environment variables • DYLD_INSERT_LIBRARIES • CFNETWORK_LIBRARY_PATH • RAWCAMERA_BUNDLE_PATH • ELECTRON_RUN_AS_NODE
ES_EVENT_TYPE_AUTH_GET_TASK
ES_EVENT_TYPE_AUTH_MMAP • dylib injection protection • "enforce" library validation • slow - disk I/O
ES_EVENT_TYPE_AUTH_LINK • event for hardlinks • low privilege process isn't allowed to point to high privilege location
ES_EVENT_TYPE_NOTIFY_CREATE • track symbolic links • low privilege process isn't allowed to point to high privilege location • detect only - don't know the target before creation
demo - w/o Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
demo
demo - w/ Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
wrap up • injection and fi le link attacks responsible for many logic bugs • ES framework is based on MACF • ES extends MACF to user mode, very powerful • can be used to detect and block logic attacks • it's a pain to get the ES entitlement
Csaba Fitzl Twitter: @theevilbit
Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X Jailbreak Security Summit 2015
Links • http://www.trustedbsd.org/mac.html • https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ • https://www.offensive-security.com/offsec/am fi -syscall/ • https://www.semanticscholar.org/paper/New-approaches-to-operating-system-security-Watson/ f89682c6cf943ce349031270e685ee2dddee9376 • https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html • http://newosxbook.com/articles/eps.html • https://github.com/xorrior/goesf/blob/master/appmon.m • https://github.com/theevilbit/Shield
Icons • fl aticon.com • xnimrodx • Freepik

More Related Content

PDF
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
PDF
20+ ways to bypass your mac os privacy mechanisms
byCsaba Fitzl
 
PDF
Exploiting XPC in AntiVirus
byCsaba Fitzl
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
byCsaba Fitzl
 
Exploiting XPC in AntiVirus
byCsaba Fitzl
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Security Testing Training With Examples
byAlwin Thayyil
 

What's hot

PDF
A plenarily integrated SIEM solution and it’s Deployment
byBangladesh Network Operators Group
 
PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PPTX
Windows privilege escalation by Dhruv Shah
byOWASP Delhi
 
PDF
Certified Pre-Owned
byWill Schroeder
 
PDF
ReCertifying Active Directory
byWill Schroeder
 
PPTX
File inclusion
byAaftabKhan14
 
PDF
Hacking SIP Like a Boss!
byFatih Ozavci
 
PDF
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PDF
OWASP Mobile Top 10
byNowSecure
 
PPTX
Docker Container Security
bySuraj Khetani
 
PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PDF
Siber Saldırı Aracı Olarak DDoS
byBGA Cyber Security
 
PDF
The fundamentals of Android and iOS app security
byNowSecure
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
ODP
Virtual Box Presentation
byPete DuMelle
 
A plenarily integrated SIEM solution and it’s Deployment
byBangladesh Network Operators Group
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Windows privilege escalation by Dhruv Shah
byOWASP Delhi
 
Certified Pre-Owned
byWill Schroeder
 
ReCertifying Active Directory
byWill Schroeder
 
File inclusion
byAaftabKhan14
 
Hacking SIP Like a Boss!
byFatih Ozavci
 
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
OWASP Mobile Top 10
byNowSecure
 
Docker Container Security
bySuraj Khetani
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Attacking thru HTTP Host header
bySergey Belov
 
Siber Saldırı Aracı Olarak DDoS
byBGA Cyber Security
 
The fundamentals of Android and iOS app security
byNowSecure
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Virtual Box Presentation
byPete DuMelle
 

Similar to Mitigating Exploits Using Apple's Endpoint Security

PDF
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
byMITRE ATT&CK
 
PDF
Csaba fitzl - Mount(ain) of Bugs
byCsaba Fitzl
 
PDF
Abusing & Securing XPC in macOS apps
bySecuRing
 
PDF
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
byStefan Esser
 
PDF
Qubes os presentation_to_clug_20150727
bycsirac2
 
PDF
20+ Ways to Bypass Your macOS Privacy Mechanisms
bySecuRing
 
PDF
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
byPriyanka Aash
 
PDF
Bash-ing brittle indicators: Red teaming mac-os without bash or python
byCody Thomas
 
PDF
Linux Kernel Security Overview - KCA 2009
byJames Morris
 
PDF
Synack Shakacon OSX Malware Persistence
byIvan Einstein
 
PDF
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
byFelipe Prado
 
PDF
Exploiting Directory Permissions on macOS
byCsaba Fitzl
 
PDF
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
PDF
0-Day Up Your Sleeve - Attacking macOS Environments
bySecuRing
 
PPTX
Nullbyte 6ed. 2019
byRicardo L0gan
 
PDF
RSA OSX Malware
bySynack
 
PDF
OS X Malware: Let's Play Doctor
bySynack
 
PDF
NYU Hacknight: iOS and OSX ABI
byMikhail Sosonkin
 
PDF
I can be apple and so can you
byShakacon
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
byFelipe Prado
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
byMITRE ATT&CK
 
Csaba fitzl - Mount(ain) of Bugs
byCsaba Fitzl
 
Abusing & Securing XPC in macOS apps
bySecuRing
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
byStefan Esser
 
Qubes os presentation_to_clug_20150727
bycsirac2
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
bySecuRing
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
byPriyanka Aash
 
Bash-ing brittle indicators: Red teaming mac-os without bash or python
byCody Thomas
 
Linux Kernel Security Overview - KCA 2009
byJames Morris
 
Synack Shakacon OSX Malware Persistence
byIvan Einstein
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
byFelipe Prado
 
Exploiting Directory Permissions on macOS
byCsaba Fitzl
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
0-Day Up Your Sleeve - Attacking macOS Environments
bySecuRing
 
Nullbyte 6ed. 2019
byRicardo L0gan
 
RSA OSX Malware
bySynack
 
OS X Malware: Let's Play Doctor
bySynack
 
NYU Hacknight: iOS and OSX ABI
byMikhail Sosonkin
 
I can be apple and so can you
byShakacon
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
byFelipe Prado
 

More from Csaba Fitzl

PDF
SecurityFest-22-Fitzl-beyond.pdf
byCsaba Fitzl
 
PDF
Launch and Environment Constraints Overview
byCsaba Fitzl
 
PDF
How to convince a malware to avoid us
byCsaba Fitzl
 
PDF
Getting root with benign app store apps vsecurityfest
byCsaba Fitzl
 
PDF
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
byCsaba Fitzl
 
PDF
Exploit generation automation with WinDBG (Hacktivity 2017)
byCsaba Fitzl
 
PDF
Getting root with benign app store apps
byCsaba Fitzl
 
PDF
GateKeeper - bypass or not bypass?
byCsaba Fitzl
 
PDF
Exploit generation and javascript analysis automation with WinDBG lu
byCsaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
byCsaba Fitzl
 
Launch and Environment Constraints Overview
byCsaba Fitzl
 
How to convince a malware to avoid us
byCsaba Fitzl
 
Getting root with benign app store apps vsecurityfest
byCsaba Fitzl
 
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
byCsaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
byCsaba Fitzl
 
Getting root with benign app store apps
byCsaba Fitzl
 
GateKeeper - bypass or not bypass?
byCsaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
byCsaba Fitzl
 

Recently uploaded

PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PPTX
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
In this document
Powered by AI

Introduction to the speaker and presentation agenda covering exploits and endpoint security.

Detailed insights on process injection attacks, their significance on macOS, and specific vulnerabilities.

Introduction to symlink attacks, their mechanisms, and associated vulnerabilities.

Overview of MACF, its implementation, power, and its relation to system security.

Explanation of the Endpoint Security framework and its integration with MACF.

Development process for Shield.app detailing entitlement requirements and challenges faced.

Discussion of the application's logic, handling various events related to security.Live demonstrations showcasing the vulnerabilities and how Shield.app mitigates these attacks.

Summary of the presentation points, importance of ES framework, and additional resources for further learning.

Mitigating Exploits Using Apple's Endpoint Security

  • 1.
    Mitigating exploits using Apple'sEndpoint Security Csaba Fitzl Twitter: @theevilbit
  • 2.
    whoami • author of"macOS Control Bypasses" @ Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
  • 3.
    agenda 1. process injectionattacks 2. symlink attacks 3. Endpoint Security framework 4. developing the app 5. the app's logic 6. demos
  • 4.
  • 5.
    why important? • processinjection is a big ⛔ on macOS • access to process's privileges • TCC • keychain • impersonate XPC client (XPC LPEs) • impersonate KEXT client
  • 6.
    DYLD_INSERT_LIBRARIES • classic • SIPkills it (hardened runtime, platform binaries) • still can enable it with entitlement -> if possible don't 🙏
  • 7.
    DYLIB hijacking andproxying • discussed in detail by Patrick Wardle in 2015 • plant a dylib the app looks for, or replace one with your own • SIP / library validation kills it • still can enable it with entitlement -> NOOOO!!!! • problem: app needs to support 3rd party plugins => bypass TCC (Apple & 3rd parties)
  • 8.
    task for pid •inject by getting the task port • ⚠ debug builds with bad entitlement ⚠ • SIP kills this • notarization checks for `com.apple.security.get-task-allow`
  • 9.
    Electron • so muchbroken • env vars • debug ports
  • 10.
    vulnerabilities • CVE-2020-26893 -ClamXAV AntiVirus XPC LPE • CVE-2020-29621 - coreaudiod TCC bypass • CVE-2020-25736 - Acronis True Image 2021 XPC LPE • CVE-2020-24259 - Signal macOS TCC bypass • CVE-2020-14978 - F-Secure XPC • ...
  • 11.
  • 12.
    the approach • processrunning as root writes or modi fi es fi les at a user controllable location • place a symlink or hardlink, pointing to a root accessible location
  • 13.
    vulnerabilities • CVE-2020-9900 -Crash Reporter LPE • CVE-2021-1786 - Crash Reporter arbitrary fi le deletion • CVE-2020-3855 - macOS DiagnosticMessages arbitrary fi le overwrite • CVE-2020-3762 - Adobe installer LPE • ...
  • 14.
  • 15.
    MACF • origin: TrustedBSDMAC • implemented in kernel • policy modules extend the kernel • can place hooks in supported location • very powerful
  • 16.
    MACF • very -very powerful • was part of KDK till OS X 10.12 (never of fi cially supported) • mac.h header was removed • available in xnu: `security/mac.h`, `security/mac_framework.h` • examples: AppleMobileFileIntegrity, Sandbox, EndpointSecurity, Quarantine (=Gatekeeper)
  • 17.
    MACF • typical calloutfrom xnu: mac_......
  • 18.
  • 19.
    MACF • MAC_CHECK • iteratesover all policy frameworks • mpo_... (mac_policy.h)
  • 20.
  • 21.
    ES • KEXT -MACF, kauth • dylib - C API for clients • endpointsecurityd - loading SEXT via launchd • sysextd - validation and copy • SystemExtension.framework - activation and deactivation of the extension • systemextensionsctl - basic control of sysxextd • more: Scott Knight's OBTS talk 1: Scott Knight, https://knight.sc/reverse%20engineering/2019/10/31/macos-catalina-privilege-escalation.html
  • 22.
    ES • MACF policy(EndpointSecurity) • ~60 hooks
  • 23.
    ES • user modeevents are mapped to kernel MACF hooks • examples: • ES_EVENT_TYPE_NOTIFY_CHROOT - es_vnode_check_chroot • ES_EVENT_TYPE_NOTIFY_MOUNT - es_mount_check_mount_late • ES_EVENT_TYPE_NOTIFY_MMAP - es_ fi le_check_mmap • ES_EVENT_TYPE_AUTH_GET_TASK - es_proc_check_get_task
  • 24.
    ES • very powerful!!! •extending MACF to user mode • MACF was never of fi cially supported • now we have in user mode ❤
  • 25.
  • 26.
  • 27.
    getting entitled • 2020March - requested ES entitlement • 2020 April - got developer version • 2020 - emails going to "black hole" at Apple • ... • 2021 January - got the entitlement • frustration, demotivation, annoyed, extremely bad experience - luckily I don't do this for living
  • 28.
    sources • used PatrickWardle's ProcessMonitor and FileMonitor • also reviewed Stephen Davis’s Crescendo
  • 29.
  • 30.
  • 31.
    ES_EVENT_TYPE_AUTH_EXEC • checks: • argument •--inspect, --inspect-brk, --remote-debugging-port • environment variables • DYLD_INSERT_LIBRARIES • CFNETWORK_LIBRARY_PATH • RAWCAMERA_BUNDLE_PATH • ELECTRON_RUN_AS_NODE
  • 32.
  • 33.
    ES_EVENT_TYPE_AUTH_MMAP • dylib injectionprotection • "enforce" library validation • slow - disk I/O
  • 34.
    ES_EVENT_TYPE_AUTH_LINK • event forhardlinks • low privilege process isn't allowed to point to high privilege location
  • 35.
    ES_EVENT_TYPE_NOTIFY_CREATE • track symboliclinks • low privilege process isn't allowed to point to high privilege location • detect only - don't know the target before creation
  • 36.
    demo - w/oShield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
  • 37.
  • 38.
    demo - w/Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
  • 40.
    wrap up • injectionand fi le link attacks responsible for many logic bugs • ES framework is based on MACF • ES extends MACF to user mode, very powerful • can be used to detect and block logic attacks • it's a pain to get the ES entitlement
  • 41.
  • 42.
    Further resources • WojciechReguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X Jailbreak Security Summit 2015
  • 43.
    Links • http://www.trustedbsd.org/mac.html • https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ •https://www.offensive-security.com/offsec/am fi -syscall/ • https://www.semanticscholar.org/paper/New-approaches-to-operating-system-security-Watson/ f89682c6cf943ce349031270e685ee2dddee9376 • https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html • http://newosxbook.com/articles/eps.html • https://github.com/xorrior/goesf/blob/master/appmon.m • https://github.com/theevilbit/Shield
  • 44.