SlideShare a Scribd company logo

Mitigating Exploits Using Apple's Endpoint Security

C
Csaba Fitzl

The document discusses methods for mitigating exploits on macOS, focusing on process injection attacks, symlink attacks, and the functionality of the endpoint security framework. It highlights various vulnerabilities, the importance of different security mechanisms, and the development process of a security application called 'shield.app'. Additionally, it covers challenges in obtaining entitlements needed for the application and emphasizes the framework's capability to detect and block logic attacks.

Technology
Related topics:
Information Security endpoint-security
1 of 44
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Mitigating exploits using Apple's Endpoint Security Csaba Fitzl Twitter: @theevilbit
whoami • author of "macOS Control Bypasses" @ Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
agenda 1. process injection attacks 2. symlink attacks 3. Endpoint Security framework 4. developing the app 5. the app's logic 6. demos
process injection attacks
why important? • process injection is a big ⛔ on macOS • access to process's privileges • TCC • keychain • impersonate XPC client (XPC LPEs) • impersonate KEXT client
DYLD_INSERT_LIBRARIES • classic • SIP kills it (hardened runtime, platform binaries) • still can enable it with entitlement -> if possible don't 🙏
DYLIB hijacking and proxying • discussed in detail by Patrick Wardle in 2015 • plant a dylib the app looks for, or replace one with your own • SIP / library validation kills it • still can enable it with entitlement -> NOOOO!!!! • problem: app needs to support 3rd party plugins => bypass TCC (Apple & 3rd parties)
task for pid • inject by getting the task port • ⚠ debug builds with bad entitlement ⚠ • SIP kills this • notarization checks for `com.apple.security.get-task-allow`
Electron • so much broken • env vars • debug ports
vulnerabilities • CVE-2020-26893 - ClamXAV AntiVirus XPC LPE • CVE-2020-29621 - coreaudiod TCC bypass • CVE-2020-25736 - Acronis True Image 2021 XPC LPE • CVE-2020-24259 - Signal macOS TCC bypass • CVE-2020-14978 - F-Secure XPC • ...
symlink attacks
the approach • process running as root writes or modi fi es fi les at a user controllable location • place a symlink or hardlink, pointing to a root accessible location
vulnerabilities • CVE-2020-9900 - Crash Reporter LPE • CVE-2021-1786 - Crash Reporter arbitrary fi le deletion • CVE-2020-3855 - macOS DiagnosticMessages arbitrary fi le overwrite • CVE-2020-3762 - Adobe installer LPE • ...
MACF - Mandatory Access Control Framework
MACF • origin: TrustedBSD MAC • implemented in kernel • policy modules extend the kernel • can place hooks in supported location • very powerful
MACF • very - very powerful • was part of KDK till OS X 10.12 (never of fi cially supported) • mac.h header was removed • available in xnu: `security/mac.h`, `security/mac_framework.h` • examples: AppleMobileFileIntegrity, Sandbox, EndpointSecurity, Quarantine (=Gatekeeper)
MACF • typical callout from xnu: mac_......
MACF
MACF • MAC_CHECK • iterates over all policy frameworks • mpo_... (mac_policy.h)
Endpoint Security
ES • KEXT - MACF, kauth • dylib - C API for clients • endpointsecurityd - loading SEXT via launchd • sysextd - validation and copy • SystemExtension.framework - activation and deactivation of the extension • systemextensionsctl - basic control of sysxextd • more: Scott Knight's OBTS talk 1: Scott Knight, https://knight.sc/reverse%20engineering/2019/10/31/macos-catalina-privilege-escalation.html
ES • MACF policy (EndpointSecurity) • ~60 hooks
ES • user mode events are mapped to kernel MACF hooks • examples: • ES_EVENT_TYPE_NOTIFY_CHROOT - es_vnode_check_chroot • ES_EVENT_TYPE_NOTIFY_MOUNT - es_mount_check_mount_late • ES_EVENT_TYPE_NOTIFY_MMAP - es_ fi le_check_mmap • ES_EVENT_TYPE_AUTH_GET_TASK - es_proc_check_get_task
ES • very powerful!!! • extending MACF to user mode • MACF was never of fi cially supported • now we have in user mode ❤
Shield.app development
requirements • entitlement: com.apple.developer.endpoint-security.client • Apple's good will
getting entitled • 2020 March - requested ES entitlement • 2020 April - got developer version • 2020 - emails going to "black hole" at Apple • ... • 2021 January - got the entitlement • frustration, demotivation, annoyed, extremely bad experience - luckily I don't do this for living
sources • used Patrick Wardle's ProcessMonitor and FileMonitor • also reviewed Stephen Davis’s Crescendo
es_client
the logic
ES_EVENT_TYPE_AUTH_EXEC • checks: • argument • --inspect, --inspect-brk, --remote-debugging-port • environment variables • DYLD_INSERT_LIBRARIES • CFNETWORK_LIBRARY_PATH • RAWCAMERA_BUNDLE_PATH • ELECTRON_RUN_AS_NODE
ES_EVENT_TYPE_AUTH_GET_TASK
ES_EVENT_TYPE_AUTH_MMAP • dylib injection protection • "enforce" library validation • slow - disk I/O
ES_EVENT_TYPE_AUTH_LINK • event for hardlinks • low privilege process isn't allowed to point to high privilege location
ES_EVENT_TYPE_NOTIFY_CREATE • track symbolic links • low privilege process isn't allowed to point to high privilege location • detect only - don't know the target before creation
demo - w/o Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
demo
demo - w/ Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
Mitigating Exploits Using Apple's Endpoint Security
wrap up • injection and fi le link attacks responsible for many logic bugs • ES framework is based on MACF • ES extends MACF to user mode, very powerful • can be used to detect and block logic attacks • it's a pain to get the ES entitlement
Csaba Fitzl Twitter: @theevilbit
Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X Jailbreak Security Summit 2015
Links • http://www.trustedbsd.org/mac.html • https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ • https://www.offensive-security.com/offsec/am fi -syscall/ • https://www.semanticscholar.org/paper/New-approaches-to-operating-system-security-Watson/ f89682c6cf943ce349031270e685ee2dddee9376 • https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html • http://newosxbook.com/articles/eps.html • https://github.com/xorrior/goesf/blob/master/appmon.m • https://github.com/theevilbit/Shield
Icons • fl aticon.com • xnimrodx • Freepik

More Related Content

PDF
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
PDF
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
PDF
Exploiting XPC in AntiVirus
Csaba Fitzl
 
PPTX
Time-Travel.pptx
BhagyaLakshmi425734
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
PDF
Harnessing the Power of Optimizer Hints
Maria Colgan
 
PDF
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne
 
PPTX
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Exploiting XPC in AntiVirus
Csaba Fitzl
 
Time-Travel.pptx
BhagyaLakshmi425734
 
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Harnessing the Power of Optimizer Hints
Maria Colgan
 
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 

What's hot (15)

PPTX
Continuous DB Changes Delivery With Liquibase
Aidas Dragūnas
 
PPTX
Dangling DNS records takeover at scale
Chandrapal Badshah
 
PDF
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
PDF
The top 10 windows logs event id's used v1.0
Michael Gough
 
PPT
XXE injection - Nguyễn Tăng Hưng
Võ Thái Lâm
 
PDF
Attack-driven defense
Zane Lackey
 
PPTX
SQL Server Database Backup and Restore Plan
Hamid J. Fard
 
PPTX
Optimizing Alert Monitoring with Oracle Enterprise Manager
Datavail
 
PPT
Introduction to PowerShell
Salaudeen Rajack
 
PDF
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
PPTX
Unix shell scripting basics
Manav Prasad
 
PDF
CNIT 126 11. Malware Behavior
Sam Bowne
 
PPTX
Client side attacks using PowerShell
Nikhil Mittal
 
PPTX
Phases of penetration testing
Abdul Rahman
 
Continuous DB Changes Delivery With Liquibase
Aidas Dragūnas
 
Dangling DNS records takeover at scale
Chandrapal Badshah
 
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
The top 10 windows logs event id's used v1.0
Michael Gough
 
XXE injection - Nguyễn Tăng Hưng
Võ Thái Lâm
 
Attack-driven defense
Zane Lackey
 
SQL Server Database Backup and Restore Plan
Hamid J. Fard
 
Optimizing Alert Monitoring with Oracle Enterprise Manager
Datavail
 
Introduction to PowerShell
Salaudeen Rajack
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Unix shell scripting basics
Manav Prasad
 
CNIT 126 11. Malware Behavior
Sam Bowne
 
Client side attacks using PowerShell
Nikhil Mittal
 
Phases of penetration testing
Abdul Rahman
 
Ad

Similar to Mitigating Exploits Using Apple's Endpoint Security (20)

PDF
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
PDF
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
PDF
Metasploitation part-1 (murtuja)
ClubHack
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PPTX
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PDF
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
PDF
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
PDF
Watch How The Giants Fall: Learning from Bug Bounty Results
jtmelton
 
PDF
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 
PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
PDF
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
Ortus Solutions, Corp
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
PPTX
Protect Your Payloads: Modern Keying Techniques
Leo Loobeek
 
PDF
Kafka Security 101 and Real-World Tips
confluent
 
PDF
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
PPTX
InSpec Workflow for DevOpsDays Riga 2017
Mandi Walls
 
PPTX
Defcon - Veil-Pillage
VeilFramework
 
PDF
WTF my container just spawned a shell!
Sysdig
 
PDF
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
Metasploitation part-1 (murtuja)
ClubHack
 
Security research over Windows #defcon china
Peter Hlavaty
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
Watch How The Giants Fall: Learning from Bug Bounty Results
jtmelton
 
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
Ortus Solutions, Corp
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Protect Your Payloads: Modern Keying Techniques
Leo Loobeek
 
Kafka Security 101 and Real-World Tips
confluent
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
InSpec Workflow for DevOpsDays Riga 2017
Mandi Walls
 
Defcon - Veil-Pillage
VeilFramework
 
WTF my container just spawned a shell!
Sysdig
 
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Ad

More from Csaba Fitzl (9)

PDF
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
Csaba Fitzl
 
PDF
Launch and Environment Constraints Overview
Csaba Fitzl
 
PDF
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
PDF
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
PDF
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
PDF
Getting root with benign app store apps
Csaba Fitzl
 
PDF
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
PDF
Exploit generation automation with WinDBG (Hacktivity 2017)
Csaba Fitzl
 
PDF
How to convince a malware to avoid us
Csaba Fitzl
 
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
Csaba Fitzl
 
Launch and Environment Constraints Overview
Csaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
Getting root with benign app store apps
Csaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Csaba Fitzl
 
How to convince a malware to avoid us
Csaba Fitzl
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation theory and applications.pdf
gurumoop
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Teaching material agriculture food technology
LiaRayya
 
KodekX | Application Modernization Development
KodekX
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Approach and Philosophy of On baking technology
30anthuong17
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 

Mitigating Exploits Using Apple's Endpoint Security

  • 1. Mitigating exploits using Apple's Endpoint Security Csaba Fitzl Twitter: @theevilbit
  • 2. whoami • author of "macOS Control Bypasses" @ Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
  • 3. agenda 1. process injection attacks 2. symlink attacks 3. Endpoint Security framework 4. developing the app 5. the app's logic 6. demos
  • 5. why important? • process injection is a big ⛔ on macOS • access to process's privileges • TCC • keychain • impersonate XPC client (XPC LPEs) • impersonate KEXT client
  • 6. DYLD_INSERT_LIBRARIES • classic • SIP kills it (hardened runtime, platform binaries) • still can enable it with entitlement -> if possible don't 🙏
  • 7. DYLIB hijacking and proxying • discussed in detail by Patrick Wardle in 2015 • plant a dylib the app looks for, or replace one with your own • SIP / library validation kills it • still can enable it with entitlement -> NOOOO!!!! • problem: app needs to support 3rd party plugins => bypass TCC (Apple & 3rd parties)
  • 8. task for pid • inject by getting the task port • ⚠ debug builds with bad entitlement ⚠ • SIP kills this • notarization checks for `com.apple.security.get-task-allow`
  • 9. Electron • so much broken • env vars • debug ports
  • 10. vulnerabilities • CVE-2020-26893 - ClamXAV AntiVirus XPC LPE • CVE-2020-29621 - coreaudiod TCC bypass • CVE-2020-25736 - Acronis True Image 2021 XPC LPE • CVE-2020-24259 - Signal macOS TCC bypass • CVE-2020-14978 - F-Secure XPC • ...
  • 12. the approach • process running as root writes or modi fi es fi les at a user controllable location • place a symlink or hardlink, pointing to a root accessible location
  • 13. vulnerabilities • CVE-2020-9900 - Crash Reporter LPE • CVE-2021-1786 - Crash Reporter arbitrary fi le deletion • CVE-2020-3855 - macOS DiagnosticMessages arbitrary fi le overwrite • CVE-2020-3762 - Adobe installer LPE • ...
  • 15. MACF • origin: TrustedBSD MAC • implemented in kernel • policy modules extend the kernel • can place hooks in supported location • very powerful
  • 16. MACF • very - very powerful • was part of KDK till OS X 10.12 (never of fi cially supported) • mac.h header was removed • available in xnu: `security/mac.h`, `security/mac_framework.h` • examples: AppleMobileFileIntegrity, Sandbox, EndpointSecurity, Quarantine (=Gatekeeper)
  • 17. MACF • typical callout from xnu: mac_......
  • 18. MACF
  • 19. MACF • MAC_CHECK • iterates over all policy frameworks • mpo_... (mac_policy.h)
  • 21. ES • KEXT - MACF, kauth • dylib - C API for clients • endpointsecurityd - loading SEXT via launchd • sysextd - validation and copy • SystemExtension.framework - activation and deactivation of the extension • systemextensionsctl - basic control of sysxextd • more: Scott Knight's OBTS talk 1: Scott Knight, https://knight.sc/reverse%20engineering/2019/10/31/macos-catalina-privilege-escalation.html
  • 22. ES • MACF policy (EndpointSecurity) • ~60 hooks
  • 23. ES • user mode events are mapped to kernel MACF hooks • examples: • ES_EVENT_TYPE_NOTIFY_CHROOT - es_vnode_check_chroot • ES_EVENT_TYPE_NOTIFY_MOUNT - es_mount_check_mount_late • ES_EVENT_TYPE_NOTIFY_MMAP - es_ fi le_check_mmap • ES_EVENT_TYPE_AUTH_GET_TASK - es_proc_check_get_task
  • 24. ES • very powerful!!! • extending MACF to user mode • MACF was never of fi cially supported • now we have in user mode ❤
  • 27. getting entitled • 2020 March - requested ES entitlement • 2020 April - got developer version • 2020 - emails going to "black hole" at Apple • ... • 2021 January - got the entitlement • frustration, demotivation, annoyed, extremely bad experience - luckily I don't do this for living
  • 28. sources • used Patrick Wardle's ProcessMonitor and FileMonitor • also reviewed Stephen Davis’s Crescendo
  • 31. ES_EVENT_TYPE_AUTH_EXEC • checks: • argument • --inspect, --inspect-brk, --remote-debugging-port • environment variables • DYLD_INSERT_LIBRARIES • CFNETWORK_LIBRARY_PATH • RAWCAMERA_BUNDLE_PATH • ELECTRON_RUN_AS_NODE
  • 33. ES_EVENT_TYPE_AUTH_MMAP • dylib injection protection • "enforce" library validation • slow - disk I/O
  • 34. ES_EVENT_TYPE_AUTH_LINK • event for hardlinks • low privilege process isn't allowed to point to high privilege location
  • 35. ES_EVENT_TYPE_NOTIFY_CREATE • track symbolic links • low privilege process isn't allowed to point to high privilege location • detect only - don't know the target before creation
  • 36. demo - w/o Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
  • 37. demo
  • 38. demo - w/ Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
  • 40. wrap up • injection and fi le link attacks responsible for many logic bugs • ES framework is based on MACF • ES extends MACF to user mode, very powerful • can be used to detect and block logic attacks • it's a pain to get the ES entitlement
  • 42. Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X Jailbreak Security Summit 2015
  • 43. Links • http://www.trustedbsd.org/mac.html • https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ • https://www.offensive-security.com/offsec/am fi -syscall/ • https://www.semanticscholar.org/paper/New-approaches-to-operating-system-security-Watson/ f89682c6cf943ce349031270e685ee2dddee9376 • https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html • http://newosxbook.com/articles/eps.html • https://github.com/xorrior/goesf/blob/master/appmon.m • https://github.com/theevilbit/Shield