SlideShare a Scribd company logo

Virus Bulletin 2015: Exposing Gatekeeper

Synack
Synack

This document provides an overview of Gatekeeper, Apple's built-in macOS security feature that aims to block unauthorized code from being installed or run on a user's system. It discusses how Gatekeeper works under the hood, including how it uses file quarantine attributes and the launchservices framework to check for and potentially block execution of apps from untrusted developers. The document also examines ways that Gatekeeper's protections can be bypassed or understood in more detail.

1 of 43
Download to read offline
@patrickwardle Exposing Gatekeeper come, see, conquer!
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” WHOIS @patrickwardle security for the 21st century career hobby
{all aspects of gatekeeper OUTLINE Gatekeeper fixing?bypassingunderstanding
UNDERSTANDING GATEKEEPER …under the hood
...os x trojans everywhere? everywhere! LIFE BEFORE GATEKEEPER 2009 2012 gatekeeper 2006 leap-­‐a 2007 rsplug 2008 macsweeper hovdy-­‐a rkosx-­‐a jahlav-­‐a iworks-­‐a 2010 pinhead boonana opinionspy 2011 macdefender qhost PDF revir devilrobber countless OS X users infected
as there is no patch for human stupidity ;) GATEKEEPER AIMS TO PROTECT Gatekeeper is a built-in anti-malware feature of OS X (10.7+) "If a [downloaded] app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed" -apple.com TL;DR  block  unauthorized  code  from  the  internet only option!
...from low-tech adversaries GATEKEEPER PROTECT USERS fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users! "Gatekeeper Slams the Door on Mac Malware Epidemics" -tidbits.com
...from high-tech adversaries GATEKEEPER PROTECTS USERS LittleSnitch Sophos ClamXav Q1 2015: all security software, I downloaded -> served over HTTP :( MitM + infect insecure downloads my dock
an overview HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.app          com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   quarantine attribute added gatekeeper settings iff quarantine attribute is set! gatekeeper in action
simply put; file metadata EXTENDED FILE ATTRIBUTES dumping quarantine attributes $  xattr  -­‐l  ~/Downloads/eicar.com.txt     com.apple.metadata:kMDItemWhereFroms:   00000000    62  70  6C  69  73  74  30  30  A2  01  02  5F  10  2B  68  74    |bplist00..._.+ht|   00000010    74  70  3A  2F  2F  77  77  77  2E  65  69  63  61  72  2E  6F    |tp://www.eicar.o|   00000020    72  67  2F  64  6F  77  6E  6C  6F  61  64  2F  65  69  63  61    |rg/download/eica|   00000030    72  2E  63  6F  6D  2E  74  78  74  5F  10  27  68  74  74  70    |r.com.txt_......|   com.apple.quarantine:  0001;55ef7b62;Google  Chrome.app;3F2688DE-­‐C34D-­‐4953-­‐8AF1-­‐4F8741FC1326 dump w/ xattr command extended attr. (com.apple.*) brief details FinderInfo information for Finder.app (such as folder colors) metadata Spotlight data, such as download location & version info quarantine indicates that file is from an 'untrusted' source (internet) Jonathan Levin "Mac OS X & iOS Internals"
realized by the com.apple.quarantine file attribute 'FILE QUARANTINE' //dictionary for quarantine attributes NSDictionary* quarantineAttributes = nil; //get attributes [fileURL getResourceValue:&quarantineAttributes forKey:NSURLQuarantinePropertiesKey error:NULL]; added in Leopard "file from internet" $  dumpAttrs  ~/Downloads/eicar.com.txt            LSQuarantineAgentBundleIdentifier  =  "com.google.Chrome";
        LSQuarantineAgentName  =  "Google  Chrome.app";          LSQuarantineDataURL  =  "http://www.eicar.org/download/eicar.com.txt";          LSQuarantineEventIdentifier  =  "3F2688DE-­‐C34D-­‐4953-­‐8AF1-­‐4F8741FC1326";          LSQuarantineOriginURL  =  "http://www.eicar.org/85-­‐0-­‐Download.html";          LSQuarantineTimeStamp  =  "2015-­‐09-­‐09  00:20:50  +0000";          LSQuarantineType  =  LSQuarantineTypeWebDownload; dumping a file's com.apple.quarantine attribute note; not gatekeeper file quarantine in action code to get attributes
who done it!? SETTING THE QUARANTINE ATTRIBUTE custom downloader any extended attributes? $  xattr  -­‐l  ~/Downloads/eicar.com.txt   $  dumpAttrs  ~/Downloads/eicar.com.txt   $ //button handler: download file -(IBAction)download:(id)sender { //url NSURL *remoteFile = [NSURL URLWithString:self.textField.stringValue]; //local file NSString* localFile = [NSString stringWithFormat:@"/tmp/%@", [remoteFile lastPathComponent]]; //download & save to file [[NSData dataWithContentsOfURL:remoteFile] writeToFile:localFile atomically:NO]; return; } none; huh? custom downloader's source code
apps can manually add it SETTING THE QUARANTINE ATTRIBUTE -(void)setQAttr:(NSString*)localFile { //quarantine attributes dictionary NSMutableDictionary* quarantineAttributes = [NSMutableDictionary dictionary]; //add agent bundle id quarantineAttributes[kLSQuarantineAgentBundleIdentifierKey] = [[NSBundle mainBundle] bundleIdentifier]; //add agent name quarantineAttributes[kLSQuarantineAgentNameKey] = [[[NSBundle mainBundle] infoDictionary] objectForKey:kCFBundleNameKey]; ... //manually add quarantine attributes to file [[NSURL fileURLWithPath:localFile] setResourceValues:@{NSURLQuarantinePropertiesKey: quarantineAttributes} error:NULL]; return; } $  xattr  -­‐l  ~/Downloads/eicar.com.txt
 com.apple.quarantine:   0000;55efddeb;downloader;ED9BFEA8-­‐10B1-­‐48BA-­‐87AF-­‐623EA7599481   
 $  dumpAttrs  ~/Downloads/eicar.com.txt            LSQuarantineAgentBundleIdentifier  =  "com.synack.downloader";          LSQuarantineAgentName  =  downloader;          LSQuarantineDataURL  =  "http://www.eicar.org/download/eicar.com.txt";          LSQuarantineEventIdentifier  =  "ED9BFEA8-­‐10B1-­‐48BA-­‐87AF-­‐623EA7599481";          LSQuarantineTimeStamp  =  "2015-­‐09-­‐09  07:21:15  +0000";          LSQuarantineType  =  LSQuarantineTypeWebDownload; consts in LSQuarantine.h manually set, quarantine attribute code to set a file's quarantine attribute
or, apps can generically tell the OS to add it SETTING THE QUARANTINE ATTRIBUTE $  xattr  -­‐l  ~/Downloads/eicar.com.txt   com.apple.quarantine:  0000;55f139c4;downloader.app;   
 $  dumpAttrs  ~/Downloads/eicar.com.txt            LSQuarantineAgentName  =  "downloader.app";          LSQuarantineTimeStamp  =  "2015-­‐09-­‐10  08:05:24  +0000"; automatically (OS) set, quarantine attribute Info.plist keys: LSFileQuarantineEnabled "When the value of this key is true, all files created by the application process will be quarantined by OS X" -apple.com app's Info.plist file updated (LSFileQuarantineEnabled) $  grep  -­‐A  1  LSFileQuarantineEnabled  Info.plist      <key>LSFileQuarantineEnabled</key>      <true/>
an overview GATEKEEPER IN ACTION Finder.app LaunchServices framework Quarantine.kext XPC request XPC request CoreServicesUIAgent XProtect framework Launchd
handled by the launchservices framework LAUNCHING THE BINARY/APP Finder.app LaunchServices framework libxpc.dylib`_spawn_via_launchd LaunchServices`LaunchApplicationWithSpawnViaLaunchD LaunchServices`_LSLaunchApplication LaunchServices`_LSLaunch LaunchServices`_LSOpenApp LaunchServices`_LSOpenStuffCallLocal LaunchServices`_LSOpenStuff LaunchServices`_LSOpenURLsWithRole_Common LaunchServices`LSOpenURLsWithRole pid_t  _spawn_via_launchd(      const  char  *label,        const  char  *const  *argv,        const  struct  spawn_via_launchd_attr  *spawn_attrs,        int  struct_version     ); launch_priv.h (lldb)  x/s  $rdi   "[0x0-­‐0xb92b92].com.nsa.malware"   
 (lldb)  print  *(char**)$rsi   "~/Downloads/Malware.app/Contents/MacOS/Malware"
 
 (lldb)print  *(struct  spawn_via_launchd_attr*)$rdx   {          spawn_flags  =  SPAWN_VIA_LAUNCHD_STOPPED          ...   } call stack _spawn_via_launchd() XPC request 'spawn' attributes, etc.
kernel-mode mac component POLICY ENFORCEMENT WITH QUARANTINE.KEXT Quarantine`hook_vnode_check_exec kernel`mac_vnode_check_exec kernel`exec_activate_image kernel`exec_activate_image kernel`posix_spawn kernel`unix_syscall64 kernel`hndl_unix_scall64 call stack Quarantine.kext Launchd XPC request hook_vnode_check_exec //bail if sandbox'ing not enforced cmp cs:_sandbox_enforce, 0 jz leaveFunction
 //bail if file previously approved call _quarantine_get_flags and eax, 40h jnz leaveFunction
 //bail if file is on read-only file system
 call _vfs_flags ; mnt flags test al, MNT_RDONLY
 jnz leaveFunction hook_vnode_check_exec (lldb)  print  *(struct  mac_policy_conf*)0xFFFFFF7F8B447110      mpc_name  =  0xffffff7f8b446c3a  "Quarantine"      mpc_fullname  =  0xffffff7f8b446cb0  "Quarantine  policy"      ...   quarantine policy
first, the xpc request USER INTERACTION VIA CORESERVICESUIAGENT LaunchServices framework XPC request CoreServicesUIAgent (lldb)  po  $rax   {          LSQAllowUnsigned  =  0;          LSQAppPSN  =  3621748;          LSQAppPath  =  "/Users/patrick/Downloads/Malware.app";          LSQAuthorization  =  <bed76627  c7cc0ae4  a6860100  00000000  ...          LSQRiskCategory  =  LSRiskCategoryUnsafeExecutable;   } void ____LSAgentGetConnection_block_invoke(void * _block) { rax = xpc_connection_create_mach_service("com.apple.coreservices.quarantine-resolver", dispatch_get_global_queue(0x0, 0x0), 0x0); xpc_connection_set_event_handler(rax, void ^(void * _block, void * arg1) { return; }); xpc_connection_resume(rax); return; } getting XPC connection to CoreServicesUIAgent XPC message contents pseudo code
-[CSUIController handleIncomingXPCMessage:clientConnection:]
 -[GKQuarantineResolver resolve] -[GKQuarantineResolver malwareChecksBegin] -[GKQuarantineResolver malwareCheckNextItem] mov rdi, cs:classRef_XProtectAnalysis mov rsi, cs:selRef_alloc call r15 ; _objc_msgSend mov rdi, rax mov rsi, cs:selRef_initWithURL_ mov rdx, r14 ;path to app call r15 ; _objc_msgSend -[XProtectAnalysis beginAnalysisWithDelegate:didEndSelector:contextInfo:] +[WorkerThreadClass threadEntry:] mov rdi, [rbp+staticCodeRef] lea rdx, [rbp+signingInfo] xor esi, esi ;flags call _SecCodeCopySigningInformation then, analysis via xprotect USER INTERACTION VIA CORESERVICESUIAGENT CoreServicesUIAgent XProtect framework (lldb)  po  $rdi   {      FileURL  =  "file:///Users/patrick/Downloads/Malware.app";      ShouldShowMalwareSubmission  =  0;      XProtectCaspianContext  =          {                  "context:qtnflags"  =  33;                  operation  =  "operation:execute";      };      XProtectDetectionType  =  3;      XProtectMalwareType  =  2;   } program control flow XProtectMalwareType meaning unsigned0x2 signed app0x5 modified app0x7 0x3 modified bundle
finally, display the alert USER INTERACTION VIA CORESERVICESUIAGENT CoreServicesUIAgent mov rsi, cs:selRef_deny mov rdi, r14 call cs:_objc_msgSend_ptr -[GKQuarantineResolver deny] -[GKQuarantineResolver denyWithoutSettingState] mov rax, _OBJC_IVAR_$_GKQuarantineResolver__appASN mov rsi, [rdi+rax] mov edi, 0FFFFFFFEh mov edx, 2 call __LSKillApplication -[GKQuarantineResolver showGKAlertForPath:] -[GKQuarantineResolver alertForPath:malwareInfo:] mov rax, _OBJC_IVAR_$_GKQuarantineResolver__allowUnsigned mov rcx, [rbp+GKQuarantineResolver] cmp byte ptr [rcx+rax], 0
 lea rdi, cfstr_Q_headline_cas ; "Q_HEADLINE_CASPIAN_BAD_DISTRIBUTOR"
 mov rdi, cs:classRef_NSAlert mov rsi, cs:selRef_alloc call r12 ; _objc_msgSend $  less  QuarantineHeadlines.strings   <key>Q_HEADLINE_CASPIAN_BAD_DISTRIBUTOR</key>   <string>      “%@”  can’t  be  opened  because  it  is  from  an  unidentified  developer.   </string>   <key>Q_HEADLINE_CASPIAN_BLOCKED</key>   <string>      “%@”  can’t  be  opened  because  it  was  not  downloaded  from  the  Mac  App  Store.   </string> gatekeeper alert alert strings (QuarantineHeadlines.strings) alert customization application termination
quarantine attributes updated, then application resumed WHAT IF THE APP CONFORMS & IS ALLOWED BY THE USER? -[GKQuarantineResolver approveUpdatingQuarantineTarget:recursively:volume:] call __qtn_file_get_flags or eax, 40h mov rdi, [rbp+var_B8] mov esi, eax call __qtn_file_set_flags updating quarantine attributes mov rsi, [r13+r14+0] mov rax, __kLSApplicationInStoppedStateKey_ptr mov rdx, [rax] mov edi, 0FFFFFFFEh xor r8d, r8d mov rcx, rbx call __LSSetApplicationInformationItem ;on error lea rsi, "Unable to continue stopped application" mov edi, 4 xor eax, eax mov edx, ecx call logError quarantine alert resuming application $  xattr  -­‐l  ~/Downloads/KnockKnock.app/Contents/MacOS/KnockKnock     com.apple.quarantine:  0001;55f3313d;Googlex20Chrome.app;FBF45932...   $  xattr  -­‐l  ~/Downloads/KnockKnock.app/Contents/MacOS/KnockKnock     com.apple.quarantine:  0041;55f3313d;Googlex20Chrome.app;FBF45932...   before & after
BYPASSING GATEKEEPER unsigned code allowed!?
...unauthorized code should be blocked! RECALL; GATEKEEPER AIMS TO PROTECT block  unauthorized  code  from  the  internet gatekeeper in action XcodeGhost
binaries downloaded via exploits GATEKEEPER SHORTCOMINGS "exploit payload downloads" "malware that comes onto the system through vulnerabilities...bypass quarantine entirely. The infamous Flashback malware, for example, used Java vulnerabilities to copy executable files into the system. Since this was done behind the scenes, out of view of quarantine, those executables were able to run without any user interactions" -www.thesafemac.com } download via shellcode
downloading app, must 'support' quarantine attribute GATEKEEPER SHORTCOMINGS "the quarantine system relies on the app being used for downloading doing things properly. Not all do, and this can result in the quarantine flag not being set on downloaded files" -www.thesafemac.com $  xattr  -­‐p  com.apple.quarantine  Adobe  Photoshop  CC  2014.dmg     xattr:  Adobe  Photoshop  CC  2014.dmg:  No  such  xattr:  com.apple.quarantine no quarantine attribute :( vb201410-iWorm.pdf iWorm infected applications uTorrent attribute added?
allowing unsigned code to execute GATEKEEPER BYPASSES 2014 2015 CVE  2014-­‐8826   (patched) CVE  2015-­‐3715   (patched) today "runtime shenanigans" dylib hijacking malicious jar file required java }default OS install unpatched
(dylib) hijacking external content GATEKEEPER BYPASS 0X1 (CVE 2015-3715) find an signed app that contains an external, relative dependency to a hijackable dylib create a .dmg/.zip with the necessary folder structure (i.e. placing the malicious dylib in the externally referenced location) host online or inject verified, so can't modify .dmg/.zip layout (signed) application <external>.dylibgatekeeper only verified the app bundle! wasn't verified! white paper
 www.virusbtn.com/dylib
a signed app that contains an external dependency to hijackable dylib GATEKEEPER BYPASS 0X1 (CVE 2015-3715) $  spctl  -­‐vat  execute  /Applications/Xcode.app/Contents/Applications/Instruments.app   Instruments.app:  accepted   source=Apple  System $  otool  -­‐l  Instruments.app/Contents/MacOS/Instruments   Load  command  16                      cmd  LC_LOAD_WEAK_DYLIB                    name  @rpath/CoreSimulator.framework/Versions/A/CoreSimulator   
 Load  command  30                      cmd  LC_RPATH                    path  @executable_path/../../../../SharedFrameworks spctl tells you if gatekeeper will accept the app Instruments.app - fit's the bill
create a .dmg with the necessary layout GATEKEEPER BYPASS 0X1 (CVE 2015-3715) required directory structure 'clean up' the .dmg ‣ hide files/folder ‣ set top-level alias to app ‣ change icon & background ‣ make read-only (deployable) malicious .dmg
host online or inject into downloads GATEKEEPER BYPASS 0X1 (CVE 2015-3715) quarantine popup (anything downloaded) gatekeeper setting's (maximum) quarantine alert gatekeeper bypass :) unsigned (non-Mac App Store) code execution!!
runtime shenanigans GATEKEEPER BYPASS 0X2 find any signed app that at runtime, loads and executes a relatively external binary create a .dmg/.zip with the necessary folder structure (i.e. placing the malicious binary in the externally referenced location) verified, so can't modify .dmg/.zip layout (signed) -application <external> binary gatekeeper only statically verifies the app bundle! (still) isn't verified! host online/inject into insecure downloads
example 1: Adobe (Photoshop, etc) GATEKEEPER BYPASS 0X2 Q:  Can  I  add/modify  files  in  my  signed  (app)  bundle? 3rd party plugins, etc. -> go outside the bundle! A: "This is no longer allowed. If you must modify your bundle, do it before signing. If you modify a signed bundle, you must re-sign it afterwards. Write data into files outside the bundle" -apple.com app bundle validates! NSString* pluginDir = APPS_DIR + @"../Plug-ins"; for(NSString* plugins in pluginDir) { //load plugin dylib! } plugin loading pseudo code not validated gatekeeperiWorm vs. movie time! } Adobe Photoshop
example 2: Apple (redacted) GATEKEEPER BYPASS 0X2 //execute reacted redacted() { //redacted redacted = redacted() execv(redacted, ....) } //redacted char* redacted() { //redacted redacted = redacted() //redacted redacted = redacted(redacted) ... //redacted return redacted } $  spctl  -­‐vat  execute  redacted/redacted/redacted/redacted   redacted/redacted/redacted/redacted:  accepted   source=Apple  System gatekeeper, happy with redacted $  xattr  -­‐l  *   redacted:  com.apple.quarantine:  0001;55ee3bea;Googlex20Chrome.app   redacted:  com.apple.quarantine:  0001;55ee3bea;Googlex20Chrome.app   $  codesign  -­‐dvv  redacted     redacted:  code  object  is  not  signed  at  all ...but redacted is unsigned redacted's pseudo code
example 2: Apple (redacted) GATEKEEPER BYPASS 0X2 gatekeeper setting's (max.) alias to redacted ...name & icon attacker controlled apple-signed redacted .app extension prevents Terminal.app popup unsigned redacted command-line executable unsigned application only visible item }hide unsigned code execution .dmg setup
FIXING GATEKEEPER suggestion; runtime validation?
a suggestion to thwart runtime bypasses? VALIDATE ALL BINARIES AT RUNTIME! Quarantine.kext or executable dylib exec hook dlopen hook } BOOL isQuarantined() { //get flags call _quarantine_get_flags test eax, eax jz notQ //first time exec/loaded? and eax, 40h jz notQ //file has quarantine bit set! // ->log & return TRUE, to alert } checking quarantine attributeetc... alert on all unauthorized code
CONCLUSIONS wrapping it up
GATEKEEPER theory (or, apple marketing) protects naive OS X users from attackers protects naive OS X users from lame attackers "omg, my mac is so secure, no need for AV" -mac users GATEKEEPER the unfortunate reality highly recommend; 3rd-party security tools & false sense of security?
MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company i beg to differ! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
free security tools & malware samples OBJECTIVE-SEE os x malware samples KnockKnock BlockBlock TaskExplorer
QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;)
credits - http://wirdou.com/2012/02/04/is-that-bad-doctor/ - thezooom.com - http://th07.deviantart.net/fs70/PRE/f/2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg 
 - iconmonstr.com - flaticon.com
 
 
 
 - thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - https://securosis.com/blog/os-x-10.8-gatekeeper-in-depth images resources

Recommended

Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
Synack
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Synack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
Synack
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015
Synack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS X
Synack
 

Recommended

Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
Synack
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Synack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
Synack
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015
Synack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS X
Synack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
Synack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
Synack
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
Synack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
Synack
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
Priyanka Aash
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the sword
Priyanka Aash
 
Как мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияКак мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управления
Positive Hack Days
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
CanSecWest
 
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Andy Davies
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
Michael Boman
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
RootedCON
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
Synack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
Synack
 

More Related Content

What's hot

RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
Synack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
Synack
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
Synack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
Synack
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
Priyanka Aash
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the sword
Priyanka Aash
 
Как мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияКак мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управления
Positive Hack Days
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
CanSecWest
 
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Andy Davies
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
Michael Boman
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
RootedCON
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON
 

What's hot (20)

RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the sword
 
Как мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияКак мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управления
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 

Viewers also liked

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
Synack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
Synack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
Synack
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
Ay_sel
 
Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?
Marco Gabriella
 
Sip structural insulated panels
Sip structural insulated panelsSip structural insulated panels
Sip structural insulated panels
sips-structural-insulated-panels
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
Mariana Madalena
 
Giver (archetypes)
Giver (archetypes)Giver (archetypes)
Giver (archetypes)
Xiao Yun
 
Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115
Xiao Yun
 
Asset management report 2015
Asset management report 2015Asset management report 2015
Asset management report 2015
Cyril BOUCHU
 
Documentary proposal
Documentary proposalDocumentary proposal
Documentary proposal
Xiao Yun
 
Zhang yi mou (lee sweet wan)
Zhang yi mou (lee sweet wan)Zhang yi mou (lee sweet wan)
Zhang yi mou (lee sweet wan)
Xiao Yun
 
The Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease PreventionThe Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease Prevention
Madelyn Skinner
 
Storyboard
Storyboard Storyboard
Storyboard
Xiao Yun
 

Viewers also liked (15)

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
 
Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?
 
Sip structural insulated panels
Sip structural insulated panelsSip structural insulated panels
Sip structural insulated panels
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
 
Giver (archetypes)
Giver (archetypes)Giver (archetypes)
Giver (archetypes)
 
Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115
 
Asset management report 2015
Asset management report 2015Asset management report 2015
Asset management report 2015
 
Documentary proposal
Documentary proposalDocumentary proposal
Documentary proposal
 
me
meme
me
 
Zhang yi mou (lee sweet wan)
Zhang yi mou (lee sweet wan)Zhang yi mou (lee sweet wan)
Zhang yi mou (lee sweet wan)
 
The Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease PreventionThe Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease Prevention
 
Storyboard
Storyboard Storyboard
Storyboard
 

Similar to Virus Bulletin 2015: Exposing Gatekeeper

Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
Ibrahim Baliç
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
BGA Cyber Security
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
Alexandre Borges
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W... Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...Robert Nyman
 
WebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla LondonWebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla LondonRobert Nyman
 
Android - Anatomy of android elements & layouts
Android - Anatomy of android elements & layoutsAndroid - Anatomy of android elements & layouts
Android - Anatomy of android elements & layouts
Vibrant Technologies & Computers
 
Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)
Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)
Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)
Chris Richardson
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Codemotion
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profit
Maxime Petazzoni
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...
How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...
How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...
Adriano Raiano
 
How we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIHow we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CI
Marcio Klepacz
 
Core Android
Core AndroidCore Android
Core Android
Dominik Helleberg
 
Use Eclipse technologies to build a modern embedded IDE
Use Eclipse technologies to build a modern embedded IDEUse Eclipse technologies to build a modern embedded IDE
Use Eclipse technologies to build a modern embedded IDEBenjamin Cabé
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Chris Bailey
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
Chris Bailey
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
Max Kleiner
 
Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)
충섭 김
 

Similar to Virus Bulletin 2015: Exposing Gatekeeper (20)

Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W... Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
Bringing the open web and APIs to mobile devices with Firefox OS - Whisky W...
 
WebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla LondonWebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla London
 
Android - Anatomy of android elements & layouts
Android - Anatomy of android elements & layoutsAndroid - Anatomy of android elements & layouts
Android - Anatomy of android elements & layouts
 
Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)
Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)
Deploying Spring Boot applications with Docker (east bay cloud meetup dec 2014)
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profit
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websites
 
How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...
How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...
How dorma+kaba leverages and deploys on CloudFoundry - CloudFoundry Summit Eu...
 
How we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIHow we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CI
 
Core Android
Core AndroidCore Android
Core Android
 
Use Eclipse technologies to build a modern embedded IDE
Use Eclipse technologies to build a modern embedded IDEUse Eclipse technologies to build a modern embedded IDE
Use Eclipse technologies to build a modern embedded IDE
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
 
Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)
 

Recently uploaded

Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 

Recently uploaded (20)

Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 

Virus Bulletin 2015: Exposing Gatekeeper

  • 2. “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” WHOIS @patrickwardle security for the 21st century career hobby
  • 3. {all aspects of gatekeeper OUTLINE Gatekeeper fixing?bypassingunderstanding
  • 5. ...os x trojans everywhere? everywhere! LIFE BEFORE GATEKEEPER 2009 2012 gatekeeper 2006 leap-­‐a 2007 rsplug 2008 macsweeper hovdy-­‐a rkosx-­‐a jahlav-­‐a iworks-­‐a 2010 pinhead boonana opinionspy 2011 macdefender qhost PDF revir devilrobber countless OS X users infected
  • 6. as there is no patch for human stupidity ;) GATEKEEPER AIMS TO PROTECT Gatekeeper is a built-in anti-malware feature of OS X (10.7+) "If a [downloaded] app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed" -apple.com TL;DR  block  unauthorized  code  from  the  internet only option!
  • 7. ...from low-tech adversaries GATEKEEPER PROTECT USERS fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users! "Gatekeeper Slams the Door on Mac Malware Epidemics" -tidbits.com
  • 8. ...from high-tech adversaries GATEKEEPER PROTECTS USERS LittleSnitch Sophos ClamXav Q1 2015: all security software, I downloaded -> served over HTTP :( MitM + infect insecure downloads my dock
  • 9. an overview HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.app          com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   quarantine attribute added gatekeeper settings iff quarantine attribute is set! gatekeeper in action
  • 10. simply put; file metadata EXTENDED FILE ATTRIBUTES dumping quarantine attributes $  xattr  -­‐l  ~/Downloads/eicar.com.txt     com.apple.metadata:kMDItemWhereFroms:   00000000    62  70  6C  69  73  74  30  30  A2  01  02  5F  10  2B  68  74    |bplist00..._.+ht|   00000010    74  70  3A  2F  2F  77  77  77  2E  65  69  63  61  72  2E  6F    |tp://www.eicar.o|   00000020    72  67  2F  64  6F  77  6E  6C  6F  61  64  2F  65  69  63  61    |rg/download/eica|   00000030    72  2E  63  6F  6D  2E  74  78  74  5F  10  27  68  74  74  70    |r.com.txt_......|   com.apple.quarantine:  0001;55ef7b62;Google  Chrome.app;3F2688DE-­‐C34D-­‐4953-­‐8AF1-­‐4F8741FC1326 dump w/ xattr command extended attr. (com.apple.*) brief details FinderInfo information for Finder.app (such as folder colors) metadata Spotlight data, such as download location & version info quarantine indicates that file is from an 'untrusted' source (internet) Jonathan Levin "Mac OS X & iOS Internals"
  • 11. realized by the com.apple.quarantine file attribute 'FILE QUARANTINE' //dictionary for quarantine attributes NSDictionary* quarantineAttributes = nil; //get attributes [fileURL getResourceValue:&quarantineAttributes forKey:NSURLQuarantinePropertiesKey error:NULL]; added in Leopard "file from internet" $  dumpAttrs  ~/Downloads/eicar.com.txt            LSQuarantineAgentBundleIdentifier  =  "com.google.Chrome";
        LSQuarantineAgentName  =  "Google  Chrome.app";          LSQuarantineDataURL  =  "http://www.eicar.org/download/eicar.com.txt";          LSQuarantineEventIdentifier  =  "3F2688DE-­‐C34D-­‐4953-­‐8AF1-­‐4F8741FC1326";          LSQuarantineOriginURL  =  "http://www.eicar.org/85-­‐0-­‐Download.html";          LSQuarantineTimeStamp  =  "2015-­‐09-­‐09  00:20:50  +0000";          LSQuarantineType  =  LSQuarantineTypeWebDownload; dumping a file's com.apple.quarantine attribute note; not gatekeeper file quarantine in action code to get attributes
  • 12. who done it!? SETTING THE QUARANTINE ATTRIBUTE custom downloader any extended attributes? $  xattr  -­‐l  ~/Downloads/eicar.com.txt   $  dumpAttrs  ~/Downloads/eicar.com.txt   $ //button handler: download file -(IBAction)download:(id)sender { //url NSURL *remoteFile = [NSURL URLWithString:self.textField.stringValue]; //local file NSString* localFile = [NSString stringWithFormat:@"/tmp/%@", [remoteFile lastPathComponent]]; //download & save to file [[NSData dataWithContentsOfURL:remoteFile] writeToFile:localFile atomically:NO]; return; } none; huh? custom downloader's source code
  • 13. apps can manually add it SETTING THE QUARANTINE ATTRIBUTE -(void)setQAttr:(NSString*)localFile { //quarantine attributes dictionary NSMutableDictionary* quarantineAttributes = [NSMutableDictionary dictionary]; //add agent bundle id quarantineAttributes[kLSQuarantineAgentBundleIdentifierKey] = [[NSBundle mainBundle] bundleIdentifier]; //add agent name quarantineAttributes[kLSQuarantineAgentNameKey] = [[[NSBundle mainBundle] infoDictionary] objectForKey:kCFBundleNameKey]; ... //manually add quarantine attributes to file [[NSURL fileURLWithPath:localFile] setResourceValues:@{NSURLQuarantinePropertiesKey: quarantineAttributes} error:NULL]; return; } $  xattr  -­‐l  ~/Downloads/eicar.com.txt
 com.apple.quarantine:   0000;55efddeb;downloader;ED9BFEA8-­‐10B1-­‐48BA-­‐87AF-­‐623EA7599481   
 $  dumpAttrs  ~/Downloads/eicar.com.txt            LSQuarantineAgentBundleIdentifier  =  "com.synack.downloader";          LSQuarantineAgentName  =  downloader;          LSQuarantineDataURL  =  "http://www.eicar.org/download/eicar.com.txt";          LSQuarantineEventIdentifier  =  "ED9BFEA8-­‐10B1-­‐48BA-­‐87AF-­‐623EA7599481";          LSQuarantineTimeStamp  =  "2015-­‐09-­‐09  07:21:15  +0000";          LSQuarantineType  =  LSQuarantineTypeWebDownload; consts in LSQuarantine.h manually set, quarantine attribute code to set a file's quarantine attribute
  • 14. or, apps can generically tell the OS to add it SETTING THE QUARANTINE ATTRIBUTE $  xattr  -­‐l  ~/Downloads/eicar.com.txt   com.apple.quarantine:  0000;55f139c4;downloader.app;   
 $  dumpAttrs  ~/Downloads/eicar.com.txt            LSQuarantineAgentName  =  "downloader.app";          LSQuarantineTimeStamp  =  "2015-­‐09-­‐10  08:05:24  +0000"; automatically (OS) set, quarantine attribute Info.plist keys: LSFileQuarantineEnabled "When the value of this key is true, all files created by the application process will be quarantined by OS X" -apple.com app's Info.plist file updated (LSFileQuarantineEnabled) $  grep  -­‐A  1  LSFileQuarantineEnabled  Info.plist      <key>LSFileQuarantineEnabled</key>      <true/>
  • 15. an overview GATEKEEPER IN ACTION Finder.app LaunchServices framework Quarantine.kext XPC request XPC request CoreServicesUIAgent XProtect framework Launchd
  • 16. handled by the launchservices framework LAUNCHING THE BINARY/APP Finder.app LaunchServices framework libxpc.dylib`_spawn_via_launchd LaunchServices`LaunchApplicationWithSpawnViaLaunchD LaunchServices`_LSLaunchApplication LaunchServices`_LSLaunch LaunchServices`_LSOpenApp LaunchServices`_LSOpenStuffCallLocal LaunchServices`_LSOpenStuff LaunchServices`_LSOpenURLsWithRole_Common LaunchServices`LSOpenURLsWithRole pid_t  _spawn_via_launchd(      const  char  *label,        const  char  *const  *argv,        const  struct  spawn_via_launchd_attr  *spawn_attrs,        int  struct_version     ); launch_priv.h (lldb)  x/s  $rdi   "[0x0-­‐0xb92b92].com.nsa.malware"   
 (lldb)  print  *(char**)$rsi   "~/Downloads/Malware.app/Contents/MacOS/Malware"
 
 (lldb)print  *(struct  spawn_via_launchd_attr*)$rdx   {          spawn_flags  =  SPAWN_VIA_LAUNCHD_STOPPED          ...   } call stack _spawn_via_launchd() XPC request 'spawn' attributes, etc.
  • 17. kernel-mode mac component POLICY ENFORCEMENT WITH QUARANTINE.KEXT Quarantine`hook_vnode_check_exec kernel`mac_vnode_check_exec kernel`exec_activate_image kernel`exec_activate_image kernel`posix_spawn kernel`unix_syscall64 kernel`hndl_unix_scall64 call stack Quarantine.kext Launchd XPC request hook_vnode_check_exec //bail if sandbox'ing not enforced cmp cs:_sandbox_enforce, 0 jz leaveFunction
 //bail if file previously approved call _quarantine_get_flags and eax, 40h jnz leaveFunction
 //bail if file is on read-only file system
 call _vfs_flags ; mnt flags test al, MNT_RDONLY
 jnz leaveFunction hook_vnode_check_exec (lldb)  print  *(struct  mac_policy_conf*)0xFFFFFF7F8B447110      mpc_name  =  0xffffff7f8b446c3a  "Quarantine"      mpc_fullname  =  0xffffff7f8b446cb0  "Quarantine  policy"      ...   quarantine policy
  • 18. first, the xpc request USER INTERACTION VIA CORESERVICESUIAGENT LaunchServices framework XPC request CoreServicesUIAgent (lldb)  po  $rax   {          LSQAllowUnsigned  =  0;          LSQAppPSN  =  3621748;          LSQAppPath  =  "/Users/patrick/Downloads/Malware.app";          LSQAuthorization  =  <bed76627  c7cc0ae4  a6860100  00000000  ...          LSQRiskCategory  =  LSRiskCategoryUnsafeExecutable;   } void ____LSAgentGetConnection_block_invoke(void * _block) { rax = xpc_connection_create_mach_service("com.apple.coreservices.quarantine-resolver", dispatch_get_global_queue(0x0, 0x0), 0x0); xpc_connection_set_event_handler(rax, void ^(void * _block, void * arg1) { return; }); xpc_connection_resume(rax); return; } getting XPC connection to CoreServicesUIAgent XPC message contents pseudo code
  • 19. -[CSUIController handleIncomingXPCMessage:clientConnection:]
 -[GKQuarantineResolver resolve] -[GKQuarantineResolver malwareChecksBegin] -[GKQuarantineResolver malwareCheckNextItem] mov rdi, cs:classRef_XProtectAnalysis mov rsi, cs:selRef_alloc call r15 ; _objc_msgSend mov rdi, rax mov rsi, cs:selRef_initWithURL_ mov rdx, r14 ;path to app call r15 ; _objc_msgSend -[XProtectAnalysis beginAnalysisWithDelegate:didEndSelector:contextInfo:] +[WorkerThreadClass threadEntry:] mov rdi, [rbp+staticCodeRef] lea rdx, [rbp+signingInfo] xor esi, esi ;flags call _SecCodeCopySigningInformation then, analysis via xprotect USER INTERACTION VIA CORESERVICESUIAGENT CoreServicesUIAgent XProtect framework (lldb)  po  $rdi   {      FileURL  =  "file:///Users/patrick/Downloads/Malware.app";      ShouldShowMalwareSubmission  =  0;      XProtectCaspianContext  =          {                  "context:qtnflags"  =  33;                  operation  =  "operation:execute";      };      XProtectDetectionType  =  3;      XProtectMalwareType  =  2;   } program control flow XProtectMalwareType meaning unsigned0x2 signed app0x5 modified app0x7 0x3 modified bundle
  • 20. finally, display the alert USER INTERACTION VIA CORESERVICESUIAGENT CoreServicesUIAgent mov rsi, cs:selRef_deny mov rdi, r14 call cs:_objc_msgSend_ptr -[GKQuarantineResolver deny] -[GKQuarantineResolver denyWithoutSettingState] mov rax, _OBJC_IVAR_$_GKQuarantineResolver__appASN mov rsi, [rdi+rax] mov edi, 0FFFFFFFEh mov edx, 2 call __LSKillApplication -[GKQuarantineResolver showGKAlertForPath:] -[GKQuarantineResolver alertForPath:malwareInfo:] mov rax, _OBJC_IVAR_$_GKQuarantineResolver__allowUnsigned mov rcx, [rbp+GKQuarantineResolver] cmp byte ptr [rcx+rax], 0
 lea rdi, cfstr_Q_headline_cas ; "Q_HEADLINE_CASPIAN_BAD_DISTRIBUTOR"
 mov rdi, cs:classRef_NSAlert mov rsi, cs:selRef_alloc call r12 ; _objc_msgSend $  less  QuarantineHeadlines.strings   <key>Q_HEADLINE_CASPIAN_BAD_DISTRIBUTOR</key>   <string>      “%@”  can’t  be  opened  because  it  is  from  an  unidentified  developer.   </string>   <key>Q_HEADLINE_CASPIAN_BLOCKED</key>   <string>      “%@”  can’t  be  opened  because  it  was  not  downloaded  from  the  Mac  App  Store.   </string> gatekeeper alert alert strings (QuarantineHeadlines.strings) alert customization application termination
  • 21. quarantine attributes updated, then application resumed WHAT IF THE APP CONFORMS & IS ALLOWED BY THE USER? -[GKQuarantineResolver approveUpdatingQuarantineTarget:recursively:volume:] call __qtn_file_get_flags or eax, 40h mov rdi, [rbp+var_B8] mov esi, eax call __qtn_file_set_flags updating quarantine attributes mov rsi, [r13+r14+0] mov rax, __kLSApplicationInStoppedStateKey_ptr mov rdx, [rax] mov edi, 0FFFFFFFEh xor r8d, r8d mov rcx, rbx call __LSSetApplicationInformationItem ;on error lea rsi, "Unable to continue stopped application" mov edi, 4 xor eax, eax mov edx, ecx call logError quarantine alert resuming application $  xattr  -­‐l  ~/Downloads/KnockKnock.app/Contents/MacOS/KnockKnock     com.apple.quarantine:  0001;55f3313d;Googlex20Chrome.app;FBF45932...   $  xattr  -­‐l  ~/Downloads/KnockKnock.app/Contents/MacOS/KnockKnock     com.apple.quarantine:  0041;55f3313d;Googlex20Chrome.app;FBF45932...   before & after
  • 23. ...unauthorized code should be blocked! RECALL; GATEKEEPER AIMS TO PROTECT block  unauthorized  code  from  the  internet gatekeeper in action XcodeGhost
  • 24. binaries downloaded via exploits GATEKEEPER SHORTCOMINGS "exploit payload downloads" "malware that comes onto the system through vulnerabilities...bypass quarantine entirely. The infamous Flashback malware, for example, used Java vulnerabilities to copy executable files into the system. Since this was done behind the scenes, out of view of quarantine, those executables were able to run without any user interactions" -www.thesafemac.com } download via shellcode
  • 25. downloading app, must 'support' quarantine attribute GATEKEEPER SHORTCOMINGS "the quarantine system relies on the app being used for downloading doing things properly. Not all do, and this can result in the quarantine flag not being set on downloaded files" -www.thesafemac.com $  xattr  -­‐p  com.apple.quarantine  Adobe  Photoshop  CC  2014.dmg     xattr:  Adobe  Photoshop  CC  2014.dmg:  No  such  xattr:  com.apple.quarantine no quarantine attribute :( vb201410-iWorm.pdf iWorm infected applications uTorrent attribute added?
  • 26. allowing unsigned code to execute GATEKEEPER BYPASSES 2014 2015 CVE  2014-­‐8826   (patched) CVE  2015-­‐3715   (patched) today "runtime shenanigans" dylib hijacking malicious jar file required java }default OS install unpatched
  • 27. (dylib) hijacking external content GATEKEEPER BYPASS 0X1 (CVE 2015-3715) find an signed app that contains an external, relative dependency to a hijackable dylib create a .dmg/.zip with the necessary folder structure (i.e. placing the malicious dylib in the externally referenced location) host online or inject verified, so can't modify .dmg/.zip layout (signed) application <external>.dylibgatekeeper only verified the app bundle! wasn't verified! white paper
 www.virusbtn.com/dylib
  • 28. a signed app that contains an external dependency to hijackable dylib GATEKEEPER BYPASS 0X1 (CVE 2015-3715) $  spctl  -­‐vat  execute  /Applications/Xcode.app/Contents/Applications/Instruments.app   Instruments.app:  accepted   source=Apple  System $  otool  -­‐l  Instruments.app/Contents/MacOS/Instruments   Load  command  16                      cmd  LC_LOAD_WEAK_DYLIB                    name  @rpath/CoreSimulator.framework/Versions/A/CoreSimulator   
 Load  command  30                      cmd  LC_RPATH                    path  @executable_path/../../../../SharedFrameworks spctl tells you if gatekeeper will accept the app Instruments.app - fit's the bill
  • 29. create a .dmg with the necessary layout GATEKEEPER BYPASS 0X1 (CVE 2015-3715) required directory structure 'clean up' the .dmg ‣ hide files/folder ‣ set top-level alias to app ‣ change icon & background ‣ make read-only (deployable) malicious .dmg
  • 30. host online or inject into downloads GATEKEEPER BYPASS 0X1 (CVE 2015-3715) quarantine popup (anything downloaded) gatekeeper setting's (maximum) quarantine alert gatekeeper bypass :) unsigned (non-Mac App Store) code execution!!
  • 31. runtime shenanigans GATEKEEPER BYPASS 0X2 find any signed app that at runtime, loads and executes a relatively external binary create a .dmg/.zip with the necessary folder structure (i.e. placing the malicious binary in the externally referenced location) verified, so can't modify .dmg/.zip layout (signed) -application <external> binary gatekeeper only statically verifies the app bundle! (still) isn't verified! host online/inject into insecure downloads
  • 32. example 1: Adobe (Photoshop, etc) GATEKEEPER BYPASS 0X2 Q:  Can  I  add/modify  files  in  my  signed  (app)  bundle? 3rd party plugins, etc. -> go outside the bundle! A: "This is no longer allowed. If you must modify your bundle, do it before signing. If you modify a signed bundle, you must re-sign it afterwards. Write data into files outside the bundle" -apple.com app bundle validates! NSString* pluginDir = APPS_DIR + @"../Plug-ins"; for(NSString* plugins in pluginDir) { //load plugin dylib! } plugin loading pseudo code not validated gatekeeperiWorm vs. movie time! } Adobe Photoshop
  • 33.
  • 34. example 2: Apple (redacted) GATEKEEPER BYPASS 0X2 //execute reacted redacted() { //redacted redacted = redacted() execv(redacted, ....) } //redacted char* redacted() { //redacted redacted = redacted() //redacted redacted = redacted(redacted) ... //redacted return redacted } $  spctl  -­‐vat  execute  redacted/redacted/redacted/redacted   redacted/redacted/redacted/redacted:  accepted   source=Apple  System gatekeeper, happy with redacted $  xattr  -­‐l  *   redacted:  com.apple.quarantine:  0001;55ee3bea;Googlex20Chrome.app   redacted:  com.apple.quarantine:  0001;55ee3bea;Googlex20Chrome.app   $  codesign  -­‐dvv  redacted     redacted:  code  object  is  not  signed  at  all ...but redacted is unsigned redacted's pseudo code
  • 35. example 2: Apple (redacted) GATEKEEPER BYPASS 0X2 gatekeeper setting's (max.) alias to redacted ...name & icon attacker controlled apple-signed redacted .app extension prevents Terminal.app popup unsigned redacted command-line executable unsigned application only visible item }hide unsigned code execution .dmg setup
  • 37. a suggestion to thwart runtime bypasses? VALIDATE ALL BINARIES AT RUNTIME! Quarantine.kext or executable dylib exec hook dlopen hook } BOOL isQuarantined() { //get flags call _quarantine_get_flags test eax, eax jz notQ //first time exec/loaded? and eax, 40h jz notQ //file has quarantine bit set! // ->log & return TRUE, to alert } checking quarantine attributeetc... alert on all unauthorized code
  • 39. GATEKEEPER theory (or, apple marketing) protects naive OS X users from attackers protects naive OS X users from lame attackers "omg, my mac is so secure, no need for AV" -mac users GATEKEEPER the unfortunate reality highly recommend; 3rd-party security tools & false sense of security?
  • 40. MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company i beg to differ! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 41. free security tools & malware samples OBJECTIVE-SEE os x malware samples KnockKnock BlockBlock TaskExplorer
  • 42. QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;)
  • 43. credits - http://wirdou.com/2012/02/04/is-that-bad-doctor/ - thezooom.com - http://th07.deviantart.net/fs70/PRE/f/2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg 
 - iconmonstr.com - flaticon.com
 
 
 
 - thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - https://securosis.com/blog/os-x-10.8-gatekeeper-in-depth images resources