APFS has become the de facto file system for macOS and iOS as of 10.13/10.3, but what do we really know about it? Apple has promised the spec would be released "later this year" ... over two years ago!
Reversing the complex filesystem structures, container blocks, snapshots and trees is a lousy job, but someone had to do it. Jonathan will present the unofficial APFS specification as it appears in Volume II of the "*OS Internals" trilogy, and present a free tool for inspecting and traversing APFS partitions and disk images for MacOS, iOS - and Linux.
From a security point of view, many see Apple's 'walled garden' ecosystem as paradise on earth. And to be fair, Cupertino's products have never suffered from a global epidemic, nor are they as commonly infected as their Windows counterparts. But is this security, at least on macOS, a facade? Perhaps!
In this talk, we'll start by looking at the public malware threats currently targeting macOS in 2018. Though these specimens are rather unsophisticated, things could be much worse. To support this claim, we'll discuss a myriad of recent security flaws in macOS, many of which, such as #iamroot, should never have made it into production code! And what about 0days? Maybe we'll drop one as well ;)
Luckily it's not all doom and gloom for Mac users, as Mojave promises to be the most secure version of macOS ever. After examining some of the baked-in security mechanisms of this new OS we'll discuss how 3rd-party security tools still play an essential role ensuring that the Garden remains secure!
Macintosh applications are almost always code signed today, which is a very good thing. Unfortunately, there is a serious flaw in how macOS handles code signatures that can lead to a false sense of security. Most Mac users, and even most Mac admins, are unaware of these flaws.
Because macOS checks code signatures very infrequently, it is easily possible to hijack a legitimate application that is already installed on the system without triggering any kind of code signature check. Worse, most developers are not aware of this, and do not add their own code signature self-checks. This means that there are countless vulnerable Mac applications in existence on the market.
This is extremely easy to exploit, as will be demonstrated. Fortunately, the talk will also describe steps developers can take to prevent their apps from being abused in this manner, as well as some ways admins can flag potential problems with applications on their endpoints, and techs can use while troubleshooting issues.
Although there is currently no malware known to be taking advantage of this issue, it could easily happen in the future. As macOS appears to be behaving as designed, it will fall on the shoulders of developers to ensure their apps are not vulnerable to such threats.
Pattern-of-life data can tell a story about how a device and its user interact with each other. A user of a Mac or iPhone may have no idea how intimate a picture can be extracted from the analytical data on their device; an extremely creepy and granular picture, in many cases. This data can be used in a variety of forensic investigations, from criminal matters to device intrusions, but may end up being a privacy nightmare if it were to fall into the wrong hands.
This data tends to be stored in a variety of databases, and correlating it for analysis purposes can be difficult. Each database can hold different types of data, retain it for a different period of time, and have different storage mechanisms for its entries.
Each small seed of data can grow into a database providing delicious fruit that can be harvested to create a damn good apple pie. This presentation will show where each seed is stored, what type of apple it is, and how to make the most of it.
Macs are becoming commonplace in corporate environments as an alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an Active Directory domain and ripe for attackers to leverage for initial access and lateral movement.
Mac malware is evolving as Apple computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting macOS systems in an enterprise environment. Despite advancements in macOS security tooling for a single user/endpoint, little is known and discussed regarding detection at an enterprise level.
This talk will discuss common tactics, techniques and procedures used by attackers on macOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their macOS fleet.
Apple has greatly improved macOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented and whether it poses a viable attack vector. What began as a seemingly absurd question ended with full userspace control and a SIP bypass.
In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability and how to exploit the bug to execute code with full system privileges, including the task_for_pid-allow entitlement which grants control over any userspace process. Using this technique, we can then spawn a "rootless shell" in which SIP's filesystem protections are disabled.
The talk will assume basic familiarity with macOS, but I'll cover the concepts we'll need (Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation are available online.
Leveraging Apple's Game Engine for Advanced Threat Detection
Josh Stein / Jon Malm
It is well understood that traditional anti-virus products struggle to detect advanced Mac malware. To uncover such threats, clearly a behavior-based approach is needed.
We'll begin this talk, by discussing our open-source monitoring framework ('MonitorKit') which passively collects a myriad of system events.
But what good are a steady stream of events, if they cannot be intelligently and efficiently processed? Enter: Apple's built-in game engine. By means of this highly optimized logic engine, we can quickly and efficiently apply analytics against these collected events to detect both anomalous and malicious events!
End result? A comprehensive, extensible detection, response and threat hunting platform. To illustrate the real-world efficacy of this novel approach, we'll pit it against recent Mac malware, which honestly never stood a chance!
In the last few years, macOS backdoors have become a hot topic in the industry. What used to be a rare occurrence in the wild is happening more and more frequently. Yet as this topic grows in popularity, the details of post-exploitation in Mac intrusions remain a mystery.
This talk aims to fill that gap by showing attendees a full Mac intrusion performed by a hostile adversary. Process visualizations, command lines, and other artifacts will be shared from real world intrusions revealing how they got in, what commands were used to move laterally, and how they manually set up their backdoors while trying to fly under the radar. Some Linux attack details will be shared as well due to a lot of tools, techniques, and procedures being cross-platform.
From banking details to glimpses of passwords, there are lots of valuable data elements on your screen. Unfortunately, as far as Apple's Mac is concerned, this information is up for grabs to whoever gets there first. This is due to the lack of protections surrounding the pixel-grabbing APIs of the operating system. With easy access to computer vision libraries and services, attackers can track screens at scale to pick out only the useful information.
Apple ships a screen capture utility to make it easy for the user to take screenshots. In this presentation, we will lift the bonnet of this utility to learn about the APIs surrounding screen grabbing. Armed with that knowledge, we will explore discovered malware that takes screenshots. Then, we will build better, stealthier malware as an educational exercise. And finally, we will explore some options for improving the security of the operating system so that the user can continue enjoying the convenience of taking screenshots but malware would have to work harder.