Conference Talks
All talk recordings have now been uploaded to our YouTube channel.
A Few JSC Tales
Luca Todesco (@qwertyoruiopz), Independent Security Researcher (read: full bio).
Luca Todesco (@qwertyoruiopz), Independent Security Researcher (read: full bio).
talk 
talk
Luca (aka @qwertyoruiopz) is a talented young Italian security researcher who likes looking into hardened devices. He released Yalu jailbreak for 10.2 last year and introduced way to fully bypass KPP.
He has hacked devices like iPhone, PS4 and Nintendo Switch.
He has hacked devices like iPhone, PS4 and Nintendo Switch.
The landscape of RCE vulnerabilities for iOS is quickly changing due to ever-increasing mitigations. This talk will go through an old WebKit RCE vulnerability to demonstrate a common bug class and the impact of mitigations on its exploitations.
Additionally, an example of a high quality bug in the JavaScript engine capable of bypassing all current mitigations will be shown.
KeySteal: A Vulnerability in Apple's Keychain
Linus Henze (@linushenze), Independent Security Researcher (read: full bio).
Linus Henze (@linushenze), Independent Security Researcher (read: full bio).
Linus Henze is an independent Security Researcher from Germany. In addition he's currently studying CS. He enjoys finding vulnerabilities in macOS/iOS and publishes them on his website pinauten.de (and Twitter of course). His passion is fighting for a macOS bug bounty program!
When he was 15, he released a bypass for Apple's newly introduced "System Integrity Protection". In 2018 he found a critical vulnerability in WebKit, tweeting "Want a free Safari 0day? Please don't do evil stuff with this." Earlier this year he became well known for demonstrating a critical vulnerability in the macOS Keychain, refusing to submit details to Apple because of a missing bug bounty program for macOS.
When he was 15, he released a bypass for Apple's newly introduced "System Integrity Protection". In 2018 he found a critical vulnerability in WebKit, tweeting "Want a free Safari 0day? Please don't do evil stuff with this." Earlier this year he became well known for demonstrating a critical vulnerability in the macOS Keychain, refusing to submit details to Apple because of a missing bug bounty program for macOS.
What do your iCloud, Slack, MS Office, etc. credentials have in common? Correct, they're all stored inside your Mac's Keychain. While the Keychain is great because it prevents all those annoying password prompts from disturbing you, the ultimate question is: Is it really safe? Does it prevent malicious Apps from stealing all my passwords?
In this talk I will try to answer those questions, showing you how the Keychain works and how it can be exploited by showing you the full details of my KeySteal exploit for the first time. The complete exploit code will be available online after the talk.
vm_map'ping out XNU virtual memory
Ian Beer (@i41nbeer), Security Researcher at Google Project Zero (read: full bio).
Ian Beer (@i41nbeer), Security Researcher at Google Project Zero (read: full bio).
Ian Beer finds bugs at Google.
Virtual memory management is a fundamental and highly complex part of any operating system; XNU's implementation is no exception. As with any sufficiently complex system, virtual memory management comes with its own vulnerability classes.
In this talk we'll cover some XNU virtual memory fundamentals and take a look at CVE-2019-6205 as a case study for what can go wrong, and how to exploit it when it does.
Watching the Watchers
Sarah Edwards (@iamevltwin), Forensic Analyst / Principal Instructor at SANS Forensics (read: full bio).
Sarah Edwards (@iamevltwin), Forensic Analyst / Principal Instructor at SANS Forensics (read: full bio).
Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism.
Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at the following industry conferences; Shmoocon, CEIC, Bsides*, TechnoSecurity, HTCIA and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the new SANS Mac Forensic Analysis Course - FOR518.
Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at the following industry conferences; Shmoocon, CEIC, Bsides*, TechnoSecurity, HTCIA and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the new SANS Mac Forensic Analysis Course - FOR518.
Forensic analysis is sometimes all about grasping for straws. You never know what time little piece of data can make a difference in an investigation. We focus so much on native forensic artifacts that we lose sight of what third party applications provide us. I’m a huge proponent of having monitoring tools to keep track of what is happening on my system and to (hopefully) protect it. These tools are inherently monitoring the system, what data can they provide to forensic investigators?
This talk will go through some of the most popular monitoring utilities to show what they record and how that can help move forward investigations. Objective-See, Little Snitch, iStat Menus, AV, and more!
Gaining Root with Harmless AppStore Apps
Csaba Fitzl (@theevilbit), macOS Security Researcher (read: full bio).
Csaba Fitzl (@theevilbit), macOS Security Researcher (read: full bio).
Csaba graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big networks. After that he started to work as a blue teamer, focusing on network forensics, malware analysis and kernel exploitation. Currently he works in a red team, where he spends most of his time simulating adversary techniques and doing pentents. He gave talks / workshops on various international IT security conferences, including Hacktivity, hack.lu, hek.si, SecurityFest, DEFCON and BSidesBUD. He is the author of the 'kex' kernel exploitation Python toolkit.
Csaba spends his free time with his family, practices ashtanga yoga before sunrise or simply hikes in the mountains.
Csaba spends his free time with his family, practices ashtanga yoga before sunrise or simply hikes in the mountains.
This talk is about my journey from trying to find dylib hijacking vulnerability in a particular application to finding a privilege escalation vulnerability in macOS. During the talk I will try to show the research process, how did I moved from one finding to the next and I will also show many of the failures / dead ends I had during the exploit development.
First I will briefly cover what is a dylib hijacking, and what is the current state of various application regarding this type of vulnerability. We will see how hard is to exploit these in many cases due to the fact that root access is required.
Second I will cover two seemingly harmless bugs affecting the installation process of AppStore apps, and we will see how can we chain these together in order to gain root privileges - for this we will utilise a completely benign app from the macOS App Store. Part of this I will cover how can we submit apps to the store, and what are the difficulties with that process.
In the last part I will cover how we can infect and include our malicious file in an App installer without breaking the App’s signature.
Malware Behavior on macOS
Thomas Reed (@thomasareed), Director of Mac & Mobile at Malwarebytes (read: full bio).
Thomas Reed (@thomasareed), Director of Mac & Mobile at Malwarebytes (read: full bio).
Thomas Reed has been a Mac user since 1984, and is a self-taught developer and security researcher. He is the founder of The Safe Mac and creator of the AdwareMedic adware removal tool for Macs.
He is currently Director of Mac & Mobile at Malwarebytes, where he directs product development and Mac security research. His hobbies include hiking and photography, and he is happily married with four children.
He is currently Director of Mac & Mobile at Malwarebytes, where he directs product development and Mac security research. His hobbies include hiking and photography, and he is happily married with four children.
Malware on macOS is typically pretty easy to spot. However, this doesn't have to be the case, and speaks more about the laziness of malware creators than the inherent security of macOS. If all you're looking for are launch agents, launch daemons, and login items, you'll be missing a lot.
Learn more about interesting persistence methods, suspicious behaviors, and other techniques used by existing Mac malware - or that could potentially be used in the future by Mac malware - so that you can learn better malware hunting techniques.
0dayz of our Life
Joshua Hill (@p0sixninja), Chief Research Officer at Sudo Security Group (read: full bio).
Joshua Hill (@p0sixninja), Chief Research Officer at Sudo Security Group (read: full bio).
Joshua Hill (aka @p0sixninja), has been an inspirational (yet sometimes controversial) figure in the iOS Jailbreaking scene for many years. He was the chief architect and developer for the software used in the GreenPois0n and Absinthe jailbreaks, and also performed research to help find and exploit many of the vulnerabilities used.
He currently works as the CRO of Sudo Security Group, the company creating Guardian Mobile Firewall; the first and only smart firewall for iOS.
He currently works as the CRO of Sudo Security Group, the company creating Guardian Mobile Firewall; the first and only smart firewall for iOS.
In 1997 Apple released the first iMac (in many colors). Shortly thereafter MacOS9 shipped with a myriad of new features. One such feature, support for serial line modems, was flawed.
Since then, (until rather recently!) ever single Mac has been vulnerable. In this talk I'll walk through how I approached finding the vulnerability and developed a full persistence root exploit chain ...from start to finish.
Bash-ing Brittle Indicators: Red Teaming macOS without Bash or Python
Cody Thomas (@its_a_feature_), Senior Operator, Trainer, & Developer at SpecterOps (read: full bio).
Cody Thomas (@its_a_feature_), Senior Operator, Trainer, & Developer at SpecterOps (read: full bio).
Cody Thomas is a Senior Operator, Trainer, and developer at SpecterOps where he focuses on macOS and *nix devices.
In his spare time, he maintains an open source framework for collaborative red teaming across different operating systems called Apfell. Previously, he created the initial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team at MITRE.
In his spare time, he maintains an open source framework for collaborative red teaming across different operating systems called Apfell. Previously, he created the initial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team at MITRE.
On macOS, defenders are watching shell scripts, a few common binaries, and python usage as easy tell-tale signs of red teamers. After all, it's very anomalous for HR to start running Python, Perl, or Ruby, and Marketing employees never run shell commands. As EDR products and defenders start to get more adept at looking into macOS, it's time for red teamers to start adapting as well. The question becomes: what should you use for an agent? If only macOS had a native scripting capability geared towards automating tasks common across all disciplines that is meant to be accessible even to non-programmers.
In this talk, I'll go into the research, development, and usage of a new kind of agent based on JavaScript for Automation (JXA) and how it can be used in modern red teaming operations. This agent is incorporated into a broader open source project designed for collaborative red teaming I created called Apfell. I will discuss TTPs for doing reconnaissance, persistence, injection, and some keylogging all without using a shell command or spawning another scripting language. I will go into details of how JXA can be used to create an agent complete with encrypted key exchange for secure communications, domain fronting C2, and modular design to load or change key functionality on the fly. I will also cover the defensive considerations of these TTPs and how Apple is starting to secure these capabilities going forward.
Detecting macOS Compromise with Venator
Richie Cyrus (@rrcyrus), Senior Consultant at SpecterOps (read: full bio).
Richie Cyrus (@rrcyrus), Senior Consultant at SpecterOps (read: full bio).
Richie Cyrus is a Senior Consultant at SpecterOps, with experience in incident response, digital forensics, network forensics, and security operations within the Fortune 500 & Federal Government.
He specializes in detection of advanced adversaries with a focus in MacOS and Linux environments. Richie currently maintains a DFIR focused blog at https://medium.com/securityneversleeps.
He specializes in detection of advanced adversaries with a focus in MacOS and Linux environments. Richie currently maintains a DFIR focused blog at https://medium.com/securityneversleeps.
Various solutions exist to detect malicious activity on macOS. However, they are not intended for enterprise use or involve installation of an agent. This session will introduce and demonstrate how to detect malicious macOS activity using the tool Venator.
Venator is a python based macOS tool designed to provide defenders with the data to proactively identify malicious macOS activity at scale. This data can then be imported into a SIEM for the purpose of building robust analytics during hunting engagements.
Hypervisor-based Analysis of macOS Malware
Felix Seele (@c1truz_), Technical Lead at VMRay (read: full bio).
Felix Seele (@c1truz_), Technical Lead at VMRay (read: full bio).
Felix works as a Software Engineer at VMRay where he develops hypervisor-based malware analysis solutions for macOS and Windows.
He started programming by teaching himself Objective-C in high-school to write cool iPhone applications. Later, he found his way into malware research and received a master’s degree in IT Security at Ruhr-Universität Bochum, Germany. In his free time, Felix enjoys climbing, photography and cooking spicy food.
He started programming by teaching himself Objective-C in high-school to write cool iPhone applications. Later, he found his way into malware research and received a master’s degree in IT Security at Ruhr-Universität Bochum, Germany. In his free time, Felix enjoys climbing, photography and cooking spicy food.
With macOS malware on the rise, businesses need an effective way to analyze large amounts of potentially malicious files and detect even previously unknown threats. Malware sandboxes which record and analyze the behavior of an executable in an isolated environment are one such tool.
We developed the first hypervisor-based macOS malware sandbox which is able to trace the behavior of a target process from high-level Objective-C calls down to the syscall level without kernel extensions, hooking or any kind of modification of the guest OS. Our hypervisor-based approach ensures evasion resistance while profiting from the performance of hardware-assisted virtualization.
In this technical talk, we will begin by introducing the concepts of Two-Dimensional Paging, Intermodular Transition Monitoring and Virtual Machine Introspection (VMI) which are the foundation of our work. Next, we will dive into the nitty-gritty details of the macOS kernel and userspace architecture and demonstrate how we use VMI to reconstruct relevant aspects of the guest VM. We show how different means of inter-process communication can be used by malware to evade dynamic analysis systems and how we can thwart these evasion attempts. Finally, we demonstrate our results using real-world malware samples.
Herding cattle in the desert: How malware actors have adjusted to new security enhancements in Mojave
Omer Zohar (@platdrag), VP Research and Labs, Airo Security (read: full bio).
Omer Zohar (@platdrag), VP Research and Labs, Airo Security (read: full bio).
A security researcher for over a decade, Omer has been conducting multidisciplinary research on malware behavior and how to detect them. Omer is currently Heading the research team at Airo Security and manages the Lab Operations, dedicated to hunting Mac Malware and Protecting Mac Consumers.
Previously, as Head of Research for TopSpin Security, where he investigated malware C&C infrastructure and protocols to create a behavior based detection engine that correlates over a time series network and reputation data along with a deception overlay. He authored 'Deceive and Succeed: Using Deception for Post-Breach Detection' (Defcon 2016) where he investigated how malicious actors interact with various deception mechanisms to measure their effectiveness.
Previously, as Head of Research for TopSpin Security, where he investigated malware C&C infrastructure and protocols to create a behavior based detection engine that correlates over a time series network and reputation data along with a deception overlay. He authored 'Deceive and Succeed: Using Deception for Post-Breach Detection' (Defcon 2016) where he investigated how malicious actors interact with various deception mechanisms to measure their effectiveness.
Malware on the Mac has always been like a unicorn - a creature from folk tales. But in recent years what was thought of as a unicorn, turned out to be a shadow of a horse with a wooden peg on his head: a story being told to give users a (false) sense of security.
Mac malware is on the rise, at an alarming rate. Estimations indicate that over 12% of Macs showed malicious activity in the past year. Most common types are adware, monetizing malware and scareware such as fake cleaners.
In contrast, each new version of macOS introduce improved security mechanisms, supposedly setting a higher bar for successful infection. Mechanisms such as Quarantine, SIP and GateKeeper verify software integrity, and make changes to user and OS settings more difficult, TCC (Transparency, Consent, and Control) requires stricter user consent during app installation, while XProtect and MRT finish off with rules to detect malicious files.
Still, Mac Malware is on the rise, with 12M infected machine identified in 2018 alone, while the YoY growth of infection has been over 100% since 2016. A clear signal that bad guys adapt fast.
In this talk, we’ll deep dive into recent security changes in MacOS Mojave & Safari and examine how these updates impacted actors of highly distributed malware in terms of number of infections, and more importantly - monetization.
We’ll take a look at malware actors currently infecting machines in the wild (Bundlore and Genio to name a few) - and investigate how their tactics evolved after the update: From vectors of infection that bypass Gatekeeper, getting around the new TCC dialogs, hijacking search in a SIP protected Safari, to persistency and reinfection mechanisms that ultimately turn these ‘annoying PUPs’ into a fully fledged backdoored botnet.
Fun with Mac Malware Attribution
Josh Long (@theJoshMeister), Chief Security Analyst, Intego (read: full bio).
Josh Long (@theJoshMeister), Chief Security Analyst, Intego (read: full bio).
Joshua Long, Intego’s Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Business Administration and Computer and Information Security.
His research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, MacTech Magazine, Naked Security, and The Mac Security Blog.
His research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, MacTech Magazine, Naked Security, and The Mac Security Blog.
Malware attribution—figuring out who created a particular piece of malware, and the motivation behind its creation—is a fun puzzle to solve. We’ll take a look at some entertaining, true stories of how Mac malware has been tied to its creators.
We’ll also take a look at why attribution is important, what makes it challenging for researchers, and the importance of creative thinking when identifying adversaries.
Never Before Had Stierlitz Been So Close To Failure
Sergei Shevchenko, Threat Research Manager at Sophos (read: full bio).
Sergei Shevchenko, Threat Research Manager at Sophos (read: full bio).
Sergei Shevchenko has more than 17 years of professional experience reverse engineering malware and is a recognized expert in his field. His analysis of high-profile malware attacks, including previous years' Bangladesh Bank heist, attacks on Polish and other banks, recent cyber espionage within managed service providers and ransomware attacks affecting thousands of vital service organizations globally, is the go-to information source for risk and technology officers and their teams around the world. He manages our threat research team in Sydney.
One of the fairly popular macOS bundleware exemplars presented in this research employs techniques that any seasoned threat researcher will find ...rather amusing. Not only it employs anti-debugging, strings/API encryption, Mach-O runtime decompression techniques. Its developers went as far as embedding a full backdoor component into the installer, granting it capabilities that extend way beyond what one might expect from an installation software.
The power given to the installer practically enables full control over the target system. Even if it was done so that the company behind it had 'advanced analytics' or an ability to push any third-party software it wants, what happens if this power is abused?
Boasting 'millions of downloads' (whether it's true or not), this particular bundleware has potential access to a large number of Macs around the world. Given the amount of power it aggregates, it is a matter of duty for the security folks to have a closer look into this software.
In this research, we'll dive into the installer's Mach-O binary to demonstrate how it piggy-backs on 'non-lazy' Objective-C classes, the way it dynamically unpacks its code section in memory and decrypts its config. An in-depth analysis will reveal the structure of its engine and a full scope of its hidden backdoor capabilities, anti-debugging, VM evasion techniques and other interesting tricks that are so typical to the Windows malware scene but aren’t commonly found in the unwanted apps that claim to be clean, particularly on the Mac platform.
This talk reveals practical hands-on tricks used in Mach-O binary analysis under a Hackintosh VM guest, using LLDB debugger and IDA Pro disassembler, along with a very interesting marker found during such analysis. Curious to learn what that marker was? Willing to see how far the Mac-specific techniques evolved in relation to Windows malware?
Bad Things in Small Packages
Jaron Bradley (@jbradley89), Senior Research Developer at CrowdStrike (read: full bio).
Jaron Bradley (@jbradley89), Senior Research Developer at CrowdStrike (read: full bio).
Jaron started his career out of college as an incident responder for APT based intrusions. From there he went on to CrowdStrike where he’s done work in many different areas including intrusion analysis and detection engineering. He now continues to work at CrowdStrike on a small R&D team. A large portion of his time is spent investigating Mac based intrusions and detections as he prefers the platforms that are given little attention in the security industry.
Jaron is the author of the book OS X Incident Response Scripting and Analysis. He loves these conferences because he lives in Michigan and sometimes forgets what warmth feels like.
Jaron is the author of the book OS X Incident Response Scripting and Analysis. He loves these conferences because he lives in Michigan and sometimes forgets what warmth feels like.
This talk will primarily focus on the work that went into discovering CVE-2019-8561. The vulnerability exists within PackageKit that could lead to privilege escalation, signature bypassing, and ultimately the bypassing of Apple's System Integrity Protection (SIP).
This vulnerability was patched in macOS 10.14.4, but the details behind this exploit have not been documented anywhere prior to this conference!
Peeling back the 'Shlayers' of macOS Malware
Erika Noerenberg (@gutterchurl), Senior Threat Researcher at Carbon Black (read: full bio).
Josh Watson (@josh_watson), Senior Security Engineer at Trail of Bits (read: full bio).
Erika Noerenberg (@gutterchurl), Senior Threat Researcher at Carbon Black (read: full bio).
Josh Watson (@josh_watson), Senior Security Engineer at Trail of Bits (read: full bio).
Erika Noerenberg is a Senior Threat Researcher with Carbon Black’s Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development.
Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the Department of Defense and FBI.
Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the Department of Defense and FBI.
Josh Watson is a Senior Security Engineer with Trail of Bits. An acknowledged Binary Ninja expert, he has both presented talks and taught training courses at conferences on automating analysis with Binary Ninja.
In his spare time, he hosts a Twitch stream in which he writes tools and reverse engineers binaries with Binary Ninja for a live audience.
In his spare time, he hosts a Twitch stream in which he writes tools and reverse engineers binaries with Binary Ninja for a live audience.
In February of 2019, researchers at Intego reported on a family of macOS malware they had newly discovered in the wild, which they named Shlayer. In November 2018, Carbon Black researchers saw an increase in infections from malware later identified to be Shlayer and began deeper investigation. The sites serving out this malware - mostly as fake Adobe Flash updates or malicious browser extensions - employed increasing levels of anti-analysis based on system and location fingerprinting to hinder harvesting of samples. Digging deeper into analysis, we found that these samples were signed with legitimate Apple developer IDs and used legitimate system applications via bash to conduct all installation activity, complicating detection. Furthermore, these samples were observed to achieve privilege escalation by use of the deprecated AuthorizationExecuteWithPrivileges API.
In this talk we will provide a technical overview of exemplary samples of Shlayer, including site discovery, distribution techniques, obfuscation, privilege escalation, and behavior. We will also discuss the difficulties of analyzing macOS malware, as traditional disassemblers aren't enlightened to the inner workings of Objective-C. To address this gap in malware analysis tooling, we will present newly developed plugins for Binary Ninja that improve Objective-C analysis, including structure recovery and rendering objc_msgSend calls in a more readable format. Finally, we will demonstrate how our toolset aided in analysis of the Shlayer malware family. These tools will be released to the public after the talk.
Root Canal
Samuel Keeley (@keeleysam), Security Engineer at Airbnb (read: full bio).
Samuel Keeley (@keeleysam), Security Engineer at Airbnb (read: full bio).
Samuel is a Security Engineer focused on user endpoints and access management at Airbnb.
Apple released System Integrity Protection/rootless with OS X El Capitan almost four years ago.
The root account is still there, and many common pieces of software open the Mac up to simple root escalations - including common macOS management tools. How can we detect these vulnerabilities across our Mac fleets? What can root still be abused for in 2019?
An 0day in macOS
Patrick Wardle (@patrickwardle), Chief Research Officer at Digita Security (read: full bio).
Patrick Wardle (@patrickwardle), Chief Research Officer at Digita Security (read: full bio).
Patrick Wardle is the Chief Research Officer at Digita Security and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.
Let's talk about a powerful 0day in macOS Mojave.