Exploring Yosemite: Abusing Mac OS X 10.10

Presented at Black Hat Europe 2014, Oct. 17, 2014, 3:30 p.m. (60 minutes)

Mac OS X 10.10 Yosemite is about to be released. It brings many new features as well as security improvements. In the first part of the talk, we review these improvements from both the defensive and the offensive perspective: which problems they solve, which new issues they introduce, and which old tricks still work.

In the second part, we try several ways to abuse Mac OS X 10.10 and show that running malware, and even a rootkit, is still not a problem. A number of new offensive techniques are introduced, in both kernel mode and user mode: loading an unsigned kernel module without any warning, manipulating kernel objects (rootkit) to evade detection, very stealthy ways to launch malware, and more. All of the tricks were tested on Mac OS X 10.10.

Besides the offensive side, we also release a security tool in this talk: a comprehensive rootkit and anomaly scanner we call SVV-X (System Virginity Verifier for Mac OS X, including 10.10). The tool covers not only basic checks such as hooks on the syscall table, the mach trap table and the IDT, critical data verification, and kernel code integrity, but also checks for many user-mode tricks.
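The following is an added illustration of the kind of dispatch-table check the abstract lists (syscall table, mach trap table, IDT hooks); it is not code from SVV-X or from the talk. It models a kernel dispatch table as an array of handler addresses and applies the two checks a scanner of this type typically combines: every handler must lie inside the kernel's own text segment, and every handler must match a known-good baseline snapshot. The `__TEXT` bounds, the table contents and all addresses are constructed for the example; a real checker would read the segment bounds from the running kernel's Mach-O load commands and take the baseline from the kernel image on disk or at boot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a kernel dispatch table check (sysent, mach_trap_table, IDT).
 * Everything here is constructed for illustration: the address ranges,
 * the table contents and the names are assumptions, not values taken
 * from XNU or from SVV-X. */

/* Assumed bounds of the kernel's __TEXT segment.  A real checker reads
 * them from the running kernel's Mach-O load commands. */
#define KTEXT_START 0xffffff8000200000ULL
#define KTEXT_END   0xffffff8000a00000ULL

#define NENTRIES 8

/* Reasons an entry is flagged. */
enum {
    HOOK_OUT_OF_TEXT = 1,  /* handler points outside kernel __TEXT (e.g. into a kext) */
    HOOK_CHANGED     = 2   /* handler differs from the known-good baseline */
};

/* FNV-1a over the raw table bytes: a cheap whole-table content check
 * that can be compared against a hash recorded at a trusted time. */
uint64_t fnv1a(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Compare a live table against a baseline snapshot.  Returns the number of
 * suspicious entries and records a reason mask per entry in flags[]. */
int check_table(const uint64_t *live, size_t n, const uint64_t *base, unsigned *flags)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        flags[i] = 0;
        if (live[i] < KTEXT_START || live[i] >= KTEXT_END)
            flags[i] |= HOOK_OUT_OF_TEXT;
        if (live[i] != base[i])
            flags[i] |= HOOK_CHANGED;
        if (flags[i])
            bad++;
    }
    return bad;
}

/* Constructed sample: a clean baseline and a live copy with two hooks.
 * Entry 3 is redirected into a kext (outside __TEXT); entry 5 is redirected
 * to another address inside __TEXT, which only the baseline diff catches. */
const uint64_t sample_baseline[NENTRIES] = {
    0xffffff8000301000ULL, 0xffffff8000302000ULL, 0xffffff8000303000ULL,
    0xffffff8000304000ULL, 0xffffff8000305000ULL, 0xffffff8000306000ULL,
    0xffffff8000307000ULL, 0xffffff8000308000ULL
};
const uint64_t sample_live[NENTRIES] = {
    0xffffff8000301000ULL, 0xffffff8000302000ULL, 0xffffff8000303000ULL,
    0xffffff7f80c01000ULL, /* hooked: points into a loaded kext */
    0xffffff8000305000ULL,
    0xffffff8000400010ULL, /* hooked: still in __TEXT, but not the baseline handler */
    0xffffff8000307000ULL, 0xffffff8000308000ULL
};

int main(void)
{
    unsigned flags[NENTRIES];
    int bad = check_table(sample_live, NENTRIES, sample_baseline, flags);

    printf("table hash: baseline %016llx, live %016llx\n",
           (unsigned long long)fnv1a(sample_baseline, sizeof sample_baseline),
           (unsigned long long)fnv1a(sample_live, sizeof sample_live));
    for (size_t i = 0; i < NENTRIES; i++) {
        if (!flags[i])
            continue;
        printf("entry %zu: %016llx -> %016llx%s%s\n", i,
               (unsigned long long)sample_baseline[i],
               (unsigned long long)sample_live[i],
               (flags[i] & HOOK_OUT_OF_TEXT) ? " [outside kernel text]" : "",
               (flags[i] & HOOK_CHANGED) ? " [differs from baseline]" : "");
    }
    printf("%d suspicious entries\n", bad);
    return bad ? 1 : 0;
}
```

The range check alone is what many simple scanners do, and entry 5 shows why it is not enough: a hook that lands on code inside the kernel's own text (a patched-in trampoline or a reused kernel routine) passes it and is only caught by comparing against a baseline. The kernel code integrity check the abstract mentions is the complementary step, hashing the text segment itself rather than the table, so that a trampoline written into `__TEXT` is also detected.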


Presenters:

  • Ming-chieh Pan - Team T5
    Ming-chieh (Nanika) is Chief Researcher at Team T5 Research. He is a well-known vulnerability researcher and has been disclosing new vulnerabilities for many years. His major areas of expertise include vulnerability research, exploit techniques, malware detection, and mobile security. He has over 10 years of experience in vulnerability research, especially on the Windows platform and on malicious documents and exploits. He has discovered numerous vulnerabilities in Windows and in document applications such as Microsoft Office, Adobe PDF, and Flash. In recent years he has started exploring and discovering problems in Mac OS X. He frequently presents his research at security conferences such as Black Hat, HITCON, and Syscan. He and Sung-ting are members of the CHROOT security group in Taiwan.
  • Sung-ting Tsai - Team T5
    Sung-ting (TT) is the leader of Team T5 Research, which monitors, analyzes, and tracks cyber threats throughout the Asia Pacific region. His major areas of interest include document exploits, malware detection, sandbox technologies, system vulnerabilities and protection, web security, cloud, and virtualization technology. He is especially interested in new vulnerabilities in new technologies, and frequently presents the team's research at security conferences such as Black Hat, HITCON, and Syscan. He and Ming-chieh are members of the CHROOT security group in Taiwan. Sung-ting (TT) is also the organizer of HITCON, the largest technical security conference in Taiwan.
