Presented at
DEF CON 31 (2023),
Aug. 11, 2023, 2:30 p.m.
(45 minutes).
System Integrity Protection (SIP) is a macOS technology that limits the capabilities of the root user, most notably - it maintains the integrity of the operating system by preventing loading of untrusted kernel extensions and protecting sensitive filesystem locations.
In this talk we will uncover a method to bypass SIP and create undeletable malware that can later load arbitrary kernel extensions. We will explain our methodology, detail our exploitation strategy and the reverse engineering involved. Lastly, we will explain how to look for similar SIP bypasses and outline a generic detection strategy for Blue Teams.
REFERENCES:
https://objective-see.com/blog/blog_0x14.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9771
https://www.theregister.com/2016/03/30/apple_os_x_rootless/
https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/
https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
Presenters:
-
Michael Pearse
- Security Researcher at Microsoft
Micheal Pearse started out as an embedded developer for anti-ICBM missiles. Micheal got into reversing by trying to understand how counterstrike works and the underlying mechanics of C++. In his vulnerability research journey, Michael started with home routers, worked my way up to industrial devices, and eventually found and exploited local priv escalations for Windows.
-
Anurag Bohra
- Security Researcher at Microsoft
Anurag Bohra is a Security Researcher 2 at Microsoft focusing on macOS security. His interests includes Reverse Engineering, Malware Analysis, Vulnerability Research, hardware security and also loves building tools on the same.
-
Jonathan Bar Or
- Security Researcher at Microsoft
Jonathan Bar Or ("JBO") is a Principal Security Researcher at Microsoft, working as the Microsoft Defender research architect for cross-platform. Jonathan has rich experience in vulnerability research, exploitation, cryptanalysis, and offensive security in general.
Links:
Similar Presentations: