Endpoint Security and Insecurity

Presented at Objective by the Sea version 3.0 (2020), March 12, 2020, 10:10 a.m. (50 minutes)

One of the most interesting things, from a security perspective, announced at the 2019 Apple WWDC was System Extensions. System Extensions are a natural evolution of Apple's desire to move third-party developers out of the kernel. From a developer's perspective, this means access to more modern programming languages like Swift when writing security tools. From an end user's perspective, this should mean increased stability, with less third-party code running in the kernel. In this talk I'll present a deep dive into one of the new System Extension types: the EndpointSecurity framework. I'll cover the internals of how the framework works, starting at the kernel level, then the system level, and finally how user-level applications get access to the information the framework provides. I'll also cover some of the challenges that come from the EndpointSecurity framework's architecture. Finally, I'll share details of CVE-2019-8805, a local privilege escalation bug found in the framework and fixed in macOS 10.15.1.

Presenters:

  • Scott Knight - Threat Researcher at VMware Carbon Black
    Scott Knight is a Threat Researcher on the VMware Carbon Black TAU team, specifically in the NSAT (Nation State and Advanced Tactics) group within TAU. He works to reverse engineer malware, track threat actors and share information with the security community. Scott has a specific interest in macOS malware and macOS system internals.
