Be Kind, Please Rewind: Adventures in creating a macOS record/replay debugger

Presented at REcon 2023, June 9, 2023, 4:30 p.m. (60 minutes)

Record/replay or "time travel" debuggers let developers record a trace of a program's execution and later replay it, allowing them to revisit past execution states and diagnose bugs that may be difficult to reproduce. These tools have existed on Linux and Windows for many years; however, no such tool has ever been created for macOS. In this talk, we'll present our work towards creating a record/replay tool for macOS, describing the macOS-specific internals required to create it, why existing tools can't simply be ported, and some of the challenges that come up in creating this type of tool from scratch.

Presenters:

  • Nick Gregory
    Nick is a software engineer at Google working on macOS and Linux endpoint security systems. He was previously a senior threat researcher at Capsule8 (acquired by Sophos), focusing on Linux server defense. His background is primarily in low-level systems and kernel exploitation research. Nick is also a Hacker in Residence and former student of NYU Tandon School of Engineering’s OSIRIS Lab.
  • Pete Markowsky
    Pete is a well-known member of the information security community. His background is primarily in low-level systems, exploitation, and building tools to monitor operating systems. He is currently working at Google on their Security Endpoints Agents.
