Gatekeeper Exposed

Presented at ShmooCon XII (2016), Jan. 17, 2016, noon (60 minutes).

Gatekeeper is an anti-malware feature baked directly into OS X. Its single goal is to block the execution of untrusted code from the internet. Apple boldly claims that because of Gatekeeper, both trojans and tampered downloads are generically blocked. So hooray! Mac users are all secure…right? Well, perhaps not :/

Until now, there has been little technical information about Gatekeeper's closed-source internals. This talk seeks to remedy this by exposing the inner workings of Gatekeeper and more broadly, delve into the concept of quarantined files. We'll also discuss architectural limitations of Gatekeeper (CVE 2015-3715, CVE-2015-7024), which were discovered during my reversing efforts. Both vulnerabilities could trivially be abused to allow for the execution of malicious unsigned binaries from the internet. In other words; complete Gatekeeper FAIL.

As all reported issues are now patched, this provides an opportunity for some ‘patch analysis' to determine if the underlying causes were fully addressed. Finally the talk will conclude by illustrating how such bypasses could have been fully and generically thwarted from day one.


Presenters:

  • Patrick Wardle
    Patrick Wardle (@patrickwardle) is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes OS X security tools.

Links:

Similar Presentations: