Last-minute paper: Exposing Gatekeeper

Presented at VB2015, Oct. 1, 2015, noon (30 minutes)

*[download slides](/uploads/pdf/conference_slides/2015/Wardle-VB2015.pdf) (PDF)*

*Gatekeeper* is an anti-malware feature built directly into *OS X*. *Apple* states that it 'allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse'. Most *OS X* users have likely encountered *Gatekeeper* in action, as it blocked the execution of unsigned binaries or (depending on their settings) applications not from the *Mac App Store*. All is good, right? Well, not really! To start, there is little technical information about how, exactly, *Gatekeeper* is implemented. This talk seeks to expose the inner workings of *Gatekeeper* and, more broadly, delve into the concept of quarantined files. From a security point of view this is an important undertaking, as issues such as CVE-2015-3715 (discovered by the author) have previously been uncovered that completely bypassed *Gatekeeper*, allowing unsigned code to be executed. Moreover, even today, architectural limitations of *Gatekeeper* can be abused to execute malicious unsigned binaries. Such limitations, though demonstrated before (by the author at BlackHat), will be fully detailed for the first time. In short, this talk will provide a solid technical overview of *Gatekeeper*'s design and implementation, and will discuss both patched and currently unpatched vulnerabilities or weaknesses in this core *OS X* security mechanism.
