Fire & ice: making and breaking macOS firewalls

Presented at VB2018, Oct. 3, 2018, 4 p.m. (30 minutes)

In the ever-raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a piece of malware has been generically thwarted thanks to the watchful eye of these products. However, on *macOS*, firewalls are rather poorly understood. *Apple*'s documentation surrounding its network filter interfaces is rather lacking and all commercial *macOS* firewalls are closed source. This talk aims to take a peek behind the proverbial curtain, revealing how to both create and 'destroy' *macOS* firewalls. In this talk, we'll first dive into what it takes to create an effective firewall for *macOS*. Yes, we'll discuss core concepts such as kernel-level socket filtering, but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defence mechanisms (including protecting the UI from synthetic events). Of course, any security tool, including firewalls, can be broken. After looking at various *macOS* malware specimens that attempt to detect such firewalls proactively, we'll don our 'grey' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can bypass even today's most vigilant *Mac* firewalls. But all is not lost! By discussing such attacks, combined with our newfound understanding of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated *Mac* malware!

Presenters:

  • Patrick Wardle - Digita Security
    Patrick Wardle Patrick Wardle is the Chief Research Officer at Digita Security and Founder of Objective-See. Having worked at NASA and the NSA, and as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Wardle is passionate about all things related to macOS security and thus spends his days finding Apple 0-days, analysing macOS malware and writing free open-source security tools to protect Mac users. @patrickwardle

Links:

Similar Presentations: