Welcome to the VB2021 conference!

Mitigating exploits using Apple’s Endpoint Security

19:30 - 20:00 UTC Fri 8 Oct 2021
Csaba Fitzl (Offensive Security)
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grant various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.

When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.

In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.

Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
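As an added illustration of the kind of mitigation the abstract describes (this is example code written for this page, not code from the talk or from Csaba's application), the following minimal Endpoint Security client in Swift subscribes to the task-port authorization event and refuses to hand out the task port of a protected executable to any other process, which is the primitive behind injecting code into an entitled third-party app. The protected path, the "same pid may proceed" policy and the log wording are assumptions for the example; a real client runs as a system extension signed with the com.apple.developer.endpoint-security.client entitlement and must be granted Full Disk Access, otherwise es_new_client fails.

```swift
import Foundation
import EndpointSecurity

// Constructed sample: executables whose task port must not be handed to other processes.
// The path is an assumed placeholder; a real client would load this list from configuration.
let protectedExecutables: Set<String> = [
    "/Applications/EntitledSample.app/Contents/MacOS/EntitledSample"
]

/// Copies the executable path out of an es_process_t. es_string_token_t is a
/// length-delimited buffer, so decode by length instead of assuming a NUL terminator.
func executablePath(of process: UnsafePointer<es_process_t>) -> String {
    let token = process.pointee.executable.pointee.path
    let bytes = UnsafeRawBufferPointer(start: token.data, count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

/// The pid lives in slot 5 of the audit token; using it avoids a libbsm bridging header.
func pid(of process: UnsafePointer<es_process_t>) -> pid_t {
    return pid_t(bitPattern: process.pointee.audit_token.val.5)
}

/// Decides an AUTH_GET_TASK request. Every AUTH event must be answered before
/// message.pointee.deadline or the kernel drops the client, so keep this path cheap.
func handle(client: OpaquePointer, message: UnsafePointer<es_message_t>) {
    guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_GET_TASK else { return }

    let requester = message.pointee.process!                 // process asking for the port
    let target = message.pointee.event.get_task.target!      // process whose port is requested

    let targetPath = executablePath(of: target)
    // Assumed policy: a process may always obtain its own task port; any other
    // process asking for a protected target is refused.
    let deny = protectedExecutables.contains(targetPath) && pid(of: requester) != pid(of: target)

    if deny {
        NSLog("denied task port: %@ (pid %d) -> %@ (pid %d)",
              executablePath(of: requester), pid(of: requester), targetPath, pid(of: target))
    }
    // cache = false: a verdict for one requester must not be reused for a different one.
    es_respond_auth_result(client, message, deny ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW, false)
}

var client: OpaquePointer?
let creation = es_new_client(&client) { client, message in
    handle(client: client, message: message)
}
guard creation == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    // Typical failures: ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED (no ES entitlement)
    // or ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED (no Full Disk Access).
    NSLog("es_new_client failed: \(creation)")
    exit(EXIT_FAILURE)
}

var events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_GET_TASK]
guard es_subscribe(esClient, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    NSLog("es_subscribe failed")
    exit(EXIT_FAILURE)
}

dispatchMain()   // keep the process alive; events arrive on the framework's own queue
```

The deny decision is made on the target's executable path only for brevity; a production client would also check the target's code signature (for example, the signing identity of the process it is protecting) so that a renamed copy at the same path is not silently trusted, and would add the companion events for symbolic-link and file-creation attacks that the talk also covers.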

Csaba Fitzl
Offensive Security

Csaba graduated in 2006 as a computer engineer. He worked for six years as a network engineer, troubleshooting and designing big networks. After that he worked for eight years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation and defence bypasses. Currently he is working as a content developer at Offensive Security. He has given talks and workshops at various international IT security conferences, including Hacktivity, hack.lu, Troopers, SecurityFest, DEFCON, NULLCON and Objective By The Sea.