MCH2022 Curated content

macOS local security: escaping the sandbox and bypassing TCC

"SomeApp would like to access files in your Documents folder." Anyone who has used macOS recently will be familiar with these prompts. But how do they work? What happens if you deny the access? Are they an effective defense against malware? This talk will give an up to date overview of the local security measures of macOS and describe some ways they can be defeated in practice.
Sandboxing on macOS was introduced 13 years ago, but Apple didn't leave it at that. Starting with the release of macOS Catalina in 2019, even non-sandboxed apps need to deal with sandbox-like restrictions for files: all apps now need to ask permission to access sensitive files, like those in the user's documents or desktop folder. Features such as the camera and geolocation already needed user approval from a permission prompt. This system of user controlled permissions is known as Transparency, Consent, and Control (TCC). Any new security measure like this will also mean the introduction of new security boundaries, with new classes of vulnerabilities. Many parts of the system have to be re-examined to check for these vulnerabilities. For example, apps can now try to attack other apps in order to "steal" the permissions granted by the user to those apps. Apple has taken steps to allow apps to defend themselves against this, such as the hardened runtime. Ultimately, however, it is up to the developer of an app to safeguard its permissions. Many developers are not aware of this new responsibility or do not take it seriously. Developers who are used to the security model of Windows or Linux often do not know that these boundaries even exist. To make matters worse, Apple's documentation and APIs for these features are not as clear and easy to use as they should be. This talk will start with an overview of local security restrictions on the latest version of macOS, Mojave. Then, it will cover some ways these protections might be bypassed in third-party applications. Finally, we will show some vulnerabilities we found in software that allowed escaping the macOS sandbox, stealing TCC permissions and privilege escalation, such as CVE-2021-30688, CVE-2020-10009 and CVE-2020-24428.

Additional information

Type Talk
Language English

More sessions

7/22/22
MCH2022 Curated content
Elger "Stitch" Jonker
Abacus 🧮
⚠️ Warning! This talk may contain hackers. There may be hackers in the room. There may be hackers surrounding the room. There may be hackers recording this. There may be hackers listening in. There may be hackers that exfiltrate data. There may be hackers wearing shirts. There may be hackers carrying spying devices. OH NO! There are hackers EVERYWHERE! What can we do now, except having a party?
7/22/22
MCH2022 Curated content
Jelle vd ster
Abacus 🧮
What do big tech, synthesizers, the crucifixion and Matthäus Passion have in common? Find the answer in the tech performance The Silicon Passion. We’ve all embraced big tech —but is it a warm hug or a strangulation? Bear witness to a debate of biblical proportions between tech nerds, technology and its users. In The Silicon Passion SETUP, in collaboration with de Transmissie (David Schwarz en Derk Stenvers) and Rodrigo Ferreira, is looking for a way out of the pit that technology has ...
7/22/22
MCH2022 Curated content
Clairvoyance 🔮
Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki.
7/22/22
MCH2022 Curated content
Mikko Hypponen
Abacus 🧮
This is a submission for a keynote talk at MCH2022. The Internet is both a familiar, comfortable place as well as a bottomless rabbit hole you can lose yourself in. The Internet has always been like this from its inception, the difference now is the scale and consequences are almost immeasurable - and it tests the limits of human imagination. When you look into the mirror of the Internet what you see reflected back depends on what you are looking for. It has become largely a reflection of ...
7/22/22
MCH2022 Curated content
Battery 🔋
Thanks to DNSSEC and DANE, it is possible to automatically verify user@domain.name identities by checking with domain.name servers. The real problem however, is integration with existing protocols, instead of inventing something completely new and perhaps web-only. The purpose of our work on Realm Crossover mechanisms has been to design generic solutions that extend many different application protocols, without changing their protocol specs.
7/22/22
MCH2022 Curated content
Klaus Agnoletti
Clairvoyance 🔮
Utilizing collaborative security to collect data on attacks we were able to detect Log4J in a quite unusual but effective manner. We'll show you how CrowdSec enables the entire infosec community to stand together by detecting attempts to exploit a critical 0day, reporting them centrally thereby enabling anyone to protect themselves shortly after the vulnerability was made public. The unusual part is that this is done using FOSS software and by analyzing logs of real production systems but in a ...
7/22/22
MCH2022 Curated content
bert hubert
Abacus 🧮
Building on the very well attended DNA presentations ("DNA: The Code Of Life") at SHA2017, this talk will cover: * A brief recap what DNA is and how it works * It is surprisingly digital! * How reading DNA is within 'pro-sumer' reach now * (I might bring a live demo for after the talk) * An overview of DNA editing technologies (offline, and online: on living organisms) * Including the famous CRISPR-CAS, but also newer variants * How does such editing actually work in a lab? * The surprising lack ...