Getting a Migraine - uncovering a unique SIP bypass on macOS
Jonathan Bar Or, Security Researcher at Microsoft, He/Him
Michael Pearse, Security Researcher at Microsoft, He/Him
Anurag Bohra, Security Researcher at Microsoft, He/Him
| Demo, Exploit | 45
System Integrity Protection (SIP) is a macOS technology that limits the capabilities of the root user. Most notably, it maintains the integrity of the operating system by preventing the loading of untrusted kernel extensions and by protecting sensitive filesystem locations.
In this talk we will uncover a method to bypass SIP and create undeletable malware that can later load arbitrary kernel extensions. We will explain our methodology, detail our exploitation strategy and the reverse engineering involved. Lastly, we will explain how to look for similar SIP bypasses and outline a generic detection strategy for Blue Teams.
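The abstract ties SIP to two observable properties: whether SIP is enabled at all, and whether any kernel extension outside Apple's own has been loaded. The following is an added example, not code from the talk or its authors, of a defender-side audit that parses the output of the built-in macOS commands `csrutil status` and `kextstat` and reports on both conditions. The sample command output embedded below is constructed to look like those tools' output; the `com.example.thirdparty.driver` bundle is a made-up placeholder used only to exercise the check.

```python
"""SIP posture audit (added example, not from the talk).

Parses `csrutil status` and `kextstat` output and reports:
  * SIP not reported as enabled (fail closed on unknown/custom states)
  * loaded kernel extensions whose bundle id is outside com.apple.*
"""
import re
import subprocess

# Constructed sample, shaped like `csrutil status` on a stock machine.
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"

# Constructed sample, shaped like `kextstat` output:
# Index Refs Address Size Wired Name (Version) UUID <Linked Against>.
# The third row is a made-up third-party kext (placeholder bundle id).
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  150 0                  0          0          com.apple.kpi.bsd (22.4.0) 00000000-0000-0000-0000-000000000000
   40    0 0xffffff7f80e00000 0x5000     0x5000     com.apple.driver.AppleHPET (1.8) 11111111-1111-1111-1111-111111111111 <1>
   41    0 0xffffff7f80e05000 0x7000     0x7000     com.example.thirdparty.driver (1.0) 22222222-2222-2222-2222-222222222222 <1>
"""

# index, refs, address, size, wired, then bundle id and "(version)"
KEXT_LINE = re.compile(r"^\s*\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\(([^)]*)\)")


def sip_enabled(csrutil_output: str) -> bool:
    """True only when csrutil reports SIP as 'enabled'.

    'disabled', 'unknown (Custom Configuration)' or unparseable output all
    return False, so a partially relaxed SIP is not mistaken for a healthy one.
    """
    m = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_output)
    return bool(m) and m.group(1).lower() == "enabled"


def loaded_kexts(kextstat_output: str) -> list[tuple[str, str]]:
    """Parse kextstat output into (bundle_id, version) pairs; the header is skipped."""
    kexts = []
    for line in kextstat_output.splitlines():
        m = KEXT_LINE.match(line)
        if m:
            kexts.append((m.group(1), m.group(2)))
    return kexts


def non_apple_kexts(kextstat_output: str) -> list[tuple[str, str]]:
    """Loaded kexts whose bundle id is outside com.apple.*.

    SIP is meant to keep untrusted kexts out, so anything listed here warrants
    a look at how it was approved and loaded.
    """
    return [k for k in loaded_kexts(kextstat_output) if not k[0].startswith("com.apple.")]


def audit(csrutil_output: str, kextstat_output: str) -> list[str]:
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    findings = []
    if not sip_enabled(csrutil_output):
        findings.append("SIP is not reported as enabled")
    for bundle_id, version in non_apple_kexts(kextstat_output):
        findings.append(f"non-Apple kext loaded: {bundle_id} ({version})")
    return findings


def run(cmd: list[str]) -> str:
    """Capture stdout of a local command (used only when running on a real Mac)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # On a Mac, replace the constructed samples with live output:
    #   audit(run(["csrutil", "status"]), run(["kextstat"]))
    for finding in audit(SAMPLE_CSRUTIL, SAMPLE_KEXTSTAT):
        print(finding)
```

Run on the constructed samples this reports the single placeholder third-party kext; on a real machine `kextstat` is deprecated on recent macOS in favour of `kmutil showloaded`, whose listing is similar but should be checked against `KEXT_LINE` before relying on the parser.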
Jonathan Bar Or ("JBO") is a Principal Security Researcher at Microsoft, working as the Microsoft Defender research architect for cross-platform. Jonathan has rich experience in vulnerability research, exploitation, cryptanalysis, and offensive security in general.
@yo_yo_yo_jbo
Michael Pearse started out as an embedded developer for anti-ICBM missiles. Michael got into reversing by trying to understand how Counter-Strike works and the underlying mechanics of C++. In his vulnerability research journey, Michael started with home routers, worked his way up to industrial devices, and eventually found and exploited local privilege escalations on Windows.
Anurag Bohra is a Security Researcher 2 at Microsoft focusing on macOS security. His interests include reverse engineering, malware analysis, vulnerability research and hardware security, and he also loves building tools in those areas.
REFERENCES:
https://objective-see.com/blog/blog_0x14.html
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2020-9771
https://www.theregister.com/2016/03/...os_x_rootless/
https://www.microsoft.com/en-us/secu...ty-protection/
https://jhftss.github.io/CVE-2022-26...ven-Tweetable/
