EXPLORING YOSEMITE: ABUSING MAC OS X 10.10 presented at BlackHatEU 2014

by Sung-ting Tsai and Ming-chieh Pan

Summary: Mac OS X 10.10 Yosemite is going to be released soon. It brings many new features as well as security improvements. In the first part of the talk, we review these improvements from both the defensive and the offensive perspective: what problems it solved, what issues it brought up, and what tricks still work.
In the second part, we try several ways to abuse Mac OS X 10.10 and show that running malware, and even a rootkit, is not a problem. A number of new offensive techniques will be introduced, in both kernel mode and user mode: for example, loading an unsigned kernel module without warnings, manipulating kernel objects (rootkit) to evade detection, and very stealthy techniques for launching malware. All of the tricks were tested on Mac OS X 10.10.
Beyond the offensive side, we will also release a security tool in this talk: a comprehensive rootkit and anomaly scanner we call SVV-X (System Virginity Verifier for Mac OS X, including 10.10). The tool covers not only basic checks such as hooks on the syscall table, the Mach trap table and the IDT, critical data verification, and kernel code integrity; it also checks for many user-mode tricks.
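As an added illustration (not the authors' SVV-X code and not taken from the talk), the program below shows the two kernel-side checks the abstract names in their simplest form: a range check over the handler pointers of a dispatch table (sysent, Mach trap table, IDT), and a hash comparison over code bytes to detect an inline patch. The table layout, the kernel text bounds, the handler addresses and the function bytes are all constructed for the example; a real scanner would read the live tables and the kernel's __TEXT segment bounds from the running kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of a kernel dispatch table (sysent, mach_trap_table, IDT).
 * For hook detection the scanner only needs the handler address.
 * The struct and all addresses below are constructed for this example. */
typedef struct {
    const char *name;
    uintptr_t   target;
} table_entry;

/* Assumed kernel __TEXT range. A real scanner takes it from the running
 * kernel's Mach-O segment headers; these bounds are made up. */
#define KERNEL_TEXT_START 0xffffff8000200000ULL
#define KERNEL_TEXT_END   0xffffff8000a00000ULL

static int in_kernel_text(uintptr_t addr)
{
    return addr >= KERNEL_TEXT_START && addr < KERNEL_TEXT_END;
}

/* Check 1: dispatch-table hooks. An entry whose target lies outside kernel
 * text (for instance inside a loaded kext) has been redirected.
 * Returns the number of hooked entries and stores up to max_hooked indices. */
size_t find_table_hooks(const table_entry *tab, size_t n,
                        size_t *hooked, size_t max_hooked)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_kernel_text(tab[i].target)) {
            if (count < max_hooked)
                hooked[count] = i;
            count++;
        }
    }
    return count;
}

/* Check 2: code integrity. Hash the code bytes at a trusted baseline and
 * compare the live image against that hash (FNV-1a, 64-bit). */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

int text_modified(uint64_t baseline_hash, const uint8_t *current, size_t n)
{
    return fnv1a64(current, n) != baseline_hash;
}

/* Constructed sample table: five clean entries and one ("open") whose target
 * sits in the 0xffffff7f... region where kexts are mapped, i.e. a hook. */
static const table_entry sample_table[] = {
    { "exit",   0xffffff8000532a10ULL },
    { "fork",   0xffffff8000532b40ULL },
    { "read",   0xffffff80004f1c20ULL },
    { "write",  0xffffff80004f1e90ULL },
    { "open",   0xffffff7f9a3b2000ULL },
    { "getpid", 0xffffff8000533120ULL },
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Constructed x86-64 function prologue (push rbp; mov rbp,rsp; ...). The
 * patched copy gets its first five bytes replaced by jmp rel32 (E9). */
static const uint8_t baseline_code[] = {
    0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x41, 0x56,
    0x53, 0x48, 0x83, 0xec, 0x18, 0x48, 0x89, 0xfb,
};

size_t demo_hooked_entry_count(void)
{
    size_t idx[SAMPLE_TABLE_LEN];
    return find_table_hooks(sample_table, SAMPLE_TABLE_LEN, idx, SAMPLE_TABLE_LEN);
}

size_t demo_hooked_entry_index(void)
{
    size_t idx[SAMPLE_TABLE_LEN];
    size_t n = find_table_hooks(sample_table, SAMPLE_TABLE_LEN, idx, SAMPLE_TABLE_LEN);
    return n ? idx[0] : SAMPLE_TABLE_LEN;
}

int demo_clean_code_passes(void)
{
    uint64_t baseline = fnv1a64(baseline_code, sizeof baseline_code);
    return !text_modified(baseline, baseline_code, sizeof baseline_code);
}

int demo_inline_patch_detected(void)
{
    uint64_t baseline = fnv1a64(baseline_code, sizeof baseline_code);
    uint8_t patched[sizeof baseline_code];
    const uint8_t jmp_hook[5] = { 0xe9, 0x10, 0x20, 0x30, 0x40 }; /* jmp rel32 */
    memcpy(patched, baseline_code, sizeof patched);
    memcpy(patched, jmp_hook, sizeof jmp_hook);
    return text_modified(baseline, patched, sizeof patched);
}

int main(void)
{
    size_t idx[SAMPLE_TABLE_LEN];
    size_t n = find_table_hooks(sample_table, SAMPLE_TABLE_LEN, idx, SAMPLE_TABLE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("hooked: %s -> 0x%llx\n", sample_table[idx[i]].name,
               (unsigned long long)sample_table[idx[i]].target);
    printf("inline patch detected: %d\n", demo_inline_patch_detected());
    return 0;
}
```

Build with `cc -std=c99` and run; the only entry reported is `open`, whose target lies in the kext region below the kernel text, and the hash check flags the patched prologue. The range check catches pointer swaps in any table; it is the hash check that catches an inline jmp inserted into an otherwise correctly pointed handler, which is why a scanner needs both.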