Getting Cozy with OpenBSM Auditing on MacOS … The Good, the Bad, & the Ugly

ShmooCon XIV - 2018

Presented by: Patrick Wardle
Date: Sunday January 21, 2018
Time: 12:00 - 12:50
Location: Far Room
Track: Belay It

With the demise of dtrace on macOS, and Apple’s push to rid the kernel of 3rd-party kexts, another option is needed to perform effective auditing on macOS. Lucky for us, OpenBSM fits the bill. Though quite powerful, this auditing mechanism is rather poorly documented and suffered from a variety of kernel vulnerabilities.

In this talk, we’ll begin with an introductory overview of OpenBSM’s goals, capabilities, and components before going ‘behind-the-scenes’ to take a closer look at its kernel-mode implementation. Armed with this understanding, we’ll then detail exactly how to build powerful user-mode macOS monitoring utilities such as file, process, and networking monitors based on the OpenBSM framework and APIs.

Next we’ll don our hacker hats and discuss a handful of kernel bugs discovered during a previous audit of the audit subsystem (yes, quite meta): a subtle off-by-one read error, a botched patch that turned the off-by-one into a kernel info leak, and finally an exploitable heap overflow. Though now patched, the discussion of these bugs provides an interesting ‘case-study’ of finding and exploiting several types of bugs that lurked within the macOS kernel for many years.

Patrick Wardle

Patrick Wardle (@patrickwardle) is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, as well as having presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of Mac malware. In his personal time, Patrick collects Mac malware and writes free Mac security tools. Both can be found on his site, Objective-See.com.
