KNOWLEDGE SERIES


POPULAR SECURITY MECHANISMS ON macOS AND BYPASSING THEM

22 September 2022 | 1:00 PM SGT


Jonathan Bar Or
Principal Security Researcher
Microsoft

Jonathan Bar Or (“JBO”) is a Principal Security Researcher at Microsoft, working as the Microsoft Defender research architect for cross-platform. Jonathan has extensive experience in vulnerability research, exploitation, cryptanalysis, and offensive security in general.

macOS has unique security features that challenge malware authors and attackers alike. Technologies such as TCC, sandboxing, SIP and Gatekeeper mitigate common techniques used across the kill chain.

As macOS becomes increasingly popular, attackers and malware families quickly adapt to perform malicious operations on endpoints, ranging from simple adware to full-fledged RAT instances.

In this talk, we will present an end-to-end attack simulation conducted internally by Microsoft Defender for Endpoint (MDE), show how we were able to find creative vulnerabilities that bypass those security features, and explain how we help Apple secure macOS against similar attacks.

We will describe bypasses of the Apple sandbox, Gatekeeper, TCC and SIP to show how an attacker could gain access to a system. For each technique, we will cover the mitigations (implemented by Apple), the detections in Microsoft Defender for Endpoint, and variant analysis. We will also describe working with Apple and the general vulnerability disclosure process we follow as part of the Microsoft Coordinated Vulnerability Disclosure (CVD) program.