Infiltrate Security Conference OPEN CFP

TALK PROFILE
This CFP closes in 2 days

Synthetic Reality; Breaking macOS One Click at a Time

Vulnerability Research
45

In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless local security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security conscious users will (hopefully) heed such warning dialogues - stopping malicious code in its tracks. But what if such clicks could be synthetically generated to interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell. Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed. In this talk we'll first take a look at the history of synthetic attacks against macOS, including an analysis of various malware that implemented such offensive capabilities. Following this, we'll discuss Apple's patches and defenses against these attacks. Next, we'll detail a vulnerability, CVE-2017-7150, that affected all recent versions of macOS - that afforded local unprivileged attackers the ability to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'Secure Kext Loading' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more. And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!

Back to Open CFP
Rated 2 - 47 reviewers

Comments

Interested in Speaking?

We are pleased to announce the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused-fresh-content presentation, please submit an abstract, Bio and headshot to cfp@immunityinc.com. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. Call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are:

  • A trip to Miami Beach during the non-gates-of-hell hot season
  • A stay at one of the premier luxury resorts in the area
  • A no-bullshit environment where you don't have to be apologetic about
  • Ability to participate in the 1st ever profit sharing conference