DEF CON 31 - Demystifying (& Bypassing) macOS's Background Task Management - Patrick Wardle

19,506 views

DEFCONConference

8 months ago

To retain a foothold on an infected system, most Mac malware persists, installing itself in a manner that ensures it will be automatically (re)launched each time the infected system is rebooted.
In macOS Ventura, Apple rearchitected the core persistence mechanisms and added a new security mechanism that alerts the user any time an item is persisted. As the former is both undocumented and implemented in a proprietary manner, this poses a problem for existing security and forensics tools (which aim to heuristically detect malware via unauthorized persistence events). On the other hand, the latter is problematic for malware authors, who obviously want their malicious creations to persist without an alert being shown to the user.
In this talk, we'll indiscriminately provide solutions for all! First, we'll dive into the internals of macOS's Background Task Management (BTM), which, as we'll see, contains a central (albeit proprietary) repository of persistent items. Armed with this information, we'll release open-source code capable of programmatically enumerating all persistent items from BTM, ensuring security and forensics tools regain compatibility. We'll also highlight design weaknesses that malicious code could trivially employ to sidestep the new security features of BTM, such that persistence may still be silently achieved.

COMMENTS: 15
@fightme5543 8 months ago
Y'all don't understand how excited I get every time I see a new talk! Thanks Defcon Team!
@zizlog_sound 8 months ago
First of all, big thanks to Patrick for another great lesson on Mac security. When Patrick says "That's s/th Apple should be doing," i.e. preventing SIGSTOP, the devs at Apple didn't think this all the way through or left it on purpose. I wish Apple put more quality into their OS than quantity. Pushing out a new OS with bags of new features every year takes its toll on quality for sure.
@crissuper20 8 months ago
I gotta say, "interesting" is an understatement when seeing DEFCON conferences.
@recklessroges 8 months ago
Patrick Wardle always gives good talks. Thanks PW and DEFCON.
@BDonTJ 8 months ago
Fascinating! 🤔 Thank you, Patrick.
@camelotenglishtuition6394 7 months ago
He's a great speaker and very interesting. Great job!
@blaxbrian6877 8 months ago
Good talk.
@zoenagy9458 8 months ago
Where are the rest of the vids??
@arir43 8 months ago
It takes a few weeks for them all to be uploaded.
@prescientdove 8 months ago
@arir43 😂
@ClassicRiki 8 months ago
All well and good, but overall, without a zero-click he still had to put the user's password in to get that onto the system. So it's entirely useless unless he's also bypassing the requirement for user authentication. Pretty arrogant to say it's "lame" that Apple doesn't do it... because guess what, they'll add this and now your software is entirely pointless. All of which still only applies when a user authentication bypass is achieved, and trust me... if they can bypass that, then his software will be trivial to bypass. To call their software "sub-par" is pretty f*cking arrogant.
@allenng2348 8 months ago
I wanted to listen to this; the topic was interesting, but I can't listen to people that sound like they're drowning in their own saliva when they speak.
@gillesiachelini2082 8 months ago
Why so nasty?
@scottsound4711 8 months ago
Give ya ears a clean & ya head a wobble.