In a thread (somewhere else) about rootkits, somebody affirmed that it would be harder on Yosemite to mess with the system like malicious kext can do. Have there been some modifications on the kernel or the module system that make it actually harder to load a kernel extension that would, for example locate SYSENT and hook system call, or locate system calls and insert a jump at the beginning to a portion of code the attacker control, or was it a gratuitous remark ?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Is Yosemite less vulnerable to rootkits ?
- Thread starter AntoineLec
- Start date
- Sort by reaction score
Exploring Yosemite: Abusing Mac OS X 10.10
Found whilst drafting a roundup under Apple's OS X 10.10.2 to Fix Security Vulnerabilities Exposed by Google's Project Zero:
Abstract:
Related
Trend Micro: OSX has the most vulnerabilities. (2012-04-24)
OS X 10.10.2 Includes Fix for 'Thunderstrike' Hardware Exploit Affecting Macs (2015-01-26)
Found whilst drafting a roundup under Apple's OS X 10.10.2 to Fix Security Vulnerabilities Exposed by Google's Project Zero:
Abstract:
Mac OS X 10.10 Yosemite is going to be released soon. It brings lots of new features as well as security improvements. In the fist part of the talk, we are going to review these improvements from both defensive and offensive perspectives: what problem it solved, what issues it brought up, and what tricks still work.
In the second part, we will try several ways to abuse Mac OS X 10.10, and show you running malware and even rootkit is not a problem. A number of new offensive techniques will be introduced, including kernel mode and user mode, for example, loading a unsigned kernel module without warnings, manipulating kernel objects (rootkit) to evade detection, very stealthy techniques to launch malware, etc. All of the tricks were tested on Mac OS X 10.10.
Not only the offensive side, we are going to release a security tool in this talk as well. A comprehensive rootkit and abnormality scanner, we call it SVV-X (System Virginity Verifier for Mac OS X 10.10). The tool covers not only basic checks, such as hooks on syscall table, mach trap, IDT table, critical data verification, kernel code integrity, and it also checks many user mode tricks.Attacking Mac OS X has become a trend as we see more and more malware with advanced attack techniques on Mac OS X. In order to gain persistent control and avoid detection, malware have started to adopt rootkit tricks.
In the second part, we will try several ways to abuse Mac OS X 10.10, and show you running malware and even rootkit is not a problem. A number of new offensive techniques will be introduced, including kernel mode and user mode, for example, loading a unsigned kernel module without warnings, manipulating kernel objects (rootkit) to evade detection, very stealthy techniques to launch malware, etc. All of the tricks were tested on Mac OS X 10.10.
Not only the offensive side, we are going to release a security tool in this talk as well. A comprehensive rootkit and abnormality scanner, we call it SVV-X (System Virginity Verifier for Mac OS X 10.10). The tool covers not only basic checks, such as hooks on syscall table, mach trap, IDT table, critical data verification, kernel code integrity, and it also checks many user mode tricks.Attacking Mac OS X has become a trend as we see more and more malware with advanced attack techniques on Mac OS X. In order to gain persistent control and avoid detection, malware have started to adopt rootkit tricks.
Related
Trend Micro: OSX has the most vulnerabilities. (2012-04-24)
OS X 10.10.2 Includes Fix for 'Thunderstrike' Hardware Exploit Affecting Macs (2015-01-26)