Every authorization has its black: tackling privilege escalation in macOS
macOS has had strict permission controls for a long time, such as TCC, SIP, and entitlements; their objective is to prevent applications from being misused. However, the steady stream of disclosed macOS privilege escalation vulnerabilities shows that these mechanisms cannot guarantee absolute security. Once attackers obtain certain special permissions on macOS, they have a chance to gain control that even system administrators cannot interfere with. In real IR cases, we found that normal users struggle to control program permissions and are overconfident about popup windows, which has caused macOS native protection to fail.
To mitigate this type of attack, we used the Endpoint Security Framework (ESF) to detect privilege escalation behaviors. ESF allows third-party software to write a client that receives a subset of system events; with each macOS system update, ESF provides more events for detection and is able to obtain detailed behavior information, making it the last line of defense against macOS attacks. During development we found that, as new attacks appear, obtaining the critical events has become an important factor for successful defense. So we will discuss in detail the event trace of every privilege escalation attack, and give security developers some concepts for detecting these kinds of attacks on macOS.
The first part of this session will focus on privilege escalation vulnerabilities in macOS, introduce the issues we saw in real cases this year, and summarize the related attack methods. Then we will go through the capabilities of ESF and its underlying implementation to explain how to detect effectively using ESF. We will demonstrate which ESF events are worth using and the corresponding contexts they can detect, to help blue team developers gain a deeper understanding of the ESF framework and develop more efficient forensic and behavior detection tools based on our results.