Getting Cozy With OpenBSM Auditing On MacOS
Offered By: 0xdade via YouTube
Course Description
Overview
Explore the intricacies of OpenBSM auditing on macOS in this comprehensive 51-minute talk by Patrick Wardle. Dive into the goals, capabilities, and components of OpenBSM, examining its kernel-mode implementation and learning how to build powerful user-mode macOS monitoring utilities. Discover file, process, and networking monitors based on the OpenBSM framework and APIs. Investigate kernel bugs found during an audit of the audit subsystem, including an off-by-one read error, a kernel info leak, and an exploitable heap overflow. Gain insights into finding and exploiting various bug types that persisted in the macOS kernel for years. Benefit from Wardle's extensive experience in cybersecurity, including his work at NASA and the NSA, as he shares his expertise on automated vulnerability discovery and Mac malware threats.
Syllabus
Announcements
Trivia
Introduction
What is auditing
Why are we talking about auditing
Mac security tools
Auditing mechanisms
FS events
FS events example
kdebug
subscribe
DTrace
OpenBSM
Audit Commit
Audit Control Files
Audit Logs
What's Next
Security Tools
Conceptual Overview
Connecting to the Audit Pipe
Configuring the Audit Pipe
Reading Data
Tokenization
Tokenization Example
Process Info Library
OpenBSM Auditing
Kernel Panic Log
Disassembly
Kernel Panic Diagram
Off-By-One Read
Kernel Information Leak
How Apple Patched
Kernel Bug
Create Null Terminator
Debugging
Mapping Register Values
bcopy
Heap Overflows
Kernel Heap Overflows
Recap
Look for bugs in betas
Python script
Mac Security
Kernel Panic
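The syllabus entries from "Connecting to the Audit Pipe" through "Tokenization Example" describe one procedure: pull whole records off the audit pipe, then walk them token by token. The C program below is an added example written for this page, not code from the talk or from Patrick Wardle's tools. It implements the tokenization step the way a user-mode monitor must, checking each token's fixed or declared length against the bytes actually remaining before reading any field, which is exactly the class of check whose absence produces the off-by-one read the talk covers later. The record it parses is constructed inline (an execve of /bin/ls by pid 1234, audit uid 501) so it runs on any platform; the token ids, token layouts and the AUE_EXECVE number are taken from OpenBSM's public headers (bsm/audit_record.h, bsm/audit_kevents.h), while the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Token ids, trailer magic and the execve event number as defined in OpenBSM's
 * bsm/audit_record.h and bsm/audit_kevents.h. */
#define AUT_TRAILER 0x13
#define AUT_HEADER32 0x14
#define AUT_PATH 0x23
#define AUT_SUBJECT32 0x24
#define AUT_RETURN32 0x27
#define AUT_TRAILER_MAGIC 0xB105
#define AUE_EXECVE 23

struct audit_event {        /* what a process monitor wants out of one record (example's own type) */
    uint16_t event;         /* AUE_* number from the header token */
    uint32_t auid, pid;     /* audit uid and pid from the subject token */
    char path[256];         /* from the path token */
    uint8_t ret_status;     /* errno from the return token, 0 on success */
};

/* BSM fields are big-endian whatever the host order. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Tokenize one record. A token's fixed or declared length is checked against the bytes
 * actually left before any field is read. Returns 0 on success, -1 for a malformed or
 * truncated record, or for a token type this minimal parser does not know: an unknown
 * token's length cannot be guessed, so it stops rather than read past the buffer. */
int parse_record(const uint8_t *buf, size_t len, struct audit_event *ev)
{
    size_t off, left, plen;
    memset(ev, 0, sizeof *ev);
    /* header32: id(1) reclen(4) version(1) event(2) modifier(2) sec(4) msec(4) = 18 bytes */
    if (len < 18 || buf[0] != AUT_HEADER32 || be32(buf + 1) != len) return -1;
    ev->event = be16(buf + 6);
    for (off = 18; off < len; ) {
        left = len - off;
        switch (buf[off]) {
        case AUT_SUBJECT32:  /* id(1) auid euid egid ruid rgid pid sid tid_port tid_addr (4 each) = 37 */
            if (left < 37) return -1;
            ev->auid = be32(buf + off + 1);
            ev->pid = be32(buf + off + 21);
            off += 37;
            break;
        case AUT_PATH:       /* id(1) len(2) path[len]; len counts the terminating NUL */
            plen = left < 3 ? 0 : be16(buf + off + 1);
            if (plen == 0 || plen > left - 3 || plen > sizeof ev->path || buf[off + 2 + plen] != '\0') return -1;
            memcpy(ev->path, buf + off + 3, plen);
            off += 3 + plen;
            break;
        case AUT_RETURN32:   /* id(1) status(1) value(4) = 6 */
            if (left < 6) return -1;
            ev->ret_status = buf[off + 1];
            off += 6;
            break;
        case AUT_TRAILER:    /* id(1) magic(2) reclen(4) = 7, and it must close the record exactly */
            return (left == 7 && be16(buf + off + 1) == AUT_TRAILER_MAGIC && be32(buf + off + 3) == len) ? 0 : -1;
        default:
            return -1;
        }
    }
    return -1;               /* bytes ran out before a trailer */
}

/* Constructed sample, not a real capture: execve of /bin/ls by pid 1234, audit uid 501,
 * success. 79 bytes = 0x4F, the count carried by both the header and the trailer. */
static const uint8_t sample_record[] = {
    0x14, 0x00,0x00,0x00,0x4F, 0x0B, 0x00,0x17, 0x00,0x00, 0x5A,0x5E,0x1B,0x70, 0x00,0x00,0x00,0x00, /* header32 */
    0x24, 0x00,0x00,0x01,0xF5, 0x00,0x00,0x01,0xF5, 0x00,0x00,0x00,0x14, 0x00,0x00,0x01,0xF5,        /* subject32 */
          0x00,0x00,0x00,0x14, 0x00,0x00,0x04,0xD2, 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x23, 0x00,0x08, '/','b','i','n','/','l','s', 0x00,                                               /* path */
    0x27, 0x00, 0x00,0x00,0x00,0x00,                                                                  /* return32 */
    0x13, 0xB1,0x05, 0x00,0x00,0x00,0x4F,                                                             /* trailer */
};

const struct audit_event *parse_sample(void)  /* NULL if the sample is rejected */
{
    static struct audit_event ev;
    return parse_record(sample_record, sizeof sample_record, &ev) == 0 ? &ev : NULL;
}

int parse_truncated_sample(void)              /* last byte dropped: must be -1, never an over-read */
{
    struct audit_event ev;
    return parse_record(sample_record, sizeof sample_record - 1, &ev);
}

int main(void)
{
    const struct audit_event *ev = parse_sample();
    if (!ev) { puts("sample rejected"); return 1; }
    printf("event %u pid %u auid %u path %s status %u; truncated copy -> %d\n",
           ev->event, ev->pid, ev->auid, ev->path, ev->ret_status, parse_truncated_sample());
    return 0;
}
```

On macOS the same parser sits behind the pipe the talk describes: open /dev/auditpipe as root, use ioctl(2) to set AUDITPIPE_SET_PRESELECT_MODE to AUDITPIPE_PRESELECT_MODE_LOCAL and AUDITPIPE_SET_PRESELECT_FLAGS to the au_mask_t that getauditflagsbin("pc,fr", &mask) builds for the process and file-read classes (so those events flow to the pipe whatever /etc/security/audit_control preselects for the log files), then read whole records with libbsm's au_read_rec() and hand each one to parse_record(). Live records carry further token types (exec arguments, file attributes) that this minimal parser deliberately rejects rather than guessing their length; a production monitor walks them with libbsm's au_fetch_tok(), which knows every type. Apple has since deprecated OpenBSM auditing in favor of the EndpointSecurity framework, so new tooling should target that API while the bounds-checking discipline shown here stays the same.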
Taught by
Patrick Wardle (talk uploaded to YouTube by 0xdade)