
XUnprotect: Reverse Engineering the macOS XProtect Remediator.pdf

Uploaded by: 竿*** ID: 981898 2025-11-29 97 pages 6.38 MB

XUnprotect: Reverse Engineering macOS XProtect Remediator
Koh M. Nakagawa (tsunek0h)
FFRI Security, Inc.

NSUserFullName()
Koh M. Nakagawa (tsunek0h)
- Security researcher at FFRI Security, Inc.
- Mainly focusing on Apple product security
- Gave talks at Black Hat and CODE BLUE

About This Presentation
This presentation covers:
- Technical deep dive into XProtect Remediator (XPR)
  - How XPR's detection logic works
  - Malware removed (or remediated) by each scanner
  - Provenance Sandbox (which XPR utilizes for identifying the source of files being remediated)
This presentation does not cover:
- Evaluation of XPR, such as its effectiveness as a macOS security product
- Traditional XProtect. For this topic, see Stuart Ashenbrenner's excellent talk at MDOYVR23: https://youtu.be/43BIK-e7FBE

What You'll Gain from This Talk?
- For Red Teamers: Learn TCC & Provenance Sandbox bypass (Offensive)
- For Blue Teamers: Learn XPR's detection/remediation capabilities & Apple-exclusive threat intel (Defensive)
- Deep understanding of XPR

Outline
1. Introduction
2. Tooling
3. RE results
4. Vulnerability Research
5. Conclusion

What Is XPR?
https:/ layers of defense
Malware defenses are structured in three layers:
1. Prevent launch or execution of malware: App Store, or Gatekeeper combined with Notarization
2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect
3. Remediate malware that has executed: XProtect Remediator
"XProtect Remediator acts to remediate malware that has managed to successfully execute." - "Apple Platform Security" by Apple

What Is XPR?
- Introduced in macOS Monterey as a replacement for the MRT
- Built-in mechanism, updated once or twice per month
- Contains 20+ scanners, each targeting a specific malware family
https://eclecticlight.co/2022/08/30/macos-now-scans-for-malware-whenever-it-gets-a-chance/
https:/ scanner targets a specific malware family

Based on the marked content, this document mainly discusses the reverse engineering and vulnerability research of XProtect Remediator (XPR). Key points:
1. XPR is one of macOS's three anti-malware layers, used to remediate malware that has already executed.
2. XPR contains more than 20 scanners, each targeting a specific malware family.
3. The researcher analyzed XPR's initialization, remediation logic and Provenance Sandbox, revealing its internal mechanisms.
4. The research found that XPR is written in Swift and uses Swift Result Builders to improve code readability and maintainability.
5. The researcher also analyzed previously unknown malware families handled by XPR, such as RoachFlight and BadGacha.
6. The researcher developed tooling that makes use of the Provenance Sandbox and found vulnerabilities that bypass XPR.