#BHUSA BlackHatEvents

Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC
Zhongquan Li & Qidan He

Whoami

Zhongquan Li (Guluisacat)
Senior security researcher from Dawn Security Lab of JD.com
Focusing on bug hunting and fuzzing in Android, IoT, and Apple products
Blog: https:/

Qidan He (flanker_hqd)
Director, Chief security researcher from Dawn Security Lab of JD.com
Focusing on security architecture of mobile and cloud native security, bug hunting, anti-fraud
Blog: https:/blog.flanker017.me

About Dawn Security Lab

Dawn Security Lab of JD.com
Found 200+ CVEs in Google, Apple, Samsung, Huawei, etc.
Members include previous Pwn2Own and DEFCON winners
Pwnie Award 2022 winner for best privilege escalation (Mystique) https:/

Why I Switched from Android to Apple for Vulnerability Research

1. Better vulnerability disclosure policy
2. Higher bug bounties
3. I built a system using AFL+Unicorn to simulate and fuzz Android TAs. By building a custom syscall API, it can be adapted for macOS/iOS. https:/

Goals and Findings

Goals
1. Analyze and exploit macOS userland vulnerabilities to identify fuzzing targets
2. Bypass all user space security mechanisms to gain full control of the computer

Findings
Over 40 exploitable logic vulnerabilities have been discovered since July 2023

Content Adjustment Due to Unpatched Vulnerabilities

Agenda

1. Security Protections on macOS
2. Transforming a Traditionally Useless Bug into a Sandbox Escape
3. A Permission Granting Mechanism on macOS
4. Everything you need to know about AppData TCC
5. Summary

Section 1: Security Protections on macOS

System Integrity Protection: Rootless
https:/
https:/ Integri