🔺New on the Apple Security Research blog: we pit our hardened kalloc_type XNU allocator against SockPuppet, a powerful vulnerability from the past: https://t.co/UyTkz1slu3
We've released a new blog on an APT malware targeting macOS that we call RustBucket. The actor is using decoy PDF documents that act as a key when loaded within an attacker provided pdf app. The malware has three stages. Check out our writeup for details
https://t.co/huj7JET9Sm
Happy Friday everyone! Want a ProcMon for macOS? Ever wish you had your own Endpoint Security client you could task? Want to peer behind the macOS EDR curtain? Have a go and let us know what you think!
https://t.co/uVL198bU0W
Stoked to announce "Objective by the Sea" (#OBTS) v6.0 🍎🧑🏻🏫🌴☀️
Details:
📍 Marbella, Spain
🗓️ Oct 9ᵗʰ - 13ᵗʰ '23
ℹ️ Hop over to the conf. site to sign up for trainings, conference, & book a room at the venue: https://t.co/bmEX5iRpX8
Can't wait to see y'all at the there! 🥰
New Project Zero blog post in which I dissect Apple DER-encoded entitlements and tell a story about how I found a fun (albeit short-lived) bug in the way they were decoded. https://t.co/Ey6UJh2Umf
Today we are releasing Hyperpom, a fuzzing framework for ARM64 binaries based on the Apple Silicon hypervisor. Check out our latest blogpost, as well as our GitHub repo, to learn more about the project and its internals.
📙 https://t.co/cUZUa4KrXq
🗃️ https://t.co/pSWZThor2o
LIVE: Apple Security Research, our new blog and website at https://t.co/Ssr3471Pju! We launch with an update on Apple Security Bounty (https://t.co/b7aYxqidka), and a deep dive into some fundamental XNU memory safety improvements with kalloc_type (https://t.co/evVdUYYo5p). Enjoy!
iBoot running on QEMU? 🔥🌸
In case you missed our BH talk, here is one of the presented demo. The slides should be linked below.
Meanwhile, our new DWC3 USB emulation and iOS 16 support is published, be sure to check it out at the repo.
https://t.co/40kYzFh4xr
I'm going to start a series of two blog posts related to iOS obfuscation.
The first part will be about RASP on iOS like detecting the Frida's Stalker or using the iOS Sandbox to detect jailbroken devices.
https://t.co/nXAE2DiAlY
I put together a quick blogpost about this new AMFI Launch Constraints mitigation, with examples what kind of exploits it prevents. Again this was long time needed. Well done to everyone involved!
https://t.co/RMCgyexFu5
Updates to @Apple's Endpoint Security Framework (ESF)!
- Ability to mute events based on path/process
- New `eslogger` binary to quickly get your hands dirty with ESF
- More userland events!
https://t.co/5M7NBZHLWz
It took a while, but the English version of the macOS Forensics Hands-on Workshop materials are now available. Have fun! https://t.co/dN5ntsnVD0 https://t.co/rhH8FYv5wb #DFIR#JSAC2022
Took some time recently to dive into in-memory Mach-O execution on macOS. I dig into the API calls necessary to perform reflective code loading, present my Swift implementation, cover nuances on Big Sur vs Monterey, and how to detect it on Monterey!
https://t.co/qyT1LTUCTj
Just published a @fridadotre tutorial, with a focus on iOS devices. It contains an introduction to Frida and iOS, low-level iOS interfaces (GCD, XPC, IOKit, Mach), and Objective-C instrumentation.
https://t.co/5fR0MZzBDB
https://t.co/CIYu9dSj6o
https://t.co/JVYHSsbywi