Thursday 1 October 12:00 - 12:30, Green room
Patrick Wardle (Synack)
download slides (PDF)
Gatekeeper is an anti-malware feature built directly into OS X. Apple states that it 'allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse'. Most OS X users have likely encountered Gatekeeper in action, as it blocked the execution of unsigned binaries or (depending on their settings), applications not from the Mac App Store.
All is good, right? Well, not really! To start, there is little technical information about how, exactly, Gatekeeper is implemented. This talk seeks to expose the inner workings of Gatekeeper and, more broadly, delve into the concept of quarantined files. From a security point of view this is an important undertaking, as issues such as CVE-2015-3715 (discovered by the author) have previously been uncovered that completely bypassed Gatekeeper, allowing unsigned code to be executed. Moreover, even today, architectural limitations of Gatekeeper can be abused to execute malicious unsigned binaries. Such limitations, though demonstrated before (by the author at BlackHat), will be fully detailed for the first time. In short, this talk will provide a solid technical overview of Gatekeeper's design and implementation, and will discuss both patched and currently unpatched vulnerabilities and weaknesses in this core OS X security mechanism.