
Zhongquan Li and Qidan He_Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC.pdf

Uploaded by: Zhang** ID: 175575 2024-09-13 154 pages 17.23MB

#BHUSA BlackHatEvents

Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC
Zhongquan Li & Qidan He

Whoami

Zhongquan Li (Guluisacat)
Senior security researcher from Dawn Security Lab of JD.com
Focusing on bug hunting and fuzzing in Android, IoT, and Apple products
Blog: https:/

Qidan He (flanker_hqd)
Director, Chief security researcher from Dawn Security Lab of JD.com
Focusing on security architecture of mobile and cloud native security, bug hunting, anti-fraud
Blog: https://blog.flanker017.me

About Dawn Security Lab

Security Lab of JD.com
Found 200+ CVEs in Google, Apple, Samsung, Huawei, etc
Members consisting of previous Pwn2Own and DEFCON winners
Pwnie Award 2022 winner for best privilege escalation Mystique
https:/ https:/

Why I Switched from Android to Apple for Vulnerability Research

1. Better vulnerability disclosure policy
2. Higher bug bounties
3. I built a system using AFL+Unicorn to simulate and fuzz Android TAs. By building a custom syscall API, it can be adapted for macOS/iOS
https:/

Goals and Findings

Goals
1. Analyze and exploit macOS userland vulnerabilities to identify fuzzing targets
2. Bypass all user space security mechanisms to gain full control of the computer

Findings
Over 40 exploitable logic vulnerabilities have been discovered since July 2023

Content Adjustment Due to Unpatched Vulnerabilities

Agenda

1. Security Protections on macOS
2. Transforming a Traditionally Useless Bug into a Sandbox Escape
3. A Permission Granting Mechanism on macOS
4. Everything you need to know about AppData TCC
5. Summary

Section 1: Security Protections on macOS

System Integrity Protection: Rootless
https:/
https:/ Integri

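This document covers the security protection mechanisms of macOS and how vulnerabilities in those mechanisms can be used for sandbox escape. It first introduces the security protections on macOS, including System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC). It then analyzes in detail how a seemingly useless folder-creation bug is turned into a sandbox escape, involving the quarantine flag, the user-selected feature, Apple Events, and more. Next, it discusses AppData TCC, introduced in macOS 14, and how the MACL permission-granting mechanism can be used to bypass TCC restrictions. Finally, it summarizes the current state of macOS security protections and notes that more than 30 related vulnerabilities are still awaiting fixes.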