
OS X Exploits and Defense: Own it...Just Like Windows or Linux!

by Paul Baccas

Contrary to popular belief, there has never been any shortage of Macintosh-related security issues. OS9 had issues that warranted attention. However, due to both ignorance and a lack of research, many of these issues never saw the light of day. No solid techniques were published for executing arbitrary code on OS9, and there are no notable legacy Macintosh exploits. Because obvious vulnerabilities and accompanying exploits were both absent, the Macintosh appeared to be a solid platform. Threats to Apple's OS X operating system are now increasing in both sophistication and number. Whether it is the exploitation of a growing number of holes, the use of rootkits for post-compromise concealment, or distributed denial of service, knowing why the system is vulnerable and understanding how to defend it is critical to computer security.

* Macintosh OS X Boot Process and Forensic Software. All the power, all the tools, and all the geekery of Linux is present in Mac OS X. Shell scripts, X11 apps, processes, kernel extensions...it's a UNIX platform. Now you can master the boot process and Macintosh forensic software.

* Look Back Before the Flood and Forward Through the 21st Century Threatscape. Back in the day, a misunderstanding of Macintosh security was more or less industry-wide. Neither the administrators nor the attackers knew much about the platform. Learn from Kevin Finisterre how and why that has all changed.

* Malicious Macs: Malware and the Mac. As OS X moves further from desktops, laptops, and servers into the world of consumer technology (iPhones, iPods, and so on), what are the implications for the further spread of malware and other security breaches? Find out from David Harley.

* Malware Detection and the Mac. Understand why the continuing insistence of vociferous Mac zealots that it "can't happen here" is likely to aid OS X exploitation.

* Mac OS X for Pen Testers. With its BSD roots, super-slick graphical interface, and near-bulletproof reliability, Apple's Mac OS X provides a great platform for pen testing.

* WarDriving and Wireless Penetration Testing with OS X. Configure and use the KisMAC WLAN discovery tool to WarDrive. Next, use the information obtained during a WarDrive to penetrate a customer's wireless network.

* Leopard and Tiger Evasion. Follow Larry Hernandez through exploitation techniques, tricks, and features of both OS X Tiger and Leopard, using real-world scenarios to explain and demonstrate the concepts behind them.

* Encryption Technologies and OS X. Apple has come a long way from the bleak days of OS9. There is now a wide array of encryption choices within Mac OS X. Let Gareth Porteous show you what they are.

• Cuts through the hype with a serious discussion of the security vulnerabilities of the Mac OS X operating system
• Reveals techniques by which OS X can be "owned"
• Details procedures to defeat these techniques
• Offers a sober look at emerging threats and trends

Product Details

Elsevier Science
File size: 4 MB

Read an Excerpt

OS X Exploits and Defense

By Kevin Finisterre, Larry H., David Harley, and Gareth Porteous

Syngress Publishing, Inc.

Copyright © 2008 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055876-9

Chapter One

Macintosh OS X Boot Process and Forensic Software

Solutions in this chapter:

* The Boot Process

* The Macintosh Boot Process

* Macintosh Forensic Software

    * Summary


    "The computer for the rest of us" was never considered much of a hacker's platform. The original Mac didn't even have arrow keys (or a control key, for that matter), forcing the user to stop what he was doing, take his hands off the keyboard, and use the mouse. The Mac's case was sealed so tight, a special tool known as the "Mac cracker" was made to break it open. It was a closed machine, an information appliance. The expansionless design and sealed case of the Mac stood in stark contrast to the Apple II that came before it.

    With its rich graphical interface and ease of use, the Mac became the standard for graphic artists and other creative types. Custom icons and desktop patterns soon abounded. The users that embraced the Macintosh for its simplicity began using ResEdit (Resource Editor) to modify system files and to personalize their machines. The Mac developed a fanatical following, and you could rest assured that each fanatic's system was unique, with the icons, menus, program launchers, windows, sounds, and keyboard shortcuts all scrutinized and perfected to meet his personal needs. My Color Classic even played Porky Pig's "That's all folks" each time it shut down (although the novelty wore off on that one pretty quick ...).

    Mac OS X was met with some trepidation. It broke every program and system modification, it didn't have a proper Apple menu — and what on earth was this "dock"? Jef Raskin, who gave the Mac its name, wrote of Mac OS X, "Apple has ignored for years all that has been learned about developing UIs. It's unprofessional, incompetent, and it's hurting users." Bruce Tognazzini, founder of the Apple Human Interface Group, even penned an article titled "Top 10 Reasons the Apple Dock Sucks."

    Mac OS X was an entirely different operating system. Most classic Mac OS applications were compatible, but only when operating inside a special run-time environment. All system extensions and user interface modifications were permanently lost. For many users, these changes were what made the computer "theirs," and they relied heavily upon their customizations to get work done efficiently. The loss was tremendous. And it was worth it.

    Preemptive multitasking, symmetric multiprocessing, multithreading, and protected memory ... Protected memory was the one I wanted most.

    At a 1998 keynote, Steve Jobs showed off a mere dialog box, to great applause. The dialog read: "The application Bomb has unexpectedly quit. You do not need to restart your computer." I take it for granted on Mac OS X, but as I write this, I'm recalling occasions when Internet Explorer brought my entire system down multiple times in a single day.

    Protected memory doesn't do much good when all your apps are running in the Classic Environment, and the user interface did indeed leave a lot to be desired. But with each revision, Mac OS X has improved dramatically. The Macintosh has become "the computer for everybody." For novices, it remains the easiest computer there is. For enthusiasts, as in the old days, there is a vast array of third-party applications, utilities, and customizations to tweak and improve the way the OS works. For hackers and programmers, there's the command line and the BSD Unix compatibility layer.

    All the power, all the tools, and all the geekery of Linux is present in Mac OS X. Shell scripts, X11 apps, processes, kernel extensions ... it's a UNIX platform. It's even possible to forgo Apple's GUI altogether and run KDE. Why you'd want to is another matter. While its UNIX core is what has made Mac OS X a viable platform for hackers and programmers, it's the user interface that has made it popular.

    Apple's Terminal application is perpetually running on my PowerBook, but so is iTunes, iCal, and a slew of Dashboard Widgets.

    The Boot Process

    In this section we will look at the startup process that most computers go through and how the fundamental operating systems get loaded and started. You will see that computers start with tiny steps that build on each other, getting larger until the entire system is loaded and running. Only then can you, the end user, issue commands that the computer interprets and understands.

    One of the most popular analogies for how a computer starts up is the amnesia scenario. For a moment look around you at the things you use everyday: telephones, pencils, coffee cups, and so on. Now imagine that you closed your eyes and when you opened them you didn't recognize any of those things, and didn't know how they worked. That is what happens inside a computer when you press the reset or the power button.

    At the most fundamental level, computers understand only two things: true and false. The process of getting the computer from being a completely blank state to a fully running operating system is one of the fundamental items that every investigator should understand.

    After looking at how a Macintosh boots, we will look at some of the tools that are available for analyzing Macintosh systems using both the Macintosh and Windows operating systems.

    The term "boot," depending on whom you talk to, came either from the old phrase "pulling one's self up by the bootstraps" or simply from the word "bootstrap," meaning the leather tabs you use to pull on your boots. Either way it is part of computer history and lore and is the common term for the initial startup of a system. All PC-compatible systems able to run Microsoft Windows or Linux go through the same BIOS-based boot-up process. Once the computer completes this initial startup, the specific operating system loads what it needs to continue. First we will look at the boot process in detail.

    The Macintosh Boot Process

    In this section, we will briefly examine the way an Apple Macintosh computer boots. The information here covers Mac OS X on Intel-based Macs, which use the Extensible Firmware Interface (EFI) as their boot firmware. Older PowerPC-based Macs (with processors from Motorola and IBM) use a different boot process: their firmware is Open Firmware, which is based on the IEEE 1275 standard and plays much the same role as the BIOS noted earlier, and it hands off to a different boot loader. The stages that follow the firmware are the same on both.

    EFI and BIOS: Similar but Different

    Just like any other computer on the market, when the power switch is activated on a Macintosh, the system goes through a Power On Self Test (POST), resets the microprocessor, and starts executing its initialization code, which on an Intel Mac is EFI (and on a PowerPC Mac Open Firmware) rather than a PC BIOS.

    Like a BIOS, the Extensible Firmware Interface (EFI) checks the configuration of the machine and loads any device option ROMs that it finds into memory. It then looks for a default boot device ... and here is where it gets interesting. There are numerous optional startup functions the firmware can perform based on user input. Single keys, known as "snag keys," can be held during power-up to make the system boot from a specific device:

    * Pressing the C key will attempt to boot from the CD/DVD-ROM drive.

    * Pressing the D key will attempt to boot from the first hard disk drive.

    * Pressing the N key will attempt to boot from the Network Interface Controller (NIC).

    * Pressing the Z key will attempt to boot from the Zip drive.

    Which of these keys a particular machine honors depends on its model and firmware revision, so check Apple's startup key documentation for the exact model before relying on one of them during an acquisition.

    On a PowerPC Mac it is also possible to enter the interactive Open Firmware prompt by holding the Cmd-Opt-O-F key combination during power-up; Intel Macs do not expose an EFI shell through any key combination. (Note: If you are like me and just tried this before reading on, typing mac-boot at the prompt will let the Macintosh finish booting.) You should read a good source of Open Firmware commands before trying the console mode. An excellent mirror of the Open Firmware Working Group is at http://bananjr6000.Apple.com/1275/.

    On an Intel Mac the firmware hands control to Apple's boot loader, the boot.efi file in /System/Library/CoreServices on the boot volume. boot.efi loads the OS X kernel and its cache of kernel extensions into memory and transfers control to the kernel, which in turn starts launchd, the process that brings up the rest of the system and eventually the login window. Every hand-off in this chain (firmware to boot.efi, boot.efi to kernel, kernel to extensions) is a place where a modified component could be inserted, which is why an examiner records hashes of boot.efi and the kernel along with the rest of the acquisition.


    To many die-hard Macintosh users the move to OS X wasn't immediately seen as a move to an open source UNIX environment, but it wasn't long before they realized their beloved Mac was now a UNIX machine. When you look at the roots of OS X, a large number of open source modules and programs were obtained from other groups, including Carnegie Mellon, FreeBSD, GNU, Mach, XFree86, NEXTSTEP, and OPENSTEP.

    The OS X Kernel

    In a nutshell, the real OS X is what you get when several components come together. XNU is the name of the OS X kernel (the file mach_kernel at the root of the boot volume). It is made up of the following modules:

    * Mach: Provides the core kernel services: tasks and threads, virtual memory, scheduling, and inter-process communication

    * BSD: Provides the primary system programming interface, including the POSIX system calls, the process model, file systems, and networking

    * I/O Kit: Provides the object-oriented driver framework

    * LIBSA and LIBKERN: Kernel support libraries

    * The Platform Expert: A motherboard-specific hardware abstraction layer

    * Apple I/O components: The unique Mac interfaces

    Apple layers its own proprietary components on top of the open source pieces listed above to give the Macintosh its look and feel. Carbon, Cocoa, Quartz, OpenGL, QuickTime, and the Aqua interface are just a few of the unique interfaces that make the Macintosh so special.
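Of all these modules, kernel extensions are the ones a forensic examiner looks at first, because a kernel-mode rootkit on OS X arrives as a kext and then tries to hide. The script below is an added example written for this page, not code from the book or from any tool it mentions. It parses the output of kextstat (the column layout, index / refs / address / size / wired / name (version) <linked against>, is assumed from the 10.5-era tool; the sample text is constructed and the non-Apple bundle identifiers in it are invented) and flags two things: a kext outside the com.apple namespace, and a kext that is loaded but whose bundle is no longer present on disk, the load-then-delete pattern. A rootkit can also unlink itself from the kernel's kmod list, so an empty result is not a clean bill of health; it is only the cheap first pass before memory analysis.

```python
"""Audit a kextstat listing for kernel extensions that warrant a closer look.

Added example, not from the book. The column layout is assumed from the
OS X 10.5-era kextstat; the sample output and the on-disk bundle list are
constructed, and the com.example.* / AppleFakeDisk identifiers are invented.
"""
import re

KEXTSTAT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<bundle>\S+)\s+\((?P<version>[^)]*)\)(?:\s+<(?P<links>[^>]*)>)?\s*$"
)

# Constructed sample of `kextstat` output (layout assumed, identifiers invented).
SAMPLE_KEXTSTAT = """\
Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (9.8.0)
    2   54 0x0        0x0        0x0        com.apple.kpi.bsd (9.8.0)
   18    0 0x2a9b4000 0x4000     0x3000     com.apple.driver.AppleHPET (1.3) <2 1>
   91    0 0x5e0a3000 0x6000     0x5000     com.example.kmod (1.0) <2 1>
   92    0 0x5e0b1000 0x3000     0x2000     com.apple.driver.AppleFakeDisk (1.0) <2 1>
"""

# Constructed result of walking /System/Library/Extensions and reading each
# bundle's CFBundleIdentifier. AppleFakeDisk is deliberately absent.
SAMPLE_ON_DISK = {
    "com.apple.kernel",
    "com.apple.kpi.bsd",
    "com.apple.driver.AppleHPET",
    "com.example.kmod",
}


def parse_kextstat(text):
    """Turn kextstat output into a list of dicts; header and blank lines are skipped."""
    kexts = []
    for line in text.splitlines():
        m = KEXTSTAT_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        kexts.append({
            "index": int(d["index"]),
            "refs": int(d["refs"]),
            "addr": int(d["addr"], 16),
            "size": int(d["size"], 16),
            "wired": int(d["wired"], 16),
            "bundle": d["bundle"],
            "version": d["version"],
            "links": [int(x) for x in d["links"].split()] if d["links"] else [],
        })
    return kexts


def audit_kexts(text, on_disk_bundles, trusted_prefixes=("com.apple.",)):
    """Return (bundle, reason) findings for kexts that deserve a closer look."""
    findings = []
    for k in parse_kextstat(text):
        bundle = k["bundle"]
        if not bundle.startswith(trusted_prefixes):
            findings.append((bundle, "bundle identifier outside trusted namespace"))
        # A load address of 0x0 marks kernel-resident pseudo-kexts (the kpi.*
        # interfaces), which have no bundle of their own, so skip them here.
        if k["addr"] != 0 and bundle not in on_disk_bundles:
            findings.append((bundle, "loaded but no bundle on disk"))
    return findings


if __name__ == "__main__":
    for bundle, reason in audit_kexts(SAMPLE_KEXTSTAT, SAMPLE_ON_DISK):
        print(f"{bundle}: {reason}")
```

On a live system the two inputs come from `kextstat` and from walking /System/Library/Extensions (and any other kext directory the machine uses), and a finding is the cue to pull the kext's code out of a memory image rather than from disk.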

    Macintosh Forensic Software

    Only recently has the Macintosh begun to be accepted in the forensic community. Listed next are just a few of the tools that can make forensics of OS X systems easier.

    As with all forensic tools, the examiner should have a solid understanding of how each tool works and should be able to demonstrate that every finding the tool produced can be reproduced, since that is what will be required in court.

    BlackBag Forensic Suite

    BlackBag Technologies, Inc. is one of the few providers of forensic software for the Macintosh platform. Its Macintosh Forensic Suite is a collection of 26 modules that can be launched individually or from the Forensic Suite Toolbar (see Figure 1.1).

    Directory Scan

    The Directory Scan utility lets you view all the files and folders on a Macintosh volume (see Figure 1.2). A volume can be any mounted storage device, including USB or FireWire devices. All files, including invisible files, can be examined, showing data fork and resource fork sizes, Creator and Type codes, and all the important date/time stamps.

    You can select individual files and folders for export to a new directory for further examination as well as printing a comprehensive report on all the files viewed or selected in the main window.


    FileSpy

    When you need to take a quick look inside a file that has forks, FileSpy is a good tool (see Figure 1.3). This utility allows you to view either fork of a file, see the relative sizes of each fork, and move directly to any sector of a file. The utility even includes an ASCII filter to aid in file viewing.
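Directory Scan and FileSpy read Type/Creator codes and fork sizes straight from the HFS+ catalog. When the same files are copied onto a volume with no native resource forks (a FAT-formatted USB stick, a zip archive, a network share), OS X preserves that metadata in an AppleDouble sidecar named ._<filename>, and an examiner working from a Linux or Windows workstation can recover it by parsing the sidecar. The following parser is an added example, not code from the book or from BlackBag's suite. It follows the AppleSingle/AppleDouble version 2 layout (magic, version, 16 filler bytes, entry count, then an entry table of id/offset/length) and reads entry 9 (Finder Info, whose first eight bytes are the Type and Creator codes), entry 2 (the resource fork) and entry 4 (the Finder comment). The sample sidecar it parses is constructed inside the block; the Type/Creator values and the comment in it are made up.

```python
"""Parse AppleDouble sidecar files (._name) for Finder info and fork sizes.

Added example, not from the book. Layout per the AppleSingle/AppleDouble
format specification (version 2). The sample blob is constructed below.
"""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
VERSION_2 = 0x00020000

# Entry IDs defined by the format.
ENTRY_DATA_FORK = 1
ENTRY_RESOURCE_FORK = 2
ENTRY_REAL_NAME = 3
ENTRY_COMMENT = 4
ENTRY_FINDER_INFO = 9


def parse_appledouble(blob):
    """Return Type/Creator codes, resource fork length, comment and entry IDs."""
    if len(blob) < 26:
        raise ValueError("too short to be an AppleDouble header")
    magic, version = struct.unpack(">II", blob[:8])
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise ValueError(f"bad magic 0x{magic:08x}")
    if version != VERSION_2:
        raise ValueError(f"unsupported version 0x{version:08x}")
    (count,) = struct.unpack(">H", blob[24:26])   # 8-byte header + 16 filler bytes
    entries = {}
    pos = 26
    for _ in range(count):
        if pos + 12 > len(blob):
            raise ValueError("entry table truncated")
        entry_id, offset, length = struct.unpack(">III", blob[pos:pos + 12])
        pos += 12
        # Bounds check: a crafted or truncated sidecar must not read past the blob.
        if offset + length > len(blob):
            raise ValueError(f"entry {entry_id} points outside the file")
        entries[entry_id] = blob[offset:offset + length]

    info = {"type": None, "creator": None, "resource_fork_len": 0,
            "comment": None, "entries": sorted(entries)}
    finder = entries.get(ENTRY_FINDER_INFO)
    if finder is not None and len(finder) >= 8:
        # FInfo: fdType(4) fdCreator(4) fdFlags(2) fdLocation(4) fdFldr(2), then FXInfo(16).
        info["type"] = finder[0:4].decode("mac_roman")
        info["creator"] = finder[4:8].decode("mac_roman")
    if ENTRY_RESOURCE_FORK in entries:
        info["resource_fork_len"] = len(entries[ENTRY_RESOURCE_FORK])
    if ENTRY_COMMENT in entries:
        info["comment"] = entries[ENTRY_COMMENT].decode("mac_roman")
    return info


def is_valid_appledouble(blob):
    """True if the blob parses cleanly, False on any structural error."""
    try:
        parse_appledouble(blob)
        return True
    except ValueError:
        return False


def build_appledouble(file_type, creator, resource_fork, comment=b""):
    """Construct a minimal version-2 AppleDouble blob (used here to make sample input)."""
    finder_info = file_type + creator + b"\x00" * 24      # 16-byte FInfo + zeroed FXInfo
    bodies = [(ENTRY_FINDER_INFO, finder_info), (ENTRY_RESOURCE_FORK, resource_fork)]
    if comment:
        bodies.append((ENTRY_COMMENT, comment))
    offset = 26 + 12 * len(bodies)                       # payload starts after the table
    table = b""
    payload = b""
    for entry_id, body in bodies:
        table += struct.pack(">III", entry_id, offset, len(body))
        payload += body
        offset += len(body)
    return (struct.pack(">II", APPLEDOUBLE_MAGIC, VERSION_2) + b"\x00" * 16
            + struct.pack(">H", len(bodies)) + table + payload)


# Constructed sample: a classic Mac application sidecar with a 300-byte resource
# fork and a Finder comment. Type, Creator and comment text are invented.
SAMPLE = build_appledouble(b"APPL", b"ToyS", b"\xaa" * 300, b"staged by attacker")

if __name__ == "__main__":
    print(parse_appledouble(SAMPLE))
```

The bounds check matters in practice: sidecars on a seized USB stick are attacker-controlled input, and a tool that trusts the offset/length table will read or crash on a crafted ._ file.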


    HeaderBuilder

    Because a file header contains computed fields, changing or repairing one with a traditional hex editor is time-consuming and math intensive. HeaderBuilder makes this an easy task by letting you make the changes and then generate the CRC32 checksum and the MD5 hash of the file immediately (see Figure 1.4).

    Other Tools

    Other utilities in the Forensic Suite include:

    * Breakup: Splits large folders or files into more manageable sizes.

    * Comment Hunter: Looks in the Comment fields of Mac files for keywords.

    * DCFLDDassistant: Launches the Macintosh version of dcfldd, the forensic variant of dd that hashes the data as it copies it.

    * File Searcher: Looks for specific filenames or Type/Creator codes.

    * GraphicView: Uses the QuickTime engine to view image files or movies.

    * HFS Extractor: Converts between image file formats (SafeBack, Linux, DD, FWB).

    * ImageBuster: Searches image files for keywords.

    * ListBuilder: Lets you create keyword lists in native languages (Spanish, Russian, etc.).

    * LockMaster: Lets you quickly lock or unlock a large number of files/folders.

    * MacCarver: Lets you carve image files from within a container.

    * PhantomSearch: Captures all the invisible files on a volume.

    * Typer: A very fast little utility that shows or changes the Type/Creator codes for a given file.

    * VolumeExplorer: HFS partition analyzer.

    Carbon Copy Cloner

    Mike Bombich has created a handy utility called Carbon Copy Cloner (CCC) for making backups or copies of important data on your Macintosh. It is a front-end for several less-than-intuitive utilities that are part of OS X.

    As the name implies, CCC can clone one hard disk to another when you use its default options. The copy can also be made to an image file on another drive, but it should be noted that this is not a forensic copy of the original (see Figure 1.5): CCC copies files, not the raw bytes of the volume, so free space, slack space, and deleted data are not preserved, and no acquisition hash is taken.

    Documentation is available at the Bombich Software site: www.bombich.com/ software/ccc.html.

    Only Macintosh formatted volumes can be "cloned" using CCC; any other DOS or UNIX formats are not recognized in the drop-down menus. If you do not have psync installed, you can install it from the Preferences menu (see Figure 1.6).
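The distinction between a clone and a forensic copy is worth making concrete. A forensic imager reads the source block by block, writes the same bytes to the image, and hashes the stream as it goes, so that the acquisition hash can later be compared against the image; dcfldd additionally records a hash for every N bytes, which localises any later damage to one window. The code below is an added example written for this page, not dcfldd itself, Carbon Copy Cloner, or BlackBag's HeaderBuilder. It produces the whole-file MD5, SHA-1 and CRC32 (the same values HeaderBuilder reports) plus per-window MD5s, and its demo() constructs a 10,000-byte source in a temporary directory, images it, verifies the image, then flips one byte to show the verification failing. The block and window sizes are illustrative defaults, not values taken from any tool.

```python
"""Forensic imaging with on-the-fly hashing, in the style of dcfldd.

Added example, not from the book, dcfldd, Carbon Copy Cloner or BlackBag.
The source data in demo() is constructed.
"""
import hashlib
import os
import tempfile
import zlib


def image_with_hashes(src_path, dst_path, block_size=512, hash_window=4096):
    """Copy src to dst block by block, hashing the stream as it passes.

    Returns whole-file MD5/SHA-1/CRC32, the byte count, and one MD5 per
    hash_window bytes (the last window may be partial).
    """
    if hash_window % block_size:
        raise ValueError("hash_window must be a multiple of block_size")
    md5, sha1, crc, total = hashlib.md5(), hashlib.sha1(), 0, 0
    windows, win_md5, win_fill = [], hashlib.md5(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            dst.write(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)          # chained CRC equals CRC of the whole stream
            total += len(chunk)
            win_md5.update(chunk)
            win_fill += len(chunk)
            if win_fill >= hash_window:
                windows.append(win_md5.hexdigest())
                win_md5, win_fill = hashlib.md5(), 0
        dst.flush()
        os.fsync(dst.fileno())                     # make sure the image really hit the disk
    if win_fill:
        windows.append(win_md5.hexdigest())        # final partial window
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "crc32": f"{crc & 0xffffffff:08x}", "bytes": total, "windows": windows}


def md5_of_file(path, block_size=65536):
    """Streaming MD5 of a file, for re-verification after acquisition."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, expected_md5):
    """Re-read the image and confirm it still matches the acquisition hash."""
    return md5_of_file(image_path) == expected_md5


def demo():
    """Image a constructed 10,000-byte source, verify it, then show that
    flipping one byte in the image is detected. Returns everything checked."""
    data = bytes(range(256)) * 39 + b"\x00" * 16   # 9984 + 16 = 10000 bytes, constructed
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.bin")
        img = os.path.join(tmp, "image.dd")
        with open(src, "wb") as f:
            f.write(data)
        result = image_with_hashes(src, img)
        intact = verify_image(img, result["md5"])
        with open(img, "r+b") as f:                # tamper with a single byte of the image
            f.seek(5000)
            f.write(b"\xff")
        still_matches = verify_image(img, result["md5"])
    return {"result": result, "intact": intact, "tampered_matches": still_matches,
            "reference_md5": hashlib.md5(data).hexdigest(),
            "reference_crc32": f"{zlib.crc32(data) & 0xffffffff:08x}"}


if __name__ == "__main__":
    out = demo()
    print(out["result"]["md5"], out["result"]["bytes"], len(out["result"]["windows"]))
    print("intact:", out["intact"], "after tampering:", out["tampered_matches"])
```

Against a real device the source would be the raw disk node (opened read-only, ideally through a hardware write blocker) and the per-window hashes would be written to a log beside the image, which is what lets a later mismatch be traced to a specific range instead of discarding the whole acquisition.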


    Excerpted from OS X Exploits and Defense by Kevin Finisterre, Larry H., David Harley, and Gareth Porteous. Copyright © 2008 by Elsevier, Inc. Excerpted by permission of Syngress Publishing, Inc. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

    Meet the Authors

    Paul Baccas is a researcher at Sophos plc, the UK security company. After reading Engineering Science at Exeter College, Oxford, he worked in various technical roles at Sophos, and is now mainly engaged in spam research. He is a frequent contributor to Virus Bulletin.

    Kevin Finisterre is the former Head of Research and Co-founder of SNOSoft, Inc. aka Secure Network Operations. Kevin's primary focus has been on the dissemination of information relating to the identification and exploitation of software vulnerabilities on various platforms. Apple, IBM, SAP, Oracle, Symantec, and HP are among many vendors that have had problems that were identified by Kevin. Kevin is currently very active in the Apple research and exploitation scene. He enjoys testing the limits and is constantly dedicated to thinking outside the box. His current brainchild is the project he calls DigitalMunition.com.

    Larry H. has been doing security research on the Macintosh platform for over two years (since mid-2006), with a strong focus on kernel-land security and the implementation of proactive defense mechanisms for both Linux and the XNU kernel. Even though computers aren't his main occupation, he enjoys developing new and improving existing exploitation and IDS evasion techniques, as well as researching secure OS design, security policy frameworks (MAC, RBAC, MLS, etc.), and applied data mining. Even though this all sounds pretty serious, he enjoys humor and banter, as well as reading through the King James Bible quite frequently.

    David Harley has been researching and writing about malicious software and other security issues since the end of the 1980s. From 2001 to 2006 he worked in the UK's National Health Service as a National Infrastructure Security Manager, where he specialized in the management of malicious software and all forms of email abuse, as well as running the Threat Assessment Centre, and has worked since as an independent author and consultant for Small Blue-Green World. He joined ESET's Research team in January 2008. He was co-author of Viruses Revealed (McGraw-Hill) and lead author and technical editor of The AVIEN Malware Defense Guide for the Enterprise (Syngress), as well as a contributor to Botnets: the Killer Web App (Syngress). He has contributed chapters to many other books on security and education for publishers such as Wiley, Pearson and Vieweg, as well as a multitude of specialist articles and conference papers. In his copious free time he is Chief Operations Officer for AVIEN (the Anti-Virus Information Exchange Network) and administers the MAC Virus web site.

    Gary Porteous is a professional security researcher based in the UK and a keen advocate of open source projects. A hacker in the old sense of the word, someone who creatively dissects and reconstructs technology, Gary feels as much at home tinkering with small, finite problems as considering the pattern of modern technology and its larger implications. Having been involved with Macintosh security since 1998, he has more recently worked as a systems engineer and consultant, and is currently employed as a Macintosh computer expert in the UK educational sector. Alongside all this he enjoys escaping to the countryside whenever possible and helping to run the organization AppleseedUK (www.appleseeduk.org).

    Chris Hurley is a Senior Penetration Tester in the Washington, DC area. He has more than 10 years of experience performing penetration testing, vulnerability assessments, and general INFOSEC grunt work. He is the founder of the WorldWide WarDrive, a four-year project to assess the security posture of wireless networks deployed throughout the world. Chris was also the original organizer of the DEF CON WarDriving contest. He is the lead author of WarDriving: Drive, Detect, Defend (Syngress Publishing, ISBN: 19318360305). He has contributed to several other Syngress publications, including Penetration Tester's Open Source Toolkit (ISBN: 1-5974490210), Stealing the Network: How to Own an Identity (ISBN: 1597490067), InfoSec Career Hacking (ISBN: 1597490113), and OS X for Hackers at Heart (ISBN: 1597490407). He has a BS from Angelo State University in Computer Science and a whole bunch of certifications to make himself feel important.

    Johnny Long is a Christian by grace, a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author. He can be found lurking at his website (http://johnny.ihackstuff.com). He is the founder of Hackers For Charity(http://ihackcharities.org), an organization that provides hackers with job experience while leveraging their skills for charities that need those skills.
