OS X Exploits and Defense: Own it...Just Like Windows or Linux! [NOOK Book]




NOOK Book (eBook). BN.com price: 21% below the $62.95 list price.


Threats to Macintosh's OS X operating system are increasing in sophistication and number. Whether it is the exploitation of an increasing number of holes, use of rootkits for post compromise concealment or distributed denial of service, knowing how the system is vulnerable and how to defend it is critical to computer security. This book brings all this information together, providing a solid basis to help you succeed in protecting your organization from risk.

* Cuts through the hype with a serious discussion of the security vulnerabilities of the Mac OS X operating system
* Reveals techniques by which OS X can be "owned"
* Details procedures to defeat these techniques
* Offers a sober look at emerging threats and trends

Product Details

  • ISBN-13: 9780080558769
  • Publisher: Elsevier Science
  • Publication date: 4/18/2011
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 352
  • File size: 4 MB

Meet the Author

Paul Baccas is a researcher at Sophos plc, the UK security company. After reading Engineering Science at Exeter College, Oxford, he worked in various technical roles at Sophos, and is now mainly engaged in spam research. He is a frequent contributor to Virus Bulletin.

Kevin Finisterre is the former Head of Research and Co-founder of SNOSoft, Inc. aka Secure Network Operations. Kevin's primary focus has been on the dissemination of information relating to the identification and exploitation of software vulnerabilities on various platforms. Apple, IBM, SAP, Oracle, Symantec, and HP are among many vendors that have had problems that were identified by Kevin. Kevin is currently very active in the Apple research and exploitation scene. He enjoys testing the limits and is constantly dedicated to thinking outside the box. His current brainchild is the project he calls DigitalMunition.com.

Larry H. has been doing security research on the Macintosh platform for over 2 years (since mid 2006), with a strong focus on kernel-land security and the implementation of proactive defense mechanisms for both Linux and the XNU kernel. Even though computers aren't his main occupation, he enjoys developing new and improving existing exploitation and IDS evasion techniques, as well as researching secure OS design, security policy frameworks (MAC, RBAC, MLS, etc.) and applied data mining. Even though this all sounds pretty serious, he enjoys humor for the banter as well as reading through the King James Bible quite frequently.

David Harley has been researching and writing about malicious software and other security issues since the end of the 1980s. From 2001 to 2006 he worked in the UK's National Health Service as a National Infrastructure Security Manager, where he specialized in the management of malicious software and all forms of email abuse, as well as running the Threat Assessment Centre, and has worked since as an independent author and consultant for Small Blue-Green World. He joined ESET's Research team in January 2008. He was co-author of Viruses Revealed (McGraw-Hill) and lead author and technical editor of The AVIEN Malware Defense Guide for the Enterprise (Syngress), as well as a contributor to Botnets: the Killer Web App (Syngress). He has contributed chapters to many other books on security and education for publishers such as Wiley, Pearson and Vieweg, as well as a multitude of specialist articles and conference papers. In his copious free time he is Chief Operations Officer for AVIEN (the Anti-Virus Information Exchange Network) and administers the MAC Virus web site.

Gary Porteous is a Professional Security Researcher based in the UK and a keen advocate of open source projects. A hacker in the old sense of the word, as someone who creatively dissects and reconstructs technology, Gary feels as much at home tinkering with small, finite problem solving as considering the pattern of modern technology and its larger implications. Having been involved with Macintosh security since 1998, more recently he has worked as a systems engineer and consultant, and is currently employed as a Macintosh computer expert in the UK educational sector. Alongside all this he enjoys escaping to the countryside whenever possible and helping to run the organization AppleseedUK (www.appleseeduk.org).

Chris Hurley is a Senior Penetration Tester in the Washington, DC area. He has more than 10 years of experience performing penetration testing, vulnerability assessments, and general INFOSEC grunt work. He is the founder of the WorldWide WarDrive, a four-year project to assess the security posture of wireless networks deployed throughout the world. Chris was also the original organizer of the DEF CON WarDriving contest. He is the lead author of WarDriving: Drive, Detect, Defend (Syngress Publishing, ISBN: 19318360305). He has contributed to several other Syngress publications, including Penetration Tester's Open Source Toolkit (ISBN: 1-5974490210), Stealing the Network: How to Own an Identity (ISBN: 1597490067), InfoSec Career Hacking (ISBN: 1597490113), and OS X for Hackers at Heart (ISBN: 1597490407). He has a BS from Angelo State University in Computer Science and a whole bunch of certifications to make himself feel important.

Johnny Long is a Christian by grace, a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author. He can be found lurking at his website (http://johnny.ihackstuff.com). He is the founder of Hackers For Charity (http://ihackcharities.org), an organization that provides hackers with job experience while leveraging their skills for charities that need those skills.


Read an Excerpt

OS X Exploits and Defense

By Kevin Finisterre Larry H. David Harley Gareth Porteous

Syngress Publishing, Inc.

Copyright © 2008 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055876-9

Chapter One

Macintosh OS X Boot Process and Forensic Software

Solutions in this chapter:

* The Boot Process

* The Macintosh Boot Process

* Macintosh Forensic Software

* Summary


"The computer for the rest of us" was never considered much of a hacker's platform. The original Mac didn't even have arrow keys (or a control key, for that matter), forcing the user to stop what he was doing, take his hands off the keyboard, and use the mouse. The Mac's case was sealed so tight, a special tool known as the "Mac cracker" was made to break it open. It was a closed machine, an information appliance. The expansionless design and sealed case of the Mac stood in stark contrast to the Apple II that came before it.

With its rich graphical interface and ease of use, the Mac became the standard for graphic artists and other creative types. Custom icons and desktop patterns soon abounded. The users that embraced the Macintosh for its simplicity began using ResEdit (Resource Editor) to modify system files and to personalize their machines. The Mac developed a fanatical following, and you could rest assured that each fanatic's system was unique, with the icons, menus, program launchers, windows, sounds, and keyboard shortcuts all scrutinized and perfected to meet his personal needs. My Color Classic even played Porky Pig's "That's all folks" each time it shut down (although the novelty wore off on that one pretty quick ...).

Mac OS X was met with some trepidation. It broke every program and system modification, it didn't have a proper Apple menu — and what on earth was this "dock"? Jef Raskin, who gave the Mac its name, wrote of Mac OS X, "Apple has ignored for years all that has been learned about developing UIs. It's unprofessional, incompetent, and it's hurting users." Bruce Tognazzini, founder of the Apple Human Interface Group, even penned an article titled "Top 10 Reasons the Apple Dock Sucks."

Mac OS X was an entirely different operating system. Most classic Mac OS applications were compatible, but only when operating inside a special run-time environment. All system extensions and user interface modifications were permanently lost. For many users, these changes are what made the computer "theirs," and they relied heavily upon their customizations to get work done efficiently. The loss was tremendous. And it was worth it.

Preemptive multitasking, symmetric multiprocessing, multithreading, and protected memory ... Protected memory was the one I wanted most.

At a 1998 keynote, Steve Jobs showed off a mere dialog box, to great applause. The dialog read: "The application Bomb has unexpectedly quit. You do not need to restart your computer." I take it for granted on Mac OS X, but as I write this, I'm recalling occasions when Internet Explorer brought my entire system down multiple times in a single day.

Protected memory doesn't do much good when all your apps are running in the Classic Environment and the user interface did indeed leave a lot to be desired. But with each revision, Mac OS X has improved dramatically. The Macintosh has become "the computer for everybody." For novices, it remains the easiest computer there is. For enthusiasts, as in the old days, there is a vast array of third party applications, utilities, and customizations, to tweak and improve the way the OS works. For hackers and programmers, there's the command line and the BSD Unix compatibility layer.

All the power, all the tools, and all the geekery of Linux is present in Mac OS X. Shell scripts, X11 apps, processes, kernel extensions ... it's a UNIX platform. It's even possible to forgo Apple's GUI altogether and run KDE. Why you'd want to is another matter. While its UNIX core is what has made Mac OS X a viable platform for hackers and programmers, it's the user interface that has made it popular.

Apple's Terminal application is perpetually running on my PowerBook, but so is iTunes, iCal, and a slew of Dashboard Widgets.

The Boot Process

In this section we will look at the startup process that most computers go through and how the fundamental operating systems get loaded and started. You will see that computers start with tiny steps that build on each other, getting larger until the entire system is loaded and running. Only then can you, the end user, issue commands that the computer interprets and understands.

One of the most popular analogies for how a computer starts up is the amnesia scenario. For a moment look around you at the things you use everyday: telephones, pencils, coffee cups, and so on. Now imagine that you closed your eyes and when you opened them you didn't recognize any of those things, and didn't know how they worked. That is what happens inside a computer when you press the reset or the power button.

At the most fundamental level, computers understand only two things: true and false. The process of getting the computer from being a completely blank state to a fully running operating system is one of the fundamental items that every investigator should understand.

After looking at how a Macintosh boots, we will look at some of the tools that are available for analyzing Macintosh systems using both the Macintosh and Windows operating systems.

The term "boot," depending on whom you talk to, came either from the old phrase, "Pulling one's self up by the bootstraps," or just from the word "bootstrap," meaning the leather tabs you use to pull on your boots. Either way it is a part of computer history and lore and is commonly used as the computer term for the initial startup of the system. All systems that are able to run Microsoft or Linux operating systems use the same boot up process. Once the computer completes this initial startup the specific operating system will load what it needs to continue. First we will look at the boot process in detail.

The Macintosh Boot Process

In this section, we will briefly examine the way an Apple Macintosh computer boots. The information here is for the Mac OS X version of their operating system using Intel based microprocessors. Older Motorola chipset Macintosh computers use a much different boot process.

OS X uses Open Firmware that is very much like the BIOS noted earlier. The Open Firmware that Apple uses in the Macintosh is based on the IEEE-1275 standard.

EFI and BIOS: Similar but Different

Just like any other computer on the market, when the power switch is activated on a Macintosh, the system goes through a Power On Self Test (POST), resets the microprocessor, and starts the execution of initialization code, which is the Open Firmware instead of BIOS.

Like the BIOS, Extensible Firmware Interface (EFI) checks the configuration of the machine and loads any device ROMs that it finds into memory. It then looks for a default boot device ... and here is where it gets interesting. There are numerous optional startup functions that EFI can perform based on user input. Single keys, known as "snag keys," can be pressed that will allow the system to boot from specific devices.

* Pressing the C key will attempt to boot from the CD/DVD-ROM drive.

* Pressing the D key will attempt to boot from the first hard disk drive.

* Pressing the N key will attempt to boot from the Network Interface Controller (NIC).

* Pressing the Z key will attempt to boot from the ZIP drive.

It is also possible to enter the EFI interactive console mode by pressing the cmd-opt-O-F key combination during power up. (Note: If you are like me and just tried this before reading on, typing mac-boot at the prompt will let the Macintosh finish booting.) You should read a good source of Open Firmware/EFI commands before trying the console mode. An excellent mirror of the Open Firmware Working Group is at http://bananjr6000.Apple.com/1275/.

The EFI program is located in the BOOT.efi file. This is the portion of the boot loading process that loads the OS X kernel and starts the user interface.


To many die-hard Macintosh users the move to OS X wasn't immediately seen as a move to the open source UNIX environment. It wasn't long before they realized their beloved Mac was now a UNIX machine. When you look at the roots of OS X, a large number of open source modules and programs were obtained from other groups including Carnegie Mellon, FreeBSD, GNU, Mach, Xfree86, NEXTSTEP, and OPENSTEP.

The OS X Kernel

In a nutshell, the real OS X is the combination of several components coming together. XNU is the actual OS X kernel name on the boot drive. It is comprised of the following modules:

* Mach: Provides the service layer to the kernel

* BSD: Provides the primary system program interface

* I/O Toolkit: Provides driver support

* LIBSA & LIBKERN: Kernel libraries

* The Platform Expert: A motherboard-specific hardware abstraction layer

* Apple I/O components: The unique Mac interfaces

Apple uses proprietary components to invoke the Macintosh look and feel to the open source products listed. Carbon, Cocoa, Quartz, OpenGL, QuickTime, and the Aqua interfaces are just a few of the unique interfaces that make the Macintosh so special.

Macintosh Forensic Software

Only recently has the Macintosh begun to be accepted in the forensic community. Listed next are just a few of the tools that can make forensics of OS X systems easier.

As with all forensic tools, the examiner should have a solid understanding of how tools work and should be able to prove by demonstration that each finding produced by the tool can be duplicated in a court of law.

BlackBag Forensic Suite

BlackBag Technologies, Inc. is one of the few providers of forensic software for the Macintosh platform. Its Macintosh Forensic Suite is a collection of 26 modules that can be launched individually or from the Forensic Suite Toolbar (see Figure 1.1).

Directory Scan

The Directory Scan utility allows you to view all the files and folders on a Macintosh volume (see Figure 1.2). A volume can be any mounted storage device, including USB or FireWire devices. All files, including invisible files, can be examined, including Data Fork/Resource Fork data sizes, Creator and Type codes, and all important date/time stamps.

You can select individual files and folders for export to a new directory for further examination as well as printing a comprehensive report on all the files viewed or selected in the main window.


FileSpy

When you need to take a quick look inside a file that has forks, FileSpy is a good tool (see Figure 1.3). This utility allows you to view either fork in a file, see the relative sizes of each fork, and move to any sector of a file directly. The utility even includes an ASCII filter to aid in file viewing.


HeaderBuilder

Because the header is a calculated portion of Macintosh files, changing or repairing a header can be time- and math-intensive using a traditional hex editor. HeaderBuilder makes this an easy task by allowing you to make the changes and then generate the CRC32 checksum and the MD5 hash of the file immediately (see Figure 1.4).
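The digests HeaderBuilder regenerates after a header edit are ordinary CRC32 and MD5 values over the whole file, and an examiner wants to be able to reproduce them independently of the tool (see the note above about demonstrating that each finding can be duplicated). The following is an added example, not BlackBag's code: it streams a file in chunks to compute both digests, regenerates them after a header patch, and compares an original against a copy. The sample file bytes are constructed here so the script runs offline; `patch_header` and `verify_copy` are names chosen for this example.

```python
import hashlib
import zlib
from typing import Dict


def digests_from_bytes(data: bytes, chunk_size: int = 4096) -> Dict[str, str]:
    """Compute CRC32 and MD5 over a byte string, consuming it in chunks the way
    a forensic tool reads a large file rather than loading it all at once."""
    crc = 0
    md5 = hashlib.md5()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        crc = zlib.crc32(chunk, crc)  # running CRC, seeded with the previous value
        md5.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest()}


def digests_from_path(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a real file on disk, read 1 MiB at a time."""
    crc = 0
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest()}


def patch_header(data: bytes, offset: int, new_bytes: bytes) -> Dict[str, object]:
    """Overwrite bytes in the header region and return the patched file together
    with its regenerated digests, mirroring the edit-then-rehash workflow."""
    if offset < 0 or offset + len(new_bytes) > len(data):
        raise ValueError("patch would fall outside the file")
    patched = data[:offset] + new_bytes + data[offset + len(new_bytes):]
    return {"data": patched, "digests": digests_from_bytes(patched)}


def verify_copy(original: bytes, copy: bytes) -> bool:
    """True only when both digests of the copy match the original; a single
    differing byte anywhere in the file makes this False."""
    return digests_from_bytes(original) == digests_from_bytes(copy)


# Constructed sample "file": an 8-byte header followed by padding, used only
# so that this example runs without touching a real Macintosh volume.
SAMPLE_FILE = b"HDR\x00\x01\x00\x00\x00" + b"\x00" * 100

if __name__ == "__main__":
    before = digests_from_bytes(SAMPLE_FILE)
    patched = patch_header(SAMPLE_FILE, 4, b"\x02")
    print("before patch:", before)
    print("after patch: ", patched["digests"])
    print("copy verifies against original:", verify_copy(SAMPLE_FILE, SAMPLE_FILE))
    print("patched verifies against original:", verify_copy(SAMPLE_FILE, patched["data"]))
```

Run it as a script to see the digests change after the one-byte patch; `digests_from_path` can be pointed at an actual file or disk image to check it against values recorded by another tool.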

Other Tools

Other utilities in the Forensic Suite include:

* Breakup: Splits large folders or files into more manageable sizes.

* Comment Hunter: Looks in the Comment fields of Mac files for keywords.

* DCFLDDassistant: Launches the Macintosh version of DCFLDD.

* File Searcher: Looks for specific filenames or Type/Creator codes.

* GraphicView: Uses the QuickTime engine to view files or movies.

* HFS Extractor: Converts image file formats (Safeback, Linux, DD, FWB).

* ImageBuster: Searches image files for keywords.

* ListBuilder: Allows you to create keyword lists in native languages (Spanish, Russian, etc.).

* LockMaster: Allows you to quickly lock or unlock a large number of files/folders.

* MacCarver: Lets you carve image files from within a container.

* PhantomSearch: Allows you to capture all the invisible files of a volume.

* Typer: A very fast little utility that shows/changes the Type/Creator for a given file.

* VolumeExplorer: HFS partition analyzer.

Carbon Copy Cloner

Mike Bombich has created a handy utility called Carbon Copy Cloner (CCC) for making backups or copies of important data on your Macintosh. It is a front-end for several less than intuitive utilities that are part of OS X.

As the name implies CCC can clone one hard disk to another when you use its default options. This copy can also be made to an image file on another drive, but it should be noted that this is not a forensic copy of the original (see Figure 1.5).

Documentation is available at the Bombich Software site: www.bombich.com/software/ccc.html.

Only Macintosh formatted volumes can be "cloned" using CCC; any other DOS or UNIX formats are not recognized in the drop-down menus. If you do not have psync installed, you can install it from the Preferences menu (see Figure 1.6).


Excerpted from OS X Exploits and Defense by Kevin Finisterre, Larry H., David Harley, Gareth Porteous. Copyright © 2008 by Elsevier, Inc. Excerpted by permission of Syngress Publishing, Inc. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Overview: The OS X operating system
Current and past threats
Malicious Code
Exploit development and research
Defense and protection
Detecting malicious code; rootkits
Protecting against exploits
Locking down services and firewall policies
Future threats and malicious advancements facing OS X
