ℹ️ Note that talks are scoped to Apple security topics, such as:
⚙️ OS internals
🦠 Malware analysis
🛠️ Tool making & breaking
🐛 Bug discovery & exploitation
The conference CFP is now closed 🙅🏻‍♂️
Mahalo for the many, many quality CFP submissions, which the CFP committee is now busily reviewing.
The selected talks for #OBTS v5.0 will be announced shortly!
In short, unsigned, non-notarized script-based applications would be allowed if their script did *not* specify an interpreter! 🤯🤣
Meaning attackers could trivially bypass a myriad of foundational macOS security mechanisms via:
#!
<any malicious commands>
The issue begins in user-mode, where xpcproxy invokes posix_spawnp to launch the interpreter-less script-based application.
This initially errors out (no interpreter → ENOEXEC), but then posix_spawnp "recovers" and (re)executes the script ...this time directly via /bin/sh:
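As an added example (not code from the original thread), here is a defender-side check for the condition described above: it classifies a bundle's main executable as a Mach-O binary, a script with an explicit interpreter, or a script whose shebang line names no interpreter (the case where the interpreter lookup fails with ENOEXEC and posix_spawnp falls back to /bin/sh). The bundle layout, file names and sample file contents are constructed for illustration; the Mach-O magic values are the standard ones.

```python
"""Flag script-based macOS app executables whose shebang names no interpreter.

Added example, not code from the original thread. Bundle layout and sample
contents below are constructed for illustration.
"""
import os
import tempfile
from typing import Optional

# Standard Mach-O magics (32/64-bit, both byte orders) plus the fat/universal magic.
MACH_O_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def shebang_interpreter(data: bytes) -> Optional[str]:
    """Return the interpreter named on a shebang line.

    "" means the line is a bare "#!" (no interpreter at all);
    None means the file does not start with "#!".
    """
    if not data.startswith(b"#!"):
        return None
    first_line = data.split(b"\n", 1)[0][2:]
    # Tolerate CRLF files and blanks after "#!" ("#! /bin/sh" is valid).
    first_line = first_line.rstrip(b"\r").strip()
    # The kernel takes everything up to the first whitespace as the interpreter path.
    interpreter = first_line.split()[0] if first_line else b""
    return interpreter.decode("utf-8", "replace")


def classify_executable(data: bytes) -> str:
    """Classify the first bytes of a main executable.

    'mach-o'           native binary
    'script'           script with an explicit interpreter
    'script-no-interp' bare "#!" line: the case that fell through the checks
    'unknown'          anything else
    """
    if data[:4] in MACH_O_MAGICS:
        return "mach-o"
    interpreter = shebang_interpreter(data)
    if interpreter is None:
        return "unknown"
    return "script" if interpreter else "script-no-interp"


def scan_bundle(bundle_path: str) -> dict:
    """Classify every regular file under <bundle>/Contents/MacOS."""
    macos_dir = os.path.join(bundle_path, "Contents", "MacOS")
    results = {}
    if not os.path.isdir(macos_dir):
        return results
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                # Only the first line matters for the shebang check.
                results[name] = classify_executable(fh.read(4096))
    return results


# Constructed samples standing in for a bundle's main executable.
SAMPLE_NORMAL_SCRIPT = b"#!/bin/sh\necho hello\n"
SAMPLE_BARE_SHEBANG = b"#!\necho payload\n"
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 12


def demo() -> dict:
    """Classify the three constructed samples."""
    return {
        "normal": classify_executable(SAMPLE_NORMAL_SCRIPT),
        "bare": classify_executable(SAMPLE_BARE_SHEBANG),
        "macho": classify_executable(SAMPLE_MACHO),
    }


def build_and_scan_sample_bundle() -> dict:
    """Write a throwaway .app layout (constructed) into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "Sample.app")
        macos_dir = os.path.join(bundle, "Contents", "MacOS")
        os.makedirs(macos_dir)
        with open(os.path.join(macos_dir, "Main"), "wb") as fh:
            fh.write(SAMPLE_BARE_SHEBANG)
        with open(os.path.join(macos_dir, "helper"), "wb") as fh:
            fh.write(SAMPLE_NORMAL_SCRIPT)
        return scan_bundle(bundle)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
    print(build_and_scan_sample_bundle())
```

Point scan_bundle at any .app directory; a 'script-no-interp' verdict for the bundle's main executable is the pattern worth alerting on, since a legitimately packaged script names its interpreter.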
Themes of interest are 🍎-security topics, such as:
⚙️ OS internals
🦠 Malware analysis
🛠️ Tool making & breaking
🐛 Bug discovery & exploitation
The majority of Mac infections are "user-assisted", which Apple combats via:
✅ Notarization
✅ Gatekeeper
✅ File Quarantine
...these have proven problematic for attackers
But oops, this bug sidesteps all, allowing unsigned (unnotarized) items to be launched ...with no alerts!