When the Macintosh computer was new, Apple touted the fact that Macs, unlike PCs, didn’t get viruses. We know better now; Macs do get hit with malware, even ransomware. But macOS does stack more protective layers on top of its Unix foundation than Windows does, and a full system compromise is meant to require defeating each of them. That’s why security researcher Thijs Alkemade’s claim to break through all macOS security layers with one attack is such a gut punch. An excited audience of Black Hat conference attendees, both in-person and virtual, clamored to hear details about this surprising claim.
What Makes macOS So Secure?
“I’ve been a Mac user all my life,” said Alkemade. “It’s a system I know well. The early Mac platform was based on Unix. In that platform, users are security boundaries but processes are not. For files, every file has an owner, and nine flags define permissions. The root user has full access to modify all files, memory, even the kernel. That was the old model.
“System Integrity Protection (SIP) was introduced in 2015 with El Capitan,” he continued. “It put a security layer between the root user and the kernel, protecting the system from modification even by the root user. Root access is no longer enough to compromise the system. One of the other names for this system is rootless. Some people think it means Apple is going to take root away, like on the iPhone. But actually it just means that root is less powerful. Dangerous operations require entitlements, and each macOS release adds more and more restrictions.
“But…macOS is old, large, and established,” said Alkemade. “A lot of system parts were written before the security model changed. It’s not possible to reconstruct the entire system.”
He listed several techniques that could be used for process injection, but concluded that they were only incidental, each tied to one particular app or bug. “It’s much nicer to have process injection that you can apply everywhere.”
Where’s the Security Hole?
Where’s the weakness? Alkemade didn’t keep listeners in suspense. “It’s in the saved state feature,” he explained. “When you shut down, you check a box if you want an app to reopen when you start again. It even restores unsaved documents. It largely works automatically. Developers don’t have to do anything to use it, but they can extend it.”
The process of saving an app’s state is called serializing. The serialized data is encrypted on disk, but that encryption is no obstacle to someone who can write into the app’s saved-state directory, and when the app launches it deserializes the data without restricting which object types it will accept. That is what allows a clever programmer to abuse the feature. “I create a saved state using a malicious serialized object and write it to the directory of another application’s state. It automatically deserializes and executes within the other app, and can use the entitlements and permissions of that other app, achieving process injection.”
Alkemade walked the audience through the numerous barricades he encountered, and the techniques he evolved to circumvent them. He did admit, “I have to skip a few steps for time reasons and disclosure reasons.” I won’t attempt to explain the details here, as you need to be a programmer to fully grasp them. The key point is, it worked.
What Can You Do With Process Injection?
Alkemade detailed three possible uses for the exploit: escape the sandbox, escalate privilege, and bypass System Integrity Protection.
These are extraordinary claims, given those outcomes are practically the Holy Grail of hacking. Bypassing SIP in particular gives your program supreme power. “We can read email or Safari history of all users, or grant ourselves permission to use the microphone or webcam,” Alkemade explained. “Our process is now protected by SIP, which gives it powerful persistence. We can load a kernel extension without the user’s knowledge or permission.”
Alkemade proceeded to demonstrate these three hacks for the appreciative audience. Only the best Black Hat demos get their own round of applause!
Should We Worry?
This security hole is already fixed in macOS Monterey, but app developers need to do their part. “Developers can and should make apps accept only secure serialized objects,” said Alkemade. “Apple has already done that with all their apps, but existing third-party apps need to do the same.”
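To make the two halves of this concrete (the deserialization step that the attack abuses, and the "accept only secure serialized objects" fix that developers are asked to ship), here is an added Swift example of an AppKit app's state-restoration code. It is not code from Alkemade's talk or from Apple; the window controller, the `DraftNote` model, the coder keys and the bundle identifier in the path comment are hypothetical names chosen for illustration. The "before" block is the vulnerable pattern and the rest is the hardened form.

```swift
// Added example (not from the talk or from Apple). Hypothetical app classes:
// DraftNote, DocumentWindowController, AppDelegate; hypothetical coder keys.
import Cocoa

// A model object the app keeps in its restorable state. Adopting NSSecureCoding
// (rather than plain NSCoding) lets the decoder check that the archive really
// contains this class before instantiating anything.
final class DraftNote: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { true }
    let text: String

    init(text: String) { self.text = text }

    required init?(coder: NSCoder) {
        // Secure decode: only an NSString may come out of the "text" key.
        guard let s = coder.decodeObject(of: NSString.self, forKey: "text") else { return nil }
        text = s as String
    }

    func encode(with coder: NSCoder) {
        coder.encode(text as NSString, forKey: "text")
    }
}

final class DocumentWindowController: NSWindowController {
    var draft: DraftNote?

    // AppKit calls this when it snapshots the window; the result ends up in
    // ~/Library/Saved Application State/<bundle id>.savedState/ (bundle id hypothetical).
    override func encodeRestorableState(with coder: NSCoder) {
        super.encodeRestorableState(with: coder)
        coder.encode(draft, forKey: "draft")
    }

    // BEFORE (vulnerable pattern): decodeObject(forKey:) lets the archive itself
    // name the class to instantiate. Anyone who can drop a crafted saved-state
    // file into this app's directory gets the app to construct whatever classes
    // its process has loaded, with this app's entitlements and TCC permissions.
    //
    // override func restoreState(with coder: NSCoder) {
    //     super.restoreState(with: coder)
    //     draft = coder.decodeObject(forKey: "draft") as? DraftNote
    // }

    // AFTER: the archive may only yield a DraftNote here; any other class fails
    // to decode instead of being instantiated.
    override func restoreState(with coder: NSCoder) {
        super.restoreState(with: coder)
        draft = coder.decodeObject(of: DraftNote.self, forKey: "draft")
    }
}

final class AppDelegate: NSObject, NSApplicationDelegate {
    // Opting in to secure restorable state makes AppKit hand restoreState(with:)
    // a coder with requiresSecureCoding set, so even a leftover insecure
    // decodeObject(forKey:) call raises rather than instantiating arbitrary
    // classes. The delegate method is available on macOS 12 and, per the talk,
    // on the updated Catalina and Big Sur releases.
    func applicationSupportsSecureRestorableState(_ app: NSApplication) -> Bool {
        return true
    }
}

// Stand-alone check of the same distinction, runnable outside an app: the
// archive is decoded once with secure coding on and once with it off.
func decodeDraft(_ data: Data, secure: Bool) throws -> DraftNote? {
    let unarchiver = try NSKeyedUnarchiver(forReadingFrom: data)
    unarchiver.requiresSecureCoding = secure
    defer { unarchiver.finishDecoding() }
    if secure {
        // Allow-list of classes the caller is prepared to receive.
        return unarchiver.decodeObject(of: [DraftNote.self], forKey: NSKeyedArchiveRootObjectKey) as? DraftNote
    }
    // Pre-fix behaviour: whatever class name the archive carries gets resolved.
    return unarchiver.decodeObject(forKey: NSKeyedArchiveRootObjectKey) as? DraftNote
}

let sample = try NSKeyedArchiver.archivedData(withRootObject: DraftNote(text: "unsaved draft"),
                                              requiringSecureCoding: true)
print(try decodeDraft(sample, secure: true)?.text ?? "rejected")
```

The two things to carry over into a real app are the allow-listed `decodeObject(of:forKey:)` calls in every `restoreState(with:)` and `init(coder:)` path, and the `applicationSupportsSecureRestorableState(_:)` opt-in, which is what makes AppKit refuse the insecure path for the whole app rather than relying on each call site being right. Until an app returns `true` there, its saved-state directory remains a write-and-wait injection point for any local process that can reach it.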
As it turns out, this new protection isn’t just for Monterey. “I just learned that they back-ported it to Big Sur and Catalina,” said Alkemade. “The Catalina release notes are updated, but not those for Big Sur. I got a spontaneous email from Apple asking to share the contents of my talk in advance. Two hours ago I got confirmation that it’s fixed in Big Sur, though I haven’t had time to verify it.”
“Apple keeps adding layers to macOS,” concluded Alkemade. “Adding new layers to an established system is hard, so code written 10 or more years ago is today’s attack surface. More layers may not increase the effort for attackers, not if you can use the same bug to bypass all of them.”