Anti Forensics techniques for OSX (Vincenzo Blackhat DC)

Vincenzo Lozzo gave a talk titled "Let your Mach-O Fly" in Blackhat DC 2009, detailing an attack using which it could be possible for a hacker to make digital forensics on a compromised OS X machine very difficult. The attack which relies on an in-memory injection technique allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised. However, the pre-requitiste for this attack is that the attacker must first have a reliable exploit in common applications such as Safari, iTunes etc. In his paper, Vincenzo writes that even though OS X's address space layer randomization was designed with the intention of thwarting in-memory injection attacks, an attacker can still bypass this protection by tracing the "dynamic linker" on the platform. Interestingly, as the dynamic linker always has the same loading address, it can be used to figure our the offsets where the other libraries needed for a given attack are loaded.

The detailed white paper about the entire attack is available here. The video below shows Vincenzo do a demo of the attack.

Related Videos from: Blackhat 2009 Attacks


Defeating SSL using SSLStrip (Marlinspike Blackhat)	Attacking Intel Trusted Execution Technology (Wojtczuk Rukowska)	You are Viewing this Video Now!	Making Money on the Web the Blackhat Way	Attacking Internet Backbone Technologies (Blackhat 2009)
22194 views	2416 views	3659 views	3863 views	2740 views

Author