Is Yosemite less vulnerable to rootkits ?

Discussion in 'OS X Yosemite (10.10)' started by AntoineLec, Aug 20, 2014.

  1. AntoineLec macrumors newbie

    Joined:
    Jul 31, 2012
    #1
    In a thread (somewhere else) about rootkits, somebody affirmed that it would be harder on Yosemite to mess with the system like malicious kext can do. Have there been some modifications on the kernel or the module system that make it actually harder to load a kernel extension that would, for example locate SYSENT and hook system call, or locate system calls and insert a jump at the beginning to a portion of code the attacker control, or was it a gratuitous remark ?
     
  2. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
    Yosemite implements kext signing that would make it more difficult to hack. You can read a bit about it here.
     
  3. grahamperrin macrumors 601

    grahamperrin

    Joined:
    Jun 8, 2007
    #3
    Exploring Yosemite: Abusing Mac OS X 10.10

    Found whilst drafting a roundup under Apple's OS X 10.10.2 to Fix Security Vulnerabilities Exposed by Google's Project Zero:
    Abstract:

    Mac OS X 10.10 Yosemite is going to be released soon. It brings lots of new features as well as security improvements. In the fist part of the talk, we are going to review these improvements from both defensive and offensive perspectives: what problem it solved, what issues it brought up, and what tricks still work.
    In the second part, we will try several ways to abuse Mac OS X 10.10, and show you running malware and even rootkit is not a problem. A number of new offensive techniques will be introduced, including kernel mode and user mode, for example, loading a unsigned kernel module without warnings, manipulating kernel objects (rootkit) to evade detection, very stealthy techniques to launch malware, etc. All of the tricks were tested on Mac OS X 10.10.

    Not only the offensive side, we are going to release a security tool in this talk as well. A comprehensive rootkit and abnormality scanner, we call it SVV-X (System Virginity Verifier for Mac OS X 10.10). The tool covers not only basic checks, such as hooks on syscall table, mach trap, IDT table, critical data verification, kernel code integrity, and it also checks many user mode tricks.Attacking Mac OS X has become a trend as we see more and more malware with advanced attack techniques on Mac OS X. In order to gain persistent control and avoid detection, malware have started to adopt rootkit tricks.​

    Related

    Trend Micro: OSX has the most vulnerabilities. (2012-04-24)

    OS X 10.10.2 Includes Fix for 'Thunderstrike' Hardware Exploit Affecting Macs (2015-01-26)
     

Share This Page