"Broken isolation - draining your credentials from popular macOS password managers"
In theory, theory and practice are the same. In theory, all modern macOS applications must be isolated, which is enforced by notarization and sandboxing. In practice, these enforcements are usually ineffective. This talk starts by explaining the basic isolation assumptions and quickly shifts to exploitation. I have selected a few of the most popular macOS password managers, written in different technologies, to show how low-privileged malware can abuse various tricks and 0/n-day vulnerabilities to drain your credentials. During this talk you will:
- learn how macOS hardened runtime, sandboxing, and TCC app management privilege work
- see 0/n-day vulnerabilities and architectural problems I have found in popular macOS password managers
- understand why software distributed via websites is sometimes more secure than from the Apple Mac App Store
- see my exploits and a lot of demos
After the talk, the audience should be able to explain the (in)security of macOS isolation mechanisms, check their password managers for the presented vulnerabilities, and effectively support their macOS blue/red teams.
"Walking the path: addressing real-world threats with ADR"
An effective application security program focuses on applying the right tools and processes at the right moment. But you will need to rethink your security strategy beyond shift-left practices: while identifying and fixing vulnerabilities early in development, before deploying to production, is essential, it is simply not enough. The reality is that vulnerabilities inevitably make it into production. Many security programs overlook how to deal with attacks against the vulnerabilities that were missed. Application Detection and Response (ADR) fills this critical gap by providing real-time visibility into running applications and the ability to block attacks on vulnerabilities in your production applications.