[ShmooCon 2016] Gatekeeper Exposed; Come, See, Conquer

[ShmooCon 2016] Gatekeeper Exposed; Come, See, Conquer

Gatekeeper is an anti-malware feature baked directly into OS X. Its single goal is to block the execution of untrusted code from the internet. Apple boldly claims that because of Gatekeeper, both trojans and tampered downloads are generically blocked. So hooray! Mac users are all secure…right? Well, perhaps not :/

Until now, there has been little technical information about Gatekeeper’s closed-source internals. This talk seeks to remedy this by exposing the inner workings of Gatekeeper and more broadly, delve into the concept of quarantined files. We’ll also discuss architectural limitations of Gatekeeper (CVE 2015-3715, CVE-2015-7024), which were discovered during my reversing efforts. Both vulnerabilities could trivially be abused to allow for the execution of malicious unsigned binaries from the internet. In other words; complete Gatekeeper FAIL.

As all reported issues are now patched, this provides an opportunity for some ‘patch analysis’ to determine if the underlying causes were fully addressed. Finally the talk will conclude by illustrating how such bypasses could have been fully and generically thwarted from day one.


patrick wardle

January 17, 2016