BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Getting a Migraine - uncovering a unique SIP bypass 
 on macOS\n   When: Friday\, Aug 11\, 14:30 - 15:15 PDT\n   Where: Caesars 
 Forum - Forum - 130-134 - Track 3 - [1]Map\n   Speakers:Anurag Bohra\,Jona
 than Bar Or\,Michael Pearse\n\n   SpeakerBio:Anurag Bohra \, Security Rese
 archer at Microsoft\n   Anurag Bohra is a Security Researcher 2 at Microso
 ft focusing on macOS\n   security. His interests include Reverse Engineer
 ing\, Malware\n   Analysis\, Vulnerability Research\, hardware security an
 d also loves\n   building tools on the same.\n\n   SpeakerBio:Jonathan Bar
  Or \, Security Researcher at Microsoft\n   Jonathan Bar Or ("JBO") is a P
 rincipal Security Researcher at\n   Microsoft\, working as the Microsoft D
 efender research architect for\n   cross-platform. Jonathan has rich exper
 ience in vulnerability\n   research\, exploitation\, cryptanalysis\, and o
 ffensive security in\n   general.\n   Twitter: [2]@yo_yo_yo_jbo\n\n   Spea
 kerBio:Michael Pearse \, Security Researcher at Microsoft\n   Michael Pear
 se started out as an embedded developer for anti-ICBM\n   missiles. Michae
 l got into reversing by trying to understand how\n   counterstrike works a
 nd the underlying mechanics of C++. In his\n   vulnerability research jour
 ney\, Michael started with home routers\,\n   worked his way up to indus
 tri
 al devices\, and eventually found and\n   exploited local priv escalations
  for Windows.\n\n   Description:\n   System Integrity Protection (SIP) is 
 a macOS technology that limits\n   the capabilities of the root user\, mos
 t notably - it maintains the\n   integrity of the operating system by prev
 enting loading of untrusted\n   kernel extensions and protecting sensitive
  filesystem locations.\n\n   In this talk we will uncover a method to bypa
 ss SIP and create\n   undeletable malware that can later load arbitrary ke
 rnel extensions.\n   We will explain our methodology\, detail our exploita
 tion strategy and\n   the reverse engineering involved. Lastly\, we will e
 xplain how to look\n   for similar SIP bypasses and outline a generic dete
 ction strategy for\n   Blue Teams.\n\n   REFERENCES\n         [3]https://o
 bjective-see.com/blog/blog_0x14.html [4]https://cve.mitre.org/cgi-bin/cven
 ame.cgi?name=CVE-2020-9771\n         [5]https://www.theregister.com/2016/0
 3/30/apple_osxrootless/ [6]https://www.microsoft.com/en-us/security/blog/2
 021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-by
 pass-system-integrity-protection/\n         [7]https://jhftss.github.io/CV
 E-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/\n\n   '\n\n   1. #C
 aesarsForumBR\n   2. https://twitter.com/yo_yo_yo_jbo\n   3. https://objec
 tive-see.com/blog/blog_0x14.html\n   4. https://cve.mitre.org/cgi-bin/cven
 ame.cgi?name=CVE-2020-9771\n   5. https://www.theregister.com/2016/03/30/a
 pple_osxrootless/\n   6. https://www.microsoft.com/en-us/security/b
 log/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-cou
 ld-bypass-system-integrity-protection/\n   7. https://jhftss.github.io/CVE
 -2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/\n\n\n
DTEND:20230811T221500Z
DTSTART:20230811T213000Z
LOCATION:DC - Caesars Forum - Forum - 130-134 - Track 3
SUMMARY:Getting a Migraine - uncovering a unique SIP bypass on macOS
END:VEVENT
END:VCALENDAR
