Getting Cozy With OpenBSM Auditing On MacOS

0xdade via YouTube

Overview

This course aims to teach learners about OpenBSM auditing on macOS. By the end of the course, students will understand the goals, capabilities, and components of OpenBSM, and be able to build user-mode monitoring utilities using the OpenBSM framework and APIs. The course covers topics such as auditing mechanisms, kernel bugs, and exploiting vulnerabilities. The intended audience includes security professionals, macOS enthusiasts, and individuals interested in learning about auditing and monitoring on macOS.

Syllabus

Announcements
Trivia
Introduction
What is auditing
Why are we talking about auditing
Mac security tools
Auditing mechanisms
FS events
FS events example
kadiebug
subscribe
DTrace
OpenBSM
Audit Commit
Audit Control Files
Audit Logs
What's Next
Security Tools
Conceptual Overview
Connecting to the Audit Pipe
Configuring the Audit Pipe
Reading Data
Tokenization
Tokenization Example
Process Info Library
OpenBSM Auditing
Kernel Panic Log
Disassembly
Kernel Panic Diagram
Off-By-One Read
Kernel Information Leak
How Apple Patched
Kernel Bug
Create Null Terminator
Debugging
Mapping Register Values
BCopy
Heap Overflows
Kernel Heap Overflows
Recap
Look for bugs in betas
Python script
Max Security
kernel panic

Taught by

0xdade
