
Long time no hear, huh? Bear with me. Let me tell you what happened!

This is not a war journal - actually in this post I will share a lot of content, especially regarding macOS hardening.

Prologue

Lately I changed my MacBook, for non-technical reasons: that machine still kicks serious ass! And it looks like the last ass it kicked was actually mine.

I never clone a machine onto another. I don’t do it for phones, I don’t do it for appliances, and given that computers are my primary working tools, rest assured: I would not do it for computers either!

It turns out that building my machine took almost a week. I am not happy with the result yet, but we’re steadily - and slowly! - getting there.

In this post, I will tell you what I did and how I did it.

Introduction - the Old Man (in Black) talking

I have been around long enough to see the concept of Information Security evolving in a very fascinating manner.

When I started (yes, this is the “old man talking” part) there was this so-called “Chinese wall” model (or “perimeter security”, for the younger crowd): whatever was within the boundary of your “premises” (back then, really physical premises; later they became virtual premises) was somehow “safe” and “trustworthy”. The rest was pure evil.

That model simply does not fit today’s cloud-based architectures. When that model was envisioned, there were no social media (which I profoundly despise. But you gotta be on social media, somehow). At that time, cybercrime was not the most lucrative (and, up to an extent, the safest) form of crime around.

Today’s structure looks more like a Möbius strip instead: a geometrical locus that has no “inside” nor “outside”. The maths around this is wonderful, but this is not the right place to discuss it. Unfortunately, because I love maths. Mainly, because it makes people cry.

The old “fortification” mindset cannot stand - and probably it couldn’t even survive back then, being an over-simplification! What we need is not a wall: it’s depth.

The myth of perfect security

Ok, let’s start rough. Repeat after me:

P E R F E C T   S E C U R I T Y   D O E S   N O T   E X I S T

Are you convinced? If not, read it again.

Really. If you’re convinced that a dynamic system (i.e. your security posture) interacting with a dynamic environment (the threats to your security posture) within the boundaries of factual constraints (budgets, revenues, but also “presence”, just to name a few) can reach an equilibrium, you’re a vibrant model of naive optimism that’s going to crash on the rocks of reality before you can say “Perfect security does not exist”.

Is someone trying to sell you such a thing? Good, this is a perfect filter - avoid that someone!

In practical terms, everything can be bypassed, given an adequate amount of time, knowledge, and money. Every configuration is prone to failure. Accept that, it’s easier.

Ask yourself: what is the cost if my assets are compromised? How large a part of my data/information can I lose before being out of business? Chances are you can afford to have some data compromised — but your estimate of “some” is more generous than reality. Humans tend to be optimistic. I am a proud inhuman Cassandra disciple, as a matter of fact.

Threat modelling for humans

Threat modelling is a phase of risk assessment, and like all risk-related processes, it is easy to understand and quite hard to apply.

There is a conspicuous literature explaining threat modelling; some books are good (e.g. Probabilistic Risk Analysis: Foundations and Methods, or the Fault Tree Handbook), but the largest part is just wasted celluloid.

If a consultant starts a risk assessment by obsessing over BIAs, walk away. As a former CISO: a BIA is the best way to delegate the responsibility to someone else, so a consultant who starts with that is a snake oil seller 9 cases out of 10.

So, how can we do something that resembles threat modelling without snake ointment on our fingers? With good old common sense.

You want to know:

  • what am I protecting?
  • who can attack me?
  • value vs cost: what is the value they are after, and what does it cost them to attack me?

As you can see, the answers are very business-dependent. My threat model is very different from Snowden’s, obviously. But it may be radically different from yours, too.

So, as a matter of fact, the vast majority of us won’t need to protect ourselves from Mossad or the NSA, therefore let’s do a simple analysis: my case.

  • I develop software: I want to have my Intellectual Property (IP) protected
  • I am trying to build an image: I want it to be protected (let’s force the language and call this Public Image Protection, PIP)
  • I have servers and VPS, and I want them to be protected and accessible (forcing the language once again, I want to protect their IP Addresses and Contents: IPC)
  • I want to protect my personal data and my behaviours whilst using the internet (here I don’t have an IP protection for you, sorry…)

So, to begin with, the surface I want to protect is:

  • My Intellectual Property
  • Some VPS
  • My Private Data
  • My Public Image

The following table should be quite easy to understand:

| Asset to protect | Threat Agent | Perceived risk | Value/Cost |
| ---------------- | ---------------- | -------------- | -------------- |
| My private code | Other coders? | Very low | Medium/Medium |
| My private code | Cyber criminals | Medium | High/High |
| My VPS | Cyber criminals | Medium | Very High/High |
| My VPS | Competitors | Very low | High/High |
| My Laptop | Cyber criminals | High | High/Low |
| My Laptop | Criminals | High | High/Low |
| My Laptop | Physical damages | Low | Null/Null |
| Public image | Time¹ | Very high | Low/Null |
| Public image | Competitors | Medium | High/Low |
| Public image | Detractors | Medium | High/Low |
| Behaviours | Trackers | Very high | High²/Low |
| Behaviours | Social networks | Very high | High/Low |
| Behaviours | Search engines | Very high | High/Low |

Please observe that the above are families of risks rather than precise, punctual risks. For instance, I can further refine:

Physical damages

| Threat agent | Scenario | Perceived risk |
| ----------------------- | ------------------------------------------------------------------------------------------------------------ | ---------------------------------------------- |
| Force of gravity | Newton hates me, therefore invents something to destroy my tools. The laptop magically falls from the desk | High. Newton hates me with a passion. |
| The Illy Coffee Company | These guys know I drink Nespresso’s and hence they pour cups of fuckoffee on my keyboard while I am away | High. Illy perceives me as a traitor of Italy. |

Excerpts of my threat modelling

  • Software
    • information loss due to technical issues
    • information loss due to myself (you cannot imagine how often I screw up…)
    • information theft
  • Public image
    • customer’s data exfiltration
    • my websites being hacked
  • Laptop
    • Accidents
    • Laptop Loss
    • Laptop Stolen
  • My personal data
    • My preferences being gathered without my consent
    • Tracking

My list is quite long - in theory. Then I end up acting on the same 5 to 10 items.

Defence in depth - the philosophy

While above I roasted tie-dye consultants speaking of BIAs, experience has led me to respect those speaking about Defence in depth, or Layered defence.

The idea is: a security control can fail. A system must not. Achieving this is easier than it seems.

An example: protecting against malware

Let’s explain this with an example I won’t treat in detail: anti-malware. Clearly, nobody installs two antiviruses - and in fact, in general it is not even possible: you would end up having two similar pieces of software competing for the same resources, possibly at the same time. It’d be the perfect recipe for a disaster. Many antiviruses have great uninstallers for their competition. Great :)

So, in this example, how would you apply the idea of layered defence? Stack up:

  • your favourite antivirus running on your machine
  • VirusTotal: whenever you download from promiscuous websites, upload the files to virustotal.com at the same time
  • perhaps you may want to set up a dedicated virtual machine to go promiscuing in those promiscuous websites. Linux/FreeBSD are a great choice for that, and also have good tools to detect dangerous content
  • your experience. Years ago I wanted to do an experiment: publish an unprotected machine running Windows XP on the greater internet, to see how long it would survive without infections. 4 months. Then the disk died.

So, if you define:

| Event | Likelihood | Example |
| ----------------------------------------------------- | ---------- | ------- |
| Antivirus does not detect a specific malware | 1/a, a>1 | 1/10 |
| VirusTotal unreachable | 1/b, b>1 | 1/10 |
| Linux/FreeBSD host does not detect a specific malware | 1/c, c>1 | 1/10 |
| You’re drunk while operating your system | 1/d, d>1 | 1/10 |

the likelihood of a successful malware attack would become (1/10)^4, three orders of magnitude less than the level of security of a single layer of protection. You do the math.
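The math above, carried through as an added example (not code from the original post). The figures are the constructed 1/10 values from the table; the product only holds when the layers fail independently, so the example also shows the caveat of a layer whose failure switches the others off (the drunk operator who simply disables the antivirus), which is an assumption of mine, not a claim of the post.

```python
from math import log10, prod

# Constructed per-layer failure probabilities (1/a, 1/b, 1/c, 1/d from the table).
LAYERS = {
    "antivirus misses the sample": 1 / 10,
    "VirusTotal unreachable": 1 / 10,
    "Linux/FreeBSD host misses the sample": 1 / 10,
    "operator is drunk": 1 / 10,
}


def residual_risk(fail_probs):
    """Probability that every layer fails at once, assuming independent failures."""
    return prod(list(fail_probs))


def orders_of_magnitude_gained(fail_probs):
    """Decimal orders by which the stack beats its single weakest layer."""
    probs = list(fail_probs)
    return log10(max(probs) / residual_risk(probs))


def residual_risk_with_bypass(bypass_prob, other_fail_probs):
    """Caveat: a layer whose failure neutralises the others is not independent.
    Its failure alone lets the malware through, so it adds to (rather than
    multiplies with) the residual risk of the remaining stack."""
    return bypass_prob + (1 - bypass_prob) * residual_risk(other_fail_probs)


def report():
    independent = residual_risk(LAYERS.values())
    gain = orders_of_magnitude_gained(LAYERS.values())
    # Treat the drunk operator as a bypass of the three technical layers.
    technical = [p for name, p in LAYERS.items() if name != "operator is drunk"]
    correlated = residual_risk_with_bypass(LAYERS["operator is drunk"], technical)
    return independent, gain, correlated


if __name__ == "__main__":
    independent, gain, correlated = report()
    print(f"independent layers: {independent:.4g} ({gain:.0f} orders gained)")
    print(f"operator bypasses the stack: {correlated:.4g}")
```

The second number is the one to remember: when one layer can disable the rest, the stack is only as good as that layer, which is why the operational layer sits in the strategy list below.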

General strategy

I will write a dedicated post in this series, given the importance of the topic. However, for the love of completeness…

  1. Each layer can fail. The system shall not
  2. Network layer: filter the threats before they become a problem
  3. Application layer: be prepared to lose data, but not everything: backups
  4. Application layer: be prepared to lose data, but not everything: compartmentalisation
  5. Secrets: if someone is successful at breaking through in your machine, then let fetching your data be their nightmare: plausible deniability!
  6. Secrets: if someone is successful at stealing your data, then let it be useless: strong crypto to kick their balls!
  7. Operational layer: don’t drink and drive. Don’t be stupid whilst tapping on your keyboard.

The pragmatic compromise

The voice of the pentester who used to be a CISO (yes, I climbed up the tree, then I found that hanging with other monkeys was boring, and I came back to hacking!):

Security can be a pain in the ass

Really, I know security guys who have setups that outdo those of professional hackers or spies.

Then you ask them to check a price of a book on Amazon. No answer. Not because they don’t want to, but because they cannot.

Security must be an enabler, not an obstacle. Forbidding something is never clever, it’s better to manage and to secure that thing… nevertheless this requires experience, work, resources — and sadly, trade-offs.

The best approach, for me, is not to be invulnerable, but to be harder to attack than others. You know the saying “I don’t need to outrun the bear, I need to outrun you”? Well, that’s true on the Internet as well. Consider that a large part of attackers are lousy script kiddies who run scripts: they aren’t very skilled and they cannot mount intricate attacks. If you are harder to attack than someone else, they will attack someone else.

That’s what I want to teach you. To achieve a solid security posture, but not at the price of a granitic, stagnant machine.

Spoiler: what’s next:

  • Network layer: DNS, proxy, VPN, other wicked stuff.
  • Browser compartmentalisation, cookie management: become the trackers’ nightmare.
  • Multi-factor authentication, secrets, passkeys.
  • Compensative controls.
  • What I don’t do (and you shouldn’t either!): how to avoid silly show-offs.

1. With age I become old and ugly. Seriously: I just wanted to show that inanimate entities can also be a threat agent.

2. It turns out that my behaviours are kind of interesting for these suckers. I will write something about it, sooner or later.