Getting started in macOS security
Many people have asked me where to start learning about macOS security or exploitation, and which trainings or books out there can help with this topic. Surprisingly, there is good coverage of macOS internals and defense, much of it recent, whereas for exploitation everything is 9+ years old. If you are interested in offensive macOS research, you are stuck with blog posts and conference talks.
I thought I would try to collect some resources that can help people get started in this field.
Training
There are two different classes for macOS internals and one for forensics.
One is offered by Stefan Esser and is called iOS and MacOS Kernel Internals for Security Researchers; as the name suggests, it focuses on macOS kernel internals.
The other was created by Jonathan Levin / Technologeeks and covers OSX and iOS internals and security more broadly. Although it is no longer offered live, an online version should come out shortly.
SANS has a Mac & iOS Forensic Analysis & Incident Response Training | SANS FOR518, which was created by Sarah Edwards.
Books
As with the trainings, there are not really any books about macOS exploitation. There are two, but they are rather dated. The rest are mostly programming guides or cover macOS internals. All of them, except Levin's new series, are dated, but that doesn't mean there is no useful information in them.
When it comes to defense, there are two free ebooks about macOS malware, which are up to date! This is pretty good considering how old everything else is.
Here follows a list that I think can be useful for security:
Internals
- Amit Singh - Mac OS X Internals: A Systems Approach - The first(?) book about OSX internals, released in 2006. It's rather old, but some older items that are still relevant today are documented here. It also contains many source code samples, so it can be a useful go-to resource.
- Jonathan Levin - Mac OS X and iOS Internals: To the Apple's Core - Jonathan Levin's first book about *OS internals. It's also dated, but sometimes still relevant, and some items are better explained here than in the new books, or at least I found it easier to read sometimes. It's available for free from the author's website: MOXiI.pdf
- Jonathan Levin - *OS Internals Vol I-II-III - The most current books about *OS internals, up to date through macOS Catalina. This is a must-have series for anyone who is serious about the subject.
- Apple Platform Security - Apple’s own page about the security of their platform
Exploitation
- Charlie Miller, Dino Dai Zovi - The Mac Hacker's Handbook - The only book dedicated to OSX exploitation. It was released in 2011, so it's rather old and not so relevant anymore. It can still be useful for a limited amount of information.
- Enrico Perla, Massimiliano Oldani - A Guide to Kernel Exploitation: Attacking the Core - Deals with kernel exploitation of OSX Leopard, which was ages ago. The concepts are not relevant in modern-day macOS, but it could be a good start for an intro to macOS kernel exploitation.
Malware & DFIR
- Phil Stokes - How To Reverse Malware on macOS Without Getting Infected - A new, free ebook about analyzing malware on macOS.
- Patrick Wardle - The Art Of Mac Malware - Another free ebook about analyzing macOS malware, more detailed than the other one.
- Jaron Bradley - OS X Incident Response - 1st Edition - The only book to cover incident response and forensics.
Programming
- Ole Henry Halvorsen, Douglas Clarke - OS X and iOS Kernel Programming - It's a developer book, but a very useful resource for macOS kernel programming.
- Graham J Lee - Professional Cocoa Application Security - A book for developers about secure coding. As it's from 2010, it's also old, but it can still be a good resource for certain topics or for better understanding why some apps work the way they do.
Reverse engineering
- Derek Selander - Advanced Apple Debugging & Reverse Engineering - A book about debugging and tracing applications.
Blogs
I have found that the following people consistently publish awesome blog posts on macOS internals or security.
- Patrick Wardle (@patrickwardle) - Objective-See Blog
- Pedro Vilaça (@osxreverser) - Reverse Engineering
- Howard Oakley (@howardnoakley) - The Eclectic Light Company – Macs, painting, and more
- Jeff Johnson (@lapcatsoftware) - The Desolation of Blog
- Wojciech Reguła (@_r3ggi) - IT Security blog
- Scott Knight (@sdotknight) - Reverse engineering and debugging.
- Zhi Zhou (@CodeColorist) · Final Lullaby
- Kai Lu (@K3vinLuSec) - Fortinet’s macOS posts
- Jaron Bradley (@jbradley89) - The Mitten Mac – Mac Incident Response and Threat Hunting
- Cody Thomas (@its_a_feature_) – Medium
- Adam Chester (@_xpn_) - InfoSec Blog
- Alex Plaskett (@alexjplaskett) - Random Security Research
- George Johnson (@GeoSn0w) – Programmer. Hacking stuff. Failed ordinary man.
- Harry Moulton (@h3adsh0tzz) - Blog
- Sarah Edwards (@iamevltwin) - mac4n6
- Saagar Jha - Blog
- LockBoxx (@1njection) - macOS Post Summary
- Brandon Azad (@_bazad) - security blog
- Google Project Zero Bug Tracker - Apple
- Cedric Owens (@cedowens) – Medium
- Christopher Ross (@xorrior) – Medium
- Richie Cyrus (@rrcyrus) – Medium
- Thomas Reed (@thomasareed) - Malwarebytes Labs
- Phil Stokes (@philofishal) - SentinelOne
- Jakob Rieck (0xdead10cc) - Blog
- Csaba Fitzl (@theevilbit) - Blog
Conference Talks and Papers
@osxreverser maintains an awesome collection of papers and conference talks on his website: macOS · Papers, Slides and Thesis Archive
Although it’s covered in Pedro’s collection, I still want to highlight the Objective By The Sea conference, which is entirely dedicated to macOS security.
Apple
Apple's own developer documents can also be very useful, especially the older ones. These are also dated, yet still a very valuable resource. Apple Documentation Archive
Part of the XNU kernel is open sourced by Apple, which is also an invaluable resource. Apple Open Source
I hope these resources can help people get started and answer the question I get asked so frequently. It's probably far from complete, and sorry if I missed anyone. If you know of a good resource, let me know and I can update this list.