Black Hat USA 2018 in Las Vegas is coming soon. In the Arsenal event, Fortinet researcher Kai Lu will present and showcase an application behavior monitoring tool for researchers named FortiAppMonitor for macOS. The introduction and schedule of this session can be found here.
For security professionals on macOS, a powerful application behavior monitoring tool is required to ensure their analysis of macOS applications (especially malicious applications) is more efficient and effective. Even for normal macOS users, a simple and user-friendly application behavior monitoring tool is very helpful to quickly capture the behaviors of applications and understand what they do. For this purpose, Fortinet designed and developed a tool named FortiAppMonitor for macOS.
To analyze applications for security purposes, we usually care about the application's behaviors: process operations such as process execution, file system operations such as file creation, network communications, dynamic library loading, and kernel module loading. FortiAppMonitor provides the functionality needed to monitor all of these, as follows:
Monitor Process Execution and Exit
FortiAppMonitor can monitor the execution and termination of processes, as shown in Figure 1.
Process execution is monitored using MACF (Mandatory Access Control Framework). MACF is the substrate on top of which all of Apple's security mechanisms in both macOS and iOS are implemented.
Process exit is monitored using kqueue, which is a scalable event notification interface in macOS.
Monitor File Operation
FortiAppMonitor can monitor file operations such as file open, read, write, rename, and delete operations, as shown in Figure 2.
File operations are also monitored using MACF.
Monitor Network Communication
FortiAppMonitor can monitor network communications over both IPv4 and IPv6, as shown in Figure 3.
Network communications are monitored using Socket Filter, which is a powerful mechanism that enables the interception of network and IPC traffic in the kernel’s socket layer.
Monitor .dylib Loading
FortiAppMonitor can monitor the loading of .dylib files, as shown in Figure 4. A .dylib file is a dynamic library that an application loads at runtime in order to perform certain functions on an as-needed basis.
.dylib file loading is also monitored using MACF.
Monitor KEXT Loading and Unloading
FortiAppMonitor can monitor the loading/unloading of kernel extensions (KEXTs), as shown in Figure 5. A kernel extension is a dynamically loaded bundle of executable code that runs in kernel space. Developers create KEXTs to perform low-level tasks, such as device drivers, that cannot be performed in user space.
KEXT loading/unloading is also monitored using MACF.
For the detailed techniques used to implement these functionalities, you can read the following blogs authored by Kai Lu before his presentation.