Threat Research

Tool Showcase at Black Hat USA 2018 - FortiAppMonitor

By Fortinet | August 06, 2018

Black Hat USA 2018 in Las Vegas is coming soon. In the Arsenal event, Fortinet researcher Kai Lu will present and showcase an application behavior monitoring tool for researchers named FortiAppMonitor for macOS. The introduction and schedule of this session can be found here.

For security professionals on macOS, a powerful application behavior monitoring tool is required to ensure their analysis of macOS applications (especially malicious applications) is more efficient and effective. Even for normal macOS users, a simple and user-friendly application behavior monitoring tool is very helpful to quickly capture the behaviors of applications and understand what they do. For this purpose, Fortinet designed and developed a tool named FortiAppMonitor for macOS.

To analyze applications for security purposes, we usually care about the application’s behaviors, including process operations such as process execution, file system operations such as file creation, network communications, dynamic library loading, and kernel module loading, etc. FortiAppMonitor provides all the functionality needed to monitor them, as follows:

Monitor Process Execution and Exit

FortiAppMonitor can monitor the execution and termination of processes, as shown in Figure 1.

Figure 1. Monitor Process

Process execution is monitored using MACF (Mandatory Access Control Framework). MACF is the substrate on top of which all of Apple’s securities in both macOS and iOS are implemented. 

Process exit is monitored using kqueue, which is a scalable event notification interface in macOS.

Monitor File Operation

FortiAppMonitor can monitor file operations such as file open, read, write, rename, and delete operations, as shown in Figure 2.

Figure 2. Monitor File System

File operations are also monitored using MACF. 

Monitor Network Communication

FortiAppMonitor can monitor network communications over both IPv4 and IPv6, as shown in Figure 3.

Figure 3. Monitor Network Communications

Network communications are monitored using Socket Filter, which is a powerful mechanism that enables the interception of network and IPC traffic in the kernel’s socket layer.

Monitor .dylib Loading

FortiAppMonitor can monitor the loading of .dylib files, as shown in Figure 4. A .dylib file is a Dynamic Library file that an application references during runtime in order to perform certain functions on an as-needed basis.

Figure 4. Monitor .dylib Loading

.dylib file loading is also monitored using MACF.

Monitor KEXT Loading and Unloading

FortiAppMonitor can monitor the loading/unloading of kernel extensions (or KEXT), as shown in Figure 5. A kernel extension is a dynamically loaded bundle of executable code that runs in kernel space. Users can create a KEXT to perform low-level tasks such as low-level device drivers that cannot be performed in user space. 

Figure 5. Monitor KEXT Loading/Unloading

KEXT loading/unloading is also monitored using MACF.

For more detailed techniques used to implement these functionalities, you can read the following blogs authored by Kai Lu before his presentation.

Monitor Process Execution via MACF on macOS

Monitor File System Events and Dylib Loading via MACF on macOS

Monitor Network Activities Using Socket Filters on macOS


Want to hear more?

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.

Check out our latest Quarterly Threat Landscape Report for more details about recent threats.