Fire & Ice: Making and Breaking macOS Firewalls

Conference:  Defcon 26



The talk discusses creating and breaking macOS firewalls, with a focus on creating a comprehensive kernel-level firewall for macOS.
  • Firewalls play an essential role in the battle between malicious code and anti-malware tools
  • Creating a firewall for macOS involves writing a kernel extension using Network Kernel Extensions (NKEs) and Socket Filters
  • The firewall must register a socket filter and use callbacks to examine and filter socket actions
  • Lulu is a free firewall for macOS that uses these techniques
  • Breaking firewalls involves detecting and bypassing them, which can be done by malware
  • By discussing these attacks and understanding firewall internals, advancements can be made in firewall development
The speaker describes how they decided to create a firewall for macOS and the process they went through to develop Lulu, a free firewall product. They explain the importance of firewalls in protecting privacy and detecting cyberattacks, and how socket filters and callbacks are used to monitor and filter network traffic. They also discuss the process of breaking firewalls, including detecting and bypassing them using malware. The speaker emphasizes the importance of understanding these attacks and improving firewall development to stay ahead of sophisticated Mac malware.
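The summary above describes the mechanism at the heart of an NKE-based firewall: a registered socket filter whose callbacks fire on socket events, with a per-socket cookie carrying state between them. The following is an added example, not code from the talk or from Lulu: a user-space C model of that callback flow. The real kernel API is `sflt_register()` and `struct sflt_filter` from `<sys/kpi_socketfilter.h>`; the `model_attach`, `model_connect_out`, `model_detach` and `check_connect` functions, the rule table and all addresses below are this example's own constructed stand-ins, chosen so the logic compiles and runs on any POSIX system without a kernel extension.

```c
/* Added example: user-space model of the socket-filter callback flow used by
 * NKE-based macOS firewalls. The kernel API (sflt_register, struct sflt_filter
 * in <sys/kpi_socketfilter.h>) is NOT used here; the model_* functions are
 * stand-ins with the same shape, so the decision logic can run anywhere. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef enum { VERDICT_ALLOW = 0, VERDICT_BLOCK, VERDICT_ASK } verdict_t;

/* A rule is keyed on the connecting process plus an optional remote endpoint;
 * an empty address or port 0 acts as a wildcard. */
typedef struct {
    const char *process;
    const char *remote_ip;   /* "" = any */
    uint16_t    remote_port; /* 0  = any */
    verdict_t   verdict;
} rule_t;

/* Per-socket state returned as the "cookie" to every later callback, so the
 * verdict is computed once per socket rather than once per packet. */
typedef struct {
    const char *process;
    verdict_t   cached;
    int         decided;
} flow_cookie_t;

/* Stand-in for the sf_attach callback: allocate per-socket state. */
static void *model_attach(const char *process) {
    flow_cookie_t *c = calloc(1, sizeof *c);
    if (c) c->process = process;
    return c;
}

/* Stand-in for sf_detach: release per-socket state. */
static void model_detach(void *cookie) { free(cookie); }

/* First matching rule wins; no rule means the user must be asked. */
static verdict_t lookup_rule(const rule_t *rules, size_t n, const char *process,
                             const char *ip, uint16_t port) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].process, process) != 0) continue;
        if (rules[i].remote_ip[0] && strcmp(rules[i].remote_ip, ip) != 0) continue;
        if (rules[i].remote_port && rules[i].remote_port != port) continue;
        return rules[i].verdict;
    }
    return VERDICT_ASK;
}

/* Stand-in for sf_connect_out: return 0 to let the connect proceed or an errno
 * value (EPERM) to fail it, the same convention the kernel callback uses.
 * Flows with no rule are held (treated as blocked) until a user decides. */
static int model_connect_out(void *cookie, const struct sockaddr_in *to,
                             const rule_t *rules, size_t nrules) {
    flow_cookie_t *c = cookie;
    if (!c) return ENOMEM;
    if (!c->decided) {
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &to->sin_addr, ip, sizeof ip);
        c->cached = lookup_rule(rules, nrules, c->process, ip, ntohs(to->sin_port));
        c->decided = 1;
    }
    return c->cached == VERDICT_ALLOW ? 0 : EPERM;
}

/* Run one outbound connect through attach -> connect_out -> detach and report
 * 0 (allowed) or EPERM (blocked). */
int check_connect(const char *process, const char *ip, uint16_t port,
                  const rule_t *rules, size_t nrules) {
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port = htons(port);
    inet_pton(AF_INET, ip, &to.sin_addr);
    void *cookie = model_attach(process);
    int rc = model_connect_out(cookie, &to, rules, nrules);
    model_detach(cookie);
    return rc;
}

/* Constructed sample rule set (paths and verdicts are illustrative). */
static const rule_t sample_rules[] = {
    { "/usr/bin/curl",       "", 443, VERDICT_ALLOW },
    { "/tmp/suspicious.app", "", 0,   VERDICT_BLOCK },
};
#define SAMPLE_RULE_COUNT (sizeof sample_rules / sizeof sample_rules[0])
```

The model keeps one detail that matters in practice: the verdict is cached in the per-socket cookie, so a process that is allowed once on a socket is not re-evaluated for every send on that socket, while a process with no rule at all is failed closed until user-mode supplies a decision.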


In the ever-raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a piece of malware has been generically thwarted thanks to the watchful eye of these products. However, on macOS, firewalls are rather poorly understood. Apple's documentation surrounding its network filter interfaces is rather lacking, and all commercial macOS firewalls are closed source. This talk aims to take a peek behind the proverbial curtain, revealing how to both create and 'destroy' macOS firewalls. In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes, we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events). Of course, any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls. But all is not lost. By proactively discussing such attacks, combined with our newly-found understanding of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate, the lives of tomorrow's sophisticated Mac malware!

Authors: Patrick Wardle (Objective-See Foundation)