Getting started in macOS security

Many people used to ask me where to start learning about macOS security or exploitation, what are the trainings or books out there that can help with this topic. Nowadays there are a few trainings, which can get you started. Other great resources for macOS security are blog posts and conference talks.

I thought I will try to collect some resources that can help people to get started in this field.

Training Link to heading

There are quite a few trainings as of 2021, this wasn’t the case in the past, but as the popularity of macOS is growing, so the training offerings.

Internals Link to heading

Stefan Esser created iOS and MacOS Kernel Internals for Security Researchers, this one focuses on macOS kernel internals as the name suggests.
The other is created by Jonathan Levin / Technologeeks, and is more broadly about OSX and iOS internals and security. Although it’s not offered live anymore, an online version should come out… but no one knows when, it’s being promised for to years now.

Offense Link to heading

Offensive Security offers now a full blown course, which covers macOS internals basics, vulnerability research, exploitation and pentesting macOS machines. It’s called macOS Control Bypasses, and was created by myself.
SpecterOps offers Adversary Tactics: Mac Tradecraft and it’s focused on Red Teaming specifically vs exploitation. It’s only offered live, and it’s 2 day long.
MDSec Labs covers macOS in their 4-day Adversary Simulation and Red Team Tactics training. It’s limited to the last day, when Linux is also covered, and just like SpecterOps it’s focusing on Red Teaming.

Defense Link to heading

SANS has a Mac & IOS Forensic Analysis & Incident Response Training | SANS FOR518, which is created by Sarah Edwards.

Books Link to heading

Similarly to the trainings there are not really books about macOS exploitation. There are two, but they are rather dated. The rest are mostly programming guides, or covering macOS internals. All of them, expect Levin’s new series are dated, but it doesn’t mean there is no useful information in them.

When it comes to defense, there are two free ebooks about macOS malware, which are up-to-date! This is pretty good considering how everything else is so much old.

Here follows a list, that I think can be useful for security:

Internals Link to heading

Amit Singh - Mac OS X Internals: A Systems Approach - The first(?) book about OSX internals, it was released in 2006. It’s rather old, however some old items which can be still relevant today are still documented here. It also contains many source code samples, so can be a useful go-to resource.
Jonathan Levin - Mac OS X and iOS Internals: To the Apple’s Core - The first book of Jonathan Levin about *OS internals. It’s also dated, but sometimes still relevant and some items better explained here as in the new books, or at least I found it easier to read sometimes. It’s available for free from the author’s website: MOXiI.pdf
Jonathan Levin - *OS Internals Vol I-II-III - The most current books about *OS internals, and it’s up-to-date till macOS Catalina. This is a must have series for anyone who is serious about the subject.
Apple Platform Security - Apple’s own page about the security of their platform.
macOS Support Essentials 11 - Apple Pro Training Series: Supporting and Troubleshooting macOS Big Sur - This book is targeted for macadmins, however it contains a great deal of macOS internals as well.

Exploitation Link to heading

Charlie Miller, Dino Dai Zovi - The Mac Hacker’s Handbook - The only book dedicated to OSX exploitation. It was released in 2011, so it’s rather old, and not so relevant anymore. It can be still useful for limited amount of information.
Enrico Perla, Massimiliano Oldani - A Guide to Kernel Exploitation: Attacking the Core - Deals with kernel exploitation of OSX Leopard, which was ages ago. The concepts are not relevant in modern day macOS, however could be a good start to get an intro into macOS kernel exploitation

Malware & DFIR Link to heading

Phil Stokes - How To Reverse Malware on macOS Without Getting Infected - A new, free ebook about analyzing malware on macOS.
Patrick Wardle - The Art Of Mac Malware - Another free ebook about analyzing macOS malware, more detailed than the other one.
Jaron Bradley - OS X Incident Response - 1st Edition - The only book to cover incident response and forensics.

Programming Link to heading

Ole Henry Halvorsen, Douglas Clarke - OS X and iOS Kernel Programming - It’s a developer book, but a very useful resource for macOS kernel programming.
Graham J Lee - Professional Cocoa Application Security - A book for developers about secure coding. As it’s from 2010, it’s also old, however still can be a good resource for certain topics or to better understand why some apps work the way they work.

Reverse engineering Link to heading

Derek Selander - Advanced Apple Debugging & Reverse Engineering - A book about debugging, tracing applications.

Blogs Link to heading

I found the following people having awesome blog posts on macOS internals or security on a constant basis.

Conference Talks and Papers Link to heading

@osxreverser maintains an awesome collection of paper and conference talks on his website: macOS · Papers, Slides and Thesis Archive

Although it’s covered in Pedro’s collection, I still want to highlight the Objective By The Sea conference, which is entirely dedicated to macOS security.

Apple Link to heading

Apple’s own developer documents can be also very useful, especially the older ones. These are also dated, yet a very valuable resources. Apple Documentation Archive

Part of the XNU kernel is open sourced by Apple, which is also an invaluable resource. Apple Open Source

I hope these resources can get help people started and answer the question answered so frequently. It’s probably far from being complete, and sorry if I missed anyone. If you know of a good resource let me know, and I can update this list.