Provoke a kernel panic in FreeBSD


Throughout the last years I found numerous (security) bugs in the BSDs (FreeBSD, OpenBSD, NetBSD). I had a great time researching those kernels. The community is very technically sophisticated and very supportive. Not to forget the great read “The Design and Implementation of the FreeBSD® Operating System”, which accompanied my adventures over there. I can recommend this book to everyone working in system security!


bap-mode: Emacs ❤️ BAP


The Binary Analysis Platform (BAP) is a framework for automated binary code analysis. I utilize BAP quite a lot to implement cross-architecture analyses in the realm of firmware (e.g. ARM, PPC, MIPS, …). Owing to the fact that BAP lifts assembly code to an intermediate representation (IR), you can (almost) write architecture-agnostic binary analyses. Before I implement an analysis, I inspect the IR that BAP emits for a certain piece of code. You can instruct BAP to lift a program to its IR by calling bap PATH_TO_PROGRAM -d.


How to write and load shellcode on macOS


Learning by doing always works quite well. Getting to know the low-level programming toolchain is vital for understanding the low-level details of the OS in general. So I thought writing some shellcode in x64 assembly and loading it with a simple loader written in C would be a good starting point for becoming acquainted with the basic programming tools on macOS. Just to name a few: IDE (Xcode), compiler (llvm/clang) and (dis)assembler (radare2). Also, this would be my first encounter with the development documentation provided by Apple.

This blog post shows you how to write and load shellcode on macOS. It seems that there is not that much on x64 assembly on the Internet. Sometimes it can be a little bit tricky when coming from x86 assembly. However, the easiest way is just throwing a binary into a disassembler and seeing how the compiler translated the code.
