TippingPoint Digital Vaccine Laboratories

Book Review: The Mac Hacker's Handbook

The Mac Hacker's Handbook
Charlie Miller, Dino Dai Zovi
Wiley
ISBN: 978-0-470-39536-3

As one of the resident Mac nerds, I had been eagerly awaiting this book since Charlie mentioned it to me last year. As soon as it was available, I ordered a copy from Amazon and cracked it open. To be honest, I generally don't like reading security books, but I loved this one. The narrative voice in this book is clear and consistent the whole way through, which makes it very easy to read. This may seem like a strange thing to mention, but it mattered to me, and I'm the one writing this review. The Mac Hacker's Handbook is broken down into four sections: Mac OS X Basics, Discovering Vulnerabilities, Exploitation and Post Exploitation.

Mac OS X Basics

The first section is a primer on OS X itself, aimed at someone new to the operating system. This section alone makes the book an invaluable resource for someone picking up OS X after coming in with a security background on other operating systems. These chapters cover the OS structure from the kernel up, common OS X services and the security measures in place, as well as detailed and concise overviews of Bonjour and RTSP.

Discovering Vulnerabilities

In the chapters dedicated to vulnerability discovery, the authors start with an overview of the debugging and tracing tools available on the Mac, that is to say GDB and DTrace. On top of the extremely good example of DTrace in action, Charlie made changes to PyDbg to run on OS X. This is the first of several tools released alongside the book that substantially add to the quality of tools available for Apple security research. The next chapter is actually on finding bugs. Coming from Charlie and Dino, both prolific bug hunters in their own right, this was bound to be interesting. Instead of writing a tome on the topic of bug hunting (which has already been done), it is limited to case studies of the CanSecWest Pwn2Own bugs and other bug-finding techniques that tend to be Apple specific. The last chapter in this section is on reverse engineering OS X binaries, primarily Objective-C ones. This is where Charlie drops another tool into your lap: the modified x86 emulator for IDA Pro, included and documented, will make your life far easier when reversing Objective-C binaries.

Exploitation

The next section of the book places the focus on the actual exploitation of bugs, with detailed chapters on stack-based exploitation, heap exploitation and payloads, followed by a chapter with more detailed case studies of real-world bugs and their working exploits. Both the older PowerPC architecture and the current x86 architecture are included in the examples. All three of the chapters start off similarly to other descriptions of the same concepts on other operating systems, but also include OS X-specific techniques. For that reason I would recommend that a reader with experience writing exploits not skip these chapters.

Post Exploitation

This section delves into runtime code injection and rootkits. This section, also chock full of examples, gives a clear view of the low-level mechanisms in place that allow you to inject code into (or swizzle methods in) Objective-C binaries on an OS X system. This is followed by an introduction to writing kernel extensions for Mac OS X, with the examples focused on the tasks required by the common rootkit.

Overall, I found this book to be extremely well thought out and well written, and it has already been useful to me in the month or so I've been procrastinating on writing this review. If you're an Apple-based security researcher, or interested in becoming one, this will be an invaluable resource in your library.

Published On: 2009-04-13 16:38:44
