XUnprotect: Reverse Engineering macOS XProtect Remediator
Black Hat USA 2025 · Day 1 · Briefings
Ko, a macOS security researcher at Prescotte Fedora Security, carried out a deep reverse-engineering study of XProtect Remediator (XPR), Apple's third-layer malware defense. The research documents XPR's internal DSL for remediation logic, uncovers Apple-exclusive threat intelligence embedded in its scanner modules, and exposes several vulnerabilities, including a TOCTOU-style (time-of-check/time-of-use) arbitrary file deletion primitive.

---
AI review
Ko did what every serious macOS researcher should have done years ago and didn't: tore XProtect Remediator down to bare metal and published the results. The RemediationBuilder DSL documentation, the RedPine/TriangleDB connection, and the TOCTOU arbitrary file deletion primitive make this essential reading for both offense and defense. This is what Black Hat is supposed to look like.