
Abstract

Let’s discuss the hidden Recovery OS and show how, in virtualized environments, it may be subverted to allow malware to survive a full OS X restore and bypass SIP. Then we’ll look at how OS X performs OS updates, noting that this process may be locally subverted even on native hardware. This talk will also cover various novel OS X infection and injection strategies, and discuss some general OS X hardening methodologies that may generically thwart, or at least complicate, such attacks.

Slides