A Review of macOS Control Bypass (OSMR) Certification and Exam

EXP-312-OSMR-Certification

OffSec’s macOS Control Bypass (OSMR) Certification is a special badge for cybersecurity experts who want to learn how to sneak past macOS security measures in real-world situations. As macOS becomes more popular in big companies, this certification is becoming a really valuable skill.

In this article, I’ll tell you everything you need to know about the OSMR certification, from what the course is like to how the exam works. I’ll also give you some tips to help you ace it. Whether you’re thinking about getting this certification or just curious about it, you’ll find this information helpful.

Background

Offensive Security (OffSec) has built a solid reputation in the cybersecurity world thanks to its hands-on, practical approach to training. Their certifications, like the OSCP (Offensive Security Certified Professional) and OSCE (Offensive Security Certified Expert), are highly respected by professionals and employers alike. The OSMR (macOS Control Bypass) certification is a bit more niche, focusing specifically on macOS security and the techniques used to bypass its built-in protections.

The OSMR exam challenges you to identify and exploit vulnerabilities within macOS systems, skills that are becoming more crucial as Apple devices gain popularity in enterprise environments. If you’re working with or around Apple ecosystems, mastering macOS security and control bypassing is a superpower!

As someone who’s been using Mac for over a decade, I’m pretty familiar with the ins and outs of macOS. Plus, since macOS is a Unix-based system and I have a solid foundation in Linux, I definitely feel like I have an edge when it comes to understanding macOS from both a user and security perspective.

Course Info

The OSMR course offers hands-on experience and is designed for those serious about mastering Apple’s operating system. It focuses on two crucial areas: local privilege escalation and bypassing macOS security controls like System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC).

Throughout the course, you’ll look into macOS system internals, gaining a deeper understanding of how the OS functions internally. This knowledge is essential for discovering vulnerabilities, exploiting weaknesses, and ultimately bypassing protections to gain control over macOS systems. You’ll also explore real-world vulnerabilities—both within macOS itself and in third-party applications—and learn how to identify and exploit them.

Previously, the course content was based on Intel architecture, but with the shift to Apple’s new ARM-based Macs, as of this writing in February 2025, the course has been fully updated to focus on the latest ARM architecture. This update ensures you’re learning the most relevant techniques for exploiting and bypassing macOS security on Apple’s newest architecture.

The OSMR course starts at $1,749, which might be steep for some, but the value is undeniable for serious security researchers. Additionally, since remote labs are discontinued, you’ll need a MacBook with an M-series chip and 1TB of storage for your local lab setup, adding another $1,000 to the total cost.

Syllabus Overview
  1. macOS Control Bypasses
  2. Virtual Machine Setup Guide
  3. Introduction to macOS
  4. macOS Binary Analysis Tools
  5. The Art of Crafting the Shellcodes
  6. Dylib Injection
  7. The Mach Microkernel
  8. XPC Attacks
  9. Function Hooking on macOS
  10. The macOS Sandbox
  11. Bypassing Transparency, Consent and Control (TCC)
  12. Gatekeeper Internals
  13. Bypassing Gatekeeper
  14. Symlink & Hardlink Attacks
  15. Injecting Code into Electron Apps
  16. Penetration Testing on macOS

* please refer to official website for more up-to-date information about the course content.

The Exam

The OSMR certification exam was not so easy because it puts your knowledge of exploit development and security control bypasses to the limit. It’s not an exam you can just walk through without serious preparation. The exam has four tasks, each focusing on important areas like reverse engineering, crafting exploits, bypassing security measures, and creating custom shellcode—all of which are covered in the course. While the exam tests your technical skills, it also requires you to think critically and logically about how to approach each task. You’ll need to apply the course material in ways that allow you to work through complex scenarios under pressure. The tasks are designed to reflect real-world exploit development challenges, so a solid understanding of both theory and practice is essential.

We have 47 hours and 45 minutes (almost 2 days) to complete the exam. It might seem like a lot of time at first, but it’s actually just the right amount of time to test both your technical skills and your time management skills. You need to obtain 70 points out of 80 points to earn the certificate. The exam is not very challenging but thoroughly tests most of the concepts taught in the course, and it definitely represents the key takeaways from the course.

One important lesson I learned: you need to understand not just how to solve each task, but how the tasks interconnect with the overarching concepts of the course. If you’re unclear on the big picture, you’ll likely struggle. The exam really emphasizes the importance of having a solid, repeatable methodology for exploit development and testing. I strongly recommend taking the time to not only complete the course but also to synthesize your own methodology for macOS exploitation before attempting the exam.

I originally scheduled my exam for December 17, 2024, at 11:00 PM UTC+5, but unfortunately, it got canceled due to some unexpected maintenance, so I had to reschedule. I chose January 26, 2025, at 5:00 AM UTC+5 for my new exam date and here’s how the day went:

04:45 AM: Logged into the proctoring system for the identity check.
05:05 AM: Got my VPN credentials, but hit a roadblock—couldn’t connect from my Mac host. Tried transferring the Kali VM, but still no luck. 😢
06:45 AM: Finally solved the issue by adjusting the MTU size and managed to get connected to the VPN.
06:55 AM: Tested the portal connectivity and decided to take a short break to reset.
07:10 AM: Came back, joined the exam, and quickly skimmed through all the challenges.
07:20 AM: Decided to tackle the challenges in order, starting with Challenge 1.
07:50 AM: Discovered the first vulnerability and started working on the exploit.
08:30 AM: Took a break for breakfast.
09:15 AM: Ran into a problem—the exploit code wasn’t working, so I started testing alternative approaches.
10:30 AM: Finally, after a lot of trial and error, I had a working payload!
10:50 AM: Successfully exploited the target and set up persistence.
11:00 AM: Took another break.
11:15 AM: 10 points down, so I started the second challenge worth 30 points.
11:30 AM: Shortlisted a few exploit pathways.
01:25 PM: Got to the end of my shortlisted paths, but all of them were failing.
01:30 PM: Took a break for lunch to clear my head.
02:15 PM: Finally found the right exploit pathway, so I worked on preparing the payload.
02:30 PM: Target exploited and persistence achieved.
02:45 PM: Took another quick break to refresh.
03:00 PM: 40 points down, now onto the next 30-point challenge.
03:30 PM: This one was a bit tricky, but thanks to my prior Linux experience, I knocked it out in about 10 minutes. 😉
03:50 PM: Reviewed the last challenge and took another short break.
04:20 PM: Wasn’t too worried about this challenge since I had a good sense of how to approach it, so I dove in with confidence.
05:30 PM: Made a silly mistake—ended up troubleshooting it for over two hours.
07:45 PM: Finally got the payload fixed and had completed all the challenges.
08:00 PM: Took a break to get some sleep.
09:00 AM: Woke up, and reviewed all the screenshots and details.
10:00 AM: Began writing the report.
02:00 PM: Finished the report and wrapped up the exam.
05:00 PM: Sat down for another two hours to review and polish my report.
07:30 PM: Submitted my report to Offensive Security.

Then, after four days of waiting, I finally got the email I had been hoping for: “We are happy to inform you that you have successfully completed the macOS certification exam and have obtained your Offsec macOS Researcher (OSMR) certification.” 🎉

It was a rollercoaster of a day, but it felt amazing to finally cross the finish line!

Resources

When preparing for the OSMR exam or diving into macOS research, there are a few key resources I found extremely helpful. While the course itself is comprehensive, these additional materials can really help deepen your understanding of macOS internals, security, and exploitation techniques.

  • OS Internals Books (https://newosxbook.com/jbooks.html)
    These books dive into macOS internals in three parts: user mode, kernel mode, and security. They’re packed with detailed information and even discuss real-world vulnerabilities, like the ones used in the Pegasus ZeroClick RCE attack.
  • The Mac Hacker’s Handbook (https://www.amazon.com/Mac-Hackers-Handbook-Charlie-Miller/dp/0470395362)
    This is a must-read for anyone interested in macOS security. Written by Charlie Miller, it covers a wide range of hacking and exploitation techniques for macOS.
  • Eclectic Light (https://eclecticlight.co/mac-problem-solving/)
    The Eclectic Light website has a ton of valuable articles on macOS technologies. It’s great for understanding how macOS works under the hood and for troubleshooting various macOS-related issues.
  • Sektion Eins Blog (https://www.sektioneins.de/categories/blog.html)
    This site features in-depth vulnerability analysis and exploit research focused on macOS, making it an excellent resource for security researchers.
  • Objective-See Blog (https://objective-see.org/blog.html)
    Known for its macOS security tools, Objective-See also has a great blog that covers vulnerabilities and security techniques for macOS.

Additional Research Resources:

  • Apple Developer Documentation: (https://developer.apple.com/documentation/) – Official Apple documentation for APIs and macOS internals.
  • PRZHU’s Blog: (https://przhu.github.io) – A blog with vulnerability analysis and research on macOS.
  • Knight Security Research: (https://knight.sc) – Security-focused site with research on macOS and other platforms.
  • The Evil Bit: (https://theevilbit.github.io/posts/) – Exploit research and vulnerability analysis, including macOS.
  • Nshipster: (https://nshipster.com) – A developer resource for macOS technologies and APIs.
  • HackTricks – macOS Red Teaming: (https://book.hacktricks.xyz/macos-hardening/macos-red-teaming) – A comprehensive guide for red teaming techniques on macOS.

These resources will be incredibly helpful whether you’re working through the OSMR exam or just expanding your knowledge of macOS security. The more you familiarize yourself with these sites, the better equipped you’ll be to handle the challenges in the exam and beyond.

FAQs

Before jumping in, make sure you’re comfortable with these topics:

  • x86-64 Assembly: You’ll be diving into reverse engineering and exploitation, so understanding assembly is key.
  • C & Objective-C Programming: You’ll need to read and write C code, as well Objective-C, as it’s crucial for exploit development.
  • Debuggers and Exploit Development: Having hands-on experience with tools like GDB or LLDB will make things much smoother.

You’ll know you’re ready when you’ve worked through all the exercises (and gone the extra mile). If you feel confident about the material and have a good grasp on everything, then it’s exam time! Just make sure you’ve really internalized the concepts before hitting submit.

The course is mainly focused on macOS, so it won’t teach iOS exploit development directly. However, many of the skills and concepts you’ll learn here—like reverse engineering, and exploit creation—are transferable to iOS. It might not be a direct path, but it can definitely point you in the right direction.

It can take up to 10 business days to get your results, but don’t worry, it’s usually faster. For me, I got my results in about 4 days after submitting the exam report.

If you need more details or have questions, check out these resources:

  • EXP-312: Advanced macOS Control Bypasses – The official course page.
  • EXP-312: OSMR Exam Guide – All the info you need specifically for the exam.
  • OSMR Exam FAQ – The official FAQ from OffSec.
  • For real-time help, join OffSec’s Discord. There’s a channel specifically for EXP-312 (exp-312-general) where the community can answer your questions.

Yes! A good understanding of both Intel and ARM assembly will be super helpful, especially since a lot of the course revolves around reverse engineering with tools like Hopper. Also, being comfortable with C and Objective-C will make a big difference when you’re reading source code and working on exploits. Finally, some basic knowledge of macOS technologies (like XPC and TCC) will help you absorb the material more easily and give you a clearer understanding of how macOS works.

If your goal is just to get the certificate, then yes, the exercises and extra miles will more than prepare you for the exam. The exam itself isn’t overly difficult as long as you’ve done the work. But if you want to really push yourself and dig deeper, I’d recommend going beyond the exercises and practicing even more. That way, you’ll get a more thorough understanding of the material.

You’ll need Hopper or another disassembler to tackle the reverse engineering tasks. It’s also a good idea to be familiar with debugging tools like LLDB, Radare2, or Cutter. Since the exam is remote, make sure your setup is solid and you’re comfortable with all your tools before diving in. It’s important to double-check that your system meets the exam requirements to avoid any surprises. And just a heads-up—since labs are discontinued in November 2024, you’ll need to set up your own lab environment for the exam.

Conclusion

I’m really glad I took the OSMR course. It expanded my understanding of macOS security and made me a better pen tester. While the price might be a bit high for some, especially with the discontinuation of labs, it’s definitely worth it if you’re serious about security research in the Apple ecosystem.

For the exam, managing stress is key, take breaks when needed, and make sure to practice all the exercises. The course content is top-notch, constantly updated, and it’s one of the best resources out there for macOS exploitation.

Whether you’re a pen tester, security researcher, or macOS developer, this course is a fantastic choice. It teaches you the skills you need to approach real-world macOS security challenges. I’d take it again in a heartbeat and look forward to what’s next with OffSec.