Attacking the macOS Kernel Graphics Driver

The presentation discusses bug hunting, zero-day vulnerabilities, open source projects, and third-party kernel protection and mediation.

• Bug hunting and zero-day vulnerabilities
• Open source projects and the need for better kernel monitoring mechanisms
• Introduction of the Chemo open source pre and post callback based framework for Mac OS kernel monitoring
• Anecdote about a heap overwrite vulnerability in a graphics driver and the need for better kernel protection policies

The speaker shared an anecdote about a heap overwrite vulnerability in a graphics driver that was submitted to Apple security. The vulnerability was caused by a bug in the code that processed input data, and the speaker manually found the issue. The vulnerability could be exploited to execute malicious code, and the speaker emphasized the need for better kernel protection policies to prevent such vulnerabilities. The speaker also discussed the limitations of existing kernel monitoring mechanisms and introduced the Chemo open source pre and post callback based framework as a solution.

Just like the Windows platform, graphic drivers of macOS kernel are complicated and provide a large promising attack surface for EoPs and sandbox escapes from low-privileged processes. After auditing part of the binaries, I discovered a number of vulnerabilities last year. Including, NULL pointer dereference, stack-based buffer overflow, arbitrary kernel memory read and write, use-after-free, etc. Some of these vulnerabilities were reported to Apple Inc., such as the CVE-2017-7155, CVE-2017-7163, CVE-2017-13883.In this presentation, I will share with you the detailed information about these vulnerabilities. Furthermore, from the attacker's perspective, I will also reveal some new exploit techniques and zero-days.