Dive Into Apple IO80211Family Vol. 2

Conference:  Black Hat USA 2022



The presentation discusses the identification and exploitation of kernel vulnerabilities in the Mac OS operating system.
  • Kernel vulnerabilities in Mac OS can be classified into several types
  • The new generation of fighting framework should focus on identifying attack surfaces and integrating interfaces
  • Domain knowledge is important for security engineering
  • The Apple SDK contains useful information for reverse engineering
  • The presentation provides an anecdote of a kernel vulnerability found in Broadcom's OS independent layer
The presentation provides an anecdote of a kernel vulnerability found in Broadcom's OS independent layer, which mistakenly trusted the input parameter and treated it as the active condition of the assignment loop, leading to a kernel crash. The vulnerability is related to Legacy code and uses byte assignment instead of string copy functions.


At the Black Hat USA 2020 I presented a topic [1] related to the Apple IO80211Family, which discussed the architecture, attack surfaces, and numerous cases of kernel vulnerabilities for the Apple 80211 Wi-Fi kernel extensions. One and a half years have passed, and maybe you will be concerned about what new changes have taken place in the above fields? I would say, first of all, that new kernel vulnerabilities and attack surfaces are constantly being introduced while old bugs are being fixed. It's an endless game. Second, the IO80211Skywalk subsystems are becoming more and more important, and some of them have even been open sourced since XNU-8019.80.24. As security researchers, we need to regularly update our background knowledge and fuzzing framework. Next, the IO80211Family subsystem has been refactored again, and the version number in the IO80211FamilyV2 name has been removed. Of course, the changes behind this are not as simple as they seem.As the research progressed, I quickly realized a new problem: the attack surfaces of the 80211 Wi-Fi subsystem are scattered all over the operating system, from user-mode daemons to the network protocol stack, and to IO80211Family.kext, IONetworkingFamily.kext, AppleBCMWLANCoreMac.kext, IOSkywalkFamily.kext and other kernel extensions. So, it became very important to integrate the fuzzing framework and make all the components work together, which motivated me to design a new 80211 Wi-Fi fuzzing system. As part of the output of this system, I will share with you more than a dozen zero-day kernel vulnerabilities. Through these brand new cases, this presentation will help you better understand the design of the Apple 80211 Wi-Fi subsystem and the security challenges it faces.[1] https://www.blackhat.com/us-20/briefings/schedule/#dive-into-apple-iofamilyv-20023