
One bite and all your dreams will come true: Analyzing and Attacking Apple Kernel Drivers

Conference: Defcon 26

2018-08-01

Summary

The presentation discusses the use of a new tool called Ryuk to analyze drivers in macOS and iOS, find vulnerabilities in them, and exploit use-after-free vulnerabilities in the kernel.
  • Ryuk is a reverse engineering tool that can identify the name, size, and vtable of classes, recover function names, and resolve local and global member variables in the compiled code of macOS and iOS drivers
  • The presentation demonstrates how Ryuk was used to find use-after-free vulnerabilities in the kernel and exploit them to gain privilege escalation on macOS 10.13.2 and 10.13.3
  • The presentation also discusses a problem in PassiveFuzzFrameworkOSX, which used an incorrect method to infer the kernel text range, and how Apple moved the interrupt handler and other code related to user space out of the kernel text into a separate location to defend against Meltdown
  • The presentation concludes by introducing the new static analysis tool Ryuk and showing a use case called the rubric of funds, which has been open sourced on GitHub

Abstract

Though many security mechanisms are deployed in Apple's macOS and iOS systems, some old-fashioned or poor-quality kernel code still leaves the door wide open to attackers. In particular, as critical kernel components, device drivers are frequently exploited to attack Apple systems. In fact, bug hunting in Apple kernel drivers is not easy, since they are mostly closed-source and rely heavily on object-oriented programming. In this talk, we will share our experience of analyzing and attacking Apple kernel drivers. Specifically, we will introduce a new tool called Ryuk. Ryuk employs static analysis techniques to discover bugs by itself or to assist manual review. In addition, we further combine static analysis with dynamic fuzzing for bug hunting in Apple drivers. Specifically, we will introduce how we integrate Ryuk into the state-of-the-art Apple driver fuzzer, PassiveFuzzFrameworkOSX, for finding exploitable bugs. Most importantly, we will illustrate Ryuk's power with several new vulnerabilities that were recently discovered by Ryuk. Specifically, we will show how we exploit these vulnerabilities for privilege escalation on macOS 10.13.3 and 10.13.2. We will not only explain why these bugs occur and how we found them, but also demonstrate how we exploit them with innovative kernel exploitation techniques.
