Racing the Dark: A New TOCTTOU Story From Apple's Core

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 10:20 a.m. (40 minutes)

When developing operating system kernels and drivers, the functions that map, access and parse user data are where vulnerabilities are most often found. To contain this class of problem, almost every system defines standard rules for touching untrusted user input. On Linux, for example, the kernel and third-party drivers must use copy_from_user, copy_to_user and related functions to manipulate user-mode buffers; the equivalent discipline on Windows is called Probe and Capture. Routines that violate these rules introduce, at a minimum, double-fetch or TOCTTOU vulnerabilities into the kernel. On macOS/iOS the situation is a little more complicated. Functions like io_connect_method handle user input automatically on behalf of the kernel and its extensions, while BSD functions such as copyin and copyout support manual handling. In other words, with the help of *_io_connect_method we seem to need to worry only about data parsing and the handling of secondary pointers. But is that really the case?

This presentation will share more than a dozen zero-day vulnerabilities related to macOS kernel memory mapping. Some subtle cases show that when a vulnerable function mixes several kinds of bugs, developers tend to identify only the most obvious ones, which directly allows the resulting security update to be bypassed by race conditions. These cases remind us that we must re-examine the memory mapping mechanism of macOS/iOS.
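The check-then-use hazard the abstract describes, as an added C model that is not part of the talk: copyin() here is a hypothetical stand-in for the BSD routine, race_hook stands in for a concurrent user thread, and the message layout is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD 16u
/* Message layout shared by user and kernel; constructed for this example. */
struct msg { uint32_t len; uint8_t data[MAX_PAYLOAD]; };

/* Hypothetical stand-in for the BSD copyin(): bytes move from user memory to
 * kernel memory; nothing else about the real routine is assumed. */
static int copyin(const void *u, void *k, size_t n) { memcpy(k, u, n); return 0; }

/* Models a racing user thread: called in the check-to-use window and free to
 * rewrite user memory. NULL means no concurrent writer. */
static void (*race_hook)(struct msg *umsg) = NULL;

/* Vulnerable pattern: len is fetched once to validate and again to drive the
 * copy. Returns the byte count that would be copied into a kbuf_len-byte
 * kernel buffer, or -1 if the check rejects the message. */
static long handle_double_fetch(struct msg *umsg, size_t kbuf_len) {
    uint32_t len;
    copyin(&umsg->len, &len, sizeof len);            /* fetch #1: check */
    if (len > MAX_PAYLOAD || len > kbuf_len) return -1;
    if (race_hook) race_hook(umsg);                  /* the TOCTTOU window */
    copyin(&umsg->len, &len, sizeof len);            /* fetch #2: use */
    return (long)len;                                /* can exceed kbuf_len */
}

/* Hardened pattern: copy the header once, then check and use only the
 * kernel-side snapshot, so later writes to user memory are never observed. */
static long handle_single_fetch(struct msg *umsg, size_t kbuf_len) {
    struct msg kmsg;
    copyin(umsg, &kmsg, sizeof kmsg);                /* the only fetch */
    if (kmsg.len > MAX_PAYLOAD || kmsg.len > kbuf_len) return -1;
    if (race_hook) race_hook(umsg);                  /* same window, no effect */
    return (long)kmsg.len;
}

/* Constructed racing writer: grows len after the check has passed. */
static void grow_len(struct msg *umsg) { umsg->len = 64; }

/* Runs one handler on a constructed 8-byte message, with or without the racer. */
static long run(long (*handler)(struct msg *, size_t), int racing) {
    struct msg um = { .len = 8, .data = {0} };
    race_hook = racing ? grow_len : NULL;
    return handler(&um, 16);
}
```

With the racer active, the double-fetch handler reports 64 bytes against a 16-byte buffer while the single-fetch handler still reports the 8 bytes it validated.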

Presenters:

  • Yu Wang - Senior Staff Engineer, Didi Research America
    Yu Wang is a senior staff engineer at Didi Research America. He loves everything regarding OS kernel, from kernel architecture, device driver development, rootkit/anti-rootkit solutions to vulnerability hunting and exploitation. He has previously presented at Black Hat USA 2014 & 2020, Black Hat Asia 2016, Black Hat Europe 2020, DEF CON 26 and other conferences.
