Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 12:30 p.m. (40 minutes)

Compromising a kernel through a browser is the ultimate goal for offensive security researchers. Because of continuous efforts to eliminate vulnerabilities and introduce various mitigations, a remote kernel exploit from a browser has become extremely difficult, seemingly impossible.

In this talk, we will share our Safari exploit submitted to Pwn2Own 2020. Combining six different vulnerabilities, our exploit successfully compromises the macOS kernel starting from the Safari browser. It breaks every mitigation in macOS including ASLR, DEP, sandbox, and even System Integrity Protection (SIP). Inspecting every vulnerability used in this exploit, we will show not only state-of-the-art hacking techniques but also challenges in protecting complicated systems (i.e., browsers and operating systems) and in introducing their mitigations. Moreover, we will introduce a new technique that reliably exploits a TOCTOU vulnerability in macOS.


Presenters:

  • Taesoo Kim - Associate Professor, Georgia Institute of Technology
    Taesoo Kim is an associate professor in the School of Computer Science at Georgia Tech. He also serves as the director of the Georgia Tech Systems Software and Security Center (GTS3). He is genuinely interested in building systems that have underlying principles for why they should be secure. Those principles include the design of the system, analysis of its implementation, elimination of certain classes of vulnerabilities, and clear separation of its trusted components. His thesis work, in particular, focused on detecting and recovering from attacks on computer systems, also known as undo computing. He holds an SM (2011) and a PhD (2014) from MIT EECS.
  • Insu Yun - PhD Student, Georgia Institute of Technology
    Insu Yun is a PhD student at Georgia Institute of Technology. He is interested in system security in general, especially binary analysis, automatic vulnerability detection, and applied cryptography. His research won best paper awards from USENIX Security and OSDI. In addition to research, he has been participating in several hacking competitions. In particular, he received the Black Badge from DEF CON as the winner in 2015 (DEFKOR) and 2018 (DEFKOR00t). Prior to joining Georgia Tech, he received his BS degree in Computer Science from KAIST in 2015.
  • Jungwon Lim - PhD Student, Georgia Institute of Technology
    Jungwon Lim is a PhD student at Georgia Institute of Technology. He is interested in information security in general, and in binary exploitation and mitigations in particular. He has received many awards in hacking competitions. He was selected as a Best 10 trainee in the 2nd generation of South Korea's Ministry of Science and ICT's information security expert program (the program is also known as KITRI BoB).
  • Yonghwi Jin - PhD Student, Georgia Institute of Technology
    Yonghwi Jin is a PhD student at Georgia Institute of Technology. He is interested in automating binary analysis. He received a BS degree in Cyber Defense from Korea University in 2018.
