Dive into Apple IO80211FamilyV2

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 1:30 p.m. (40 minutes)

Starting from the macOS Catalina Beta, Apple refactored the architecture of the 802.11 Wi-Fi client drivers and named the new generation of the design IO80211FamilyV2. Compared with IO80211Family (V1), modules such as Version 2 and AppleBCMWLANCore integrate the original AirPortBrcm series of drivers and further expand features such as Sidecar and Skywalk. These changes provide better support and protection for communication and data sharing between devices. Of course, we should also realize that new features are always accompanied by new vulnerabilities and new potential for attack.

This research delves into each of the affected Wi-Fi kernel components and explores the new attack surfaces. We will also share more than a dozen zero-day vulnerabilities, which can be classified into at least four categories from the high-level view of the architecture:

  1. Vulnerabilities affecting only V1. In other words, V2 fixes the vulnerable functions. Unfortunately, these important improvements have not been synchronized with other system platforms, so we can use them to attack targets such as the latest macOS High Sierra and Mojave.
  2. Vulnerabilities affecting only V2. In short, developers mistakenly introduced security flaws into Catalina when porting existing V1 functions.
  3. Vulnerabilities that affect both V1 and V2.
  4. Vulnerabilities in the new features of V2. In fact, much of this code has not been rigorously audited and tested. Through these brand-new cases, this presentation will help you better understand the design and security challenges of Apple's 802.11 Wi-Fi subsystem.

Presenters:

  • Yu Wang - Senior Staff Engineer, Didi Research America
    Yu Wang is a senior staff engineer at Didi Research America. He loves everything regarding OS kernel, from kernel architecture, device driver development, rootkit/anti-rootkit solutions to vulnerability discovery and exploitation. He has previously presented on Syscan360 2012/2013, Hitcon 2013, Black Hat USA 2014, Black Hat ASIA 2016, DEF CON 26 and other conferences.