As the Mac product line gradually enters the M1 chip era, the macOS security of the arm64e architecture is beginning to approach iOS. The mitigations that only existed on iOS in the past are now also applicable to macOS. As well as... the vulnerabilities that only affected iOS in the past are now also brought into macOS. Lol.
AppleAVE2 (AVEVideoEncoder) is a graphics IOKit driver that runs in kernel space and exists only on iOS and M1 chip-based Macs. The complexity of the driver itself and the extensive use of user-kernel memory mapping make it a desirable target for kernel exploitation. I used it to develop kernel exploits for iOS 12 and iOS 13 Jailbreak. CVE-2019-8795, CVE-2020-9907, CVE-2020-9907b.
This talk will explain in detail how Apple "fixed" the AppleAVE2 driver and how we can exploit AppleAVE2 once again to achieve kernel r/w on M1 Macbook, at last I'll share some of my thoughts on post-exploitation.