Though residing in the kernel with high privileges, drivers in macOS and iOS are always blamed for their poor quality and frequently abused in exploitations against the kernel. However, most drivers in macOS and iOS are closed source, making them difficult to be analyzed.
In this talk, we will share our experience of analyzing and finding bugs in macOS and iOS kernel drivers (in short, Apple drivers). We will introduce our open source tool, Ryuk, for analyzing Apple drivers, which greatly facilitates the process of manual review and static analysis. Further, we will introduce two zero-day kernel driver vulnerabilities we recently found that can be exploited for privilege escalation on macOS 10.13.2. Several new kernel exploitation strategies we use on the latest macOS will also be explained and discussed.
We will show how we gain root privilege on the latest macOS, and also share our experience of exploiting the macOS kernel with several new strategies.
