Abstract

Samuel Groß is an independent security researcher and, in his spare time, a Master's student at Karlsruhe Institute of Technology. He has been researching browser security for some years now and has published multiple articles on the subject, including a Phrack paper about JavaScript engine exploitation techniques using JavaScriptCore, the JavaScript engine inside WebKit/Safari, as an example. He successfully participated in the yearly Pwn2Own contest in 2017 and 2018, both times demonstrating a remote exploit against Safari which also gained root or kernel-mode code execution on the underlying macOS system. Recently he has started offering training courses on browser exploitation in which he dedicates a full day to JIT compiler internals.

[Abstract]
==========
With many operating system services implemented in userland, inter-process communication (IPC) is a fundamental feature in Apple's operating systems. From a security point of view, these userland services pose an interesting target, as many of them run with higher privileges. Besides memory corruption vulnerabilities in services reachable through IPC, logic bugs are also not uncommon due to the high complexity of the system as a whole.

This talk will first revisit the basic IPC primitives on macOS and iOS as well as their general OS design. Afterwards, an interesting logic vulnerability, allowing an attacker to intercept and manipulate IPC traffic between userland processes, will be explained. Finally, different ways of exploiting this vulnerability will be presented: first by targeting sudo to gain root privileges, then by tricking kextutil into loading an unsigned kext into the kernel, thus bypassing SIP and gaining kernel-mode code execution. This vulnerability was used in Pwn2Own 2018 as the final part of an exploit chain against Safari on macOS. A full exploit together with a library implementing the parts of the XPC protocol required for exploitation will be released.

Slides