[RuxCon / EkoParty 2016] Strolling into Ring-0 via I/O Kit Drivers

[RuxCon / EkoParty 2016] Strolling into Ring-0 via I/O Kit Drivers

Due to recent macOS security enhancements such as system integrity protection and signed driver requirements, having root is not what it once was :( Now, in order to fully own a Mac, one generally needs ring-0 code execution.

Not to worry though, there are seem to be many kernel-level vulnerabilities in both Apple and 3rd party drivers! This talk will provide a practical ‘how to’ on reversing engineering I/O Kit drivers in order to search for such bugs. Starting with I/O Kit basics, the talk will then illustratively walk thru the discovery of a (now-patched) 0day which was found during the audit of a common 3rd-party I/O kit driver.

Specifically, we’ll first explore how to reverse-engineer the target I/O Kit driver and its interfaces in order to ‘connect’ to the driver. Then, how to identify and audit the methods where user input is processed in ring-0. Finally details of the subtle bug and control of $RIP will be discussed. A few tangential topics will be explored along the way, such as macOS kernel debugging, macOS specific anti-debugging mechanisms (employed by the 3rd-party product), and the discovery of a core macOS kernel implementation bug that initially prevented the exploitation the I/O Kit driver bug.

Thru this talk, attendees will gain (or enhance) both knowledge and foundations of macOS kernel and I/O Kit reversing. Armed with this know-how, no I/O Kit driver will remain safe :)


patrick wardle

October 27, 2016