Fuzzing at Mach Speed: Uncovering IPC Vulnerabilities on MacOS/iOS

This research presents an in-depth investigation of MacOS Inter-Process Communication (IPC) security, with a focus on Mach message handlers. It explores how Mach message handlers are utilized to execute privileged RPC-like functions and how this introduces vectors for sandbox escapes and privilege escalations. This involves a detailed examination of MacOS internals, particularly the calling and processing of Mach messages, their data formats, and statefulness. The core of the study is the development and application of a custom fuzzing harness targeting these identified IPC function handlers. The fuzzing process, aimed at inducing crashes indicative of memory corruption vulnerabilities, is discussed in detail. Several generated crashes will be discussed, one of which may be exploitable to obtain remote code execution. The research culminates in the open-sourcing of a bespoke Mach message corpus generation script and custom fuzzing harness, contributing to the broader cybersecurity community and laying groundwork for future exploration in this area.

About the Presenter: Dillon Franke

Dillon Franke is a seasoned security researcher with a track record of uncovering high-impact vulnerabilities in complex systems. Throughout his career, Dillon has focused on identifying and exploiting weaknesses in widely used products, working closely with organizations across various industries to improve their security posture and protect against emerging threats. His work has been featured in numerous industry publications and news outlets, and he has spoken at major security conferences around the world, including Black Hat, ShmooCon, TROOPERS, Nullcon, and the Qualcomm Product Security Summit.

In his current role as a Senior Security Consultant at Google/Mandiant, Dillon continues to perform cutting edge application security research and release open source tools. He is passionate about sharing his knowledge with others and inspiring the next generation of security professionals to take up the mantle and continue the fight for a safer, more secure online world.