Overview
Syllabus
Intro
Solution Overview
Attack Surfaces
Think about Apple System
New Attack Interfaces Generator
KEXT Interface Analysis Flow
Classes inheritance relationship
Class/Method name refinement
Connection Type - User Clients
User Client External Methods - Graceful
User Client External Methods - Ugly
Parse the External Method Dispatch Array
Analyze the ASM Instructions
Custom KEXT Analysis Engine
Generate CFG local information
Analyze key paths based on CFG
Emulate key instructions operation
Emulate register operation
Output User Client or external method information
Kernel Interfaces
Kernel Diff Methodology
Kernel Diff Analysis Practice (1/2)
KEXT Diff Analysis
Disadvantages of KEXT static analysis
Comparison of dynamic tracing
Frida Hook in User Mode
xpc_connection_send_message API context
Hunt more dynamic relations if you like
DTrace introduction
DTrace providers list
DTrace script (e.g. file probe)
Enhanced kernel fuzz
KASAN in iOS/OSX Kernel
Future plan
CVE-2018-4462 - Root Cause
OOB read in AMD Radeon X4000 Extension
OOB read - Root Cause
Overflow - Root Cause
NULL PAGE Reference in Intel Accelerator
NULL PAGE Reference - Root Cause
Division by Zero in AMD Radeon X4000 Extension
Division by Zero - Root Cause
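The "graceful" external-method slides and "Parse the External Method Dispatch Array" above refer to the `IOExternalMethodDispatch` table that a user client hands to `IOUserClient::externalMethod`. The following is an added example, not code from the talk: it walks a little-endian dump of such a table (the 24-byte layout from `IOKit/IOUserClient.h` on a 64-bit kernel) and reports the selectors whose structure input size is `kIOUCVariableStructureSize` (0xffffffff), since those are exactly the methods where the framework performs no length check and the handler's own parsing is what a fuzzer or reviewer should target. The three-entry table and the handler addresses are constructed placeholders, not taken from any real driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory layout of IOExternalMethodDispatch (IOKit/IOUserClient.h) on a
 * 64-bit kernel: one pointer followed by four uint32_t checks, 24 bytes. */
#define DISPATCH_ENTRY_SIZE 24
/* kIOUCVariableStructureSize: externalMethod() skips the length check and
 * the handler is responsible for validating the structure size itself. */
#define KIOUC_VARIABLE_STRUCTURE_SIZE 0xffffffffU

typedef struct {
    uint64_t function;                 /* kernel address of the handler */
    uint32_t checkScalarInputCount;
    uint32_t checkStructureInputSize;
    uint32_t checkScalarOutputCount;
    uint32_t checkStructureOutputSize;
} ext_method_dispatch_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void wr64(uint8_t *p, uint64_t v) {
    wr32(p, (uint32_t)v);
    wr32(p + 4, (uint32_t)(v >> 32));
}

/* Walk a raw dump of the dispatch array. Stops at a NULL function pointer or
 * when the buffer can no longer hold a full entry. Returns entries parsed. */
size_t parse_dispatch_table(const uint8_t *buf, size_t len,
                            ext_method_dispatch_t *out, size_t max_entries) {
    size_t n = 0;
    while (n < max_entries && (n + 1) * DISPATCH_ENTRY_SIZE <= len) {
        const uint8_t *e = buf + n * DISPATCH_ENTRY_SIZE;
        uint64_t fn = rd64(e);
        if (fn == 0) break;
        out[n].function = fn;
        out[n].checkScalarInputCount = rd32(e + 8);
        out[n].checkStructureInputSize = rd32(e + 12);
        out[n].checkScalarOutputCount = rd32(e + 16);
        out[n].checkStructureOutputSize = rd32(e + 20);
        n++;
    }
    return n;
}

/* First selector whose structure input is unchecked by the framework,
 * or -1 if every entry has a fixed input size. */
int first_variable_input_selector(const ext_method_dispatch_t *t, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (t[i].checkStructureInputSize == KIOUC_VARIABLE_STRUCTURE_SIZE) return (int)i;
    return -1;
}

/* Constructed sample: three entries plus an all-zero terminator entry.
 * Addresses are placeholders in the kernel address range, not real handlers. */
size_t build_sample_table(uint8_t *buf, size_t cap) {
    const ext_method_dispatch_t sample[3] = {
        { 0xffffff8000001000ULL, 2, 0, 1, 0 },
        { 0xffffff8000002000ULL, 0, KIOUC_VARIABLE_STRUCTURE_SIZE, 0, 0 },
        { 0xffffff8000003000ULL, 1, 16, 0, KIOUC_VARIABLE_STRUCTURE_SIZE },
    };
    size_t need = 4 * DISPATCH_ENTRY_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    for (size_t i = 0; i < 3; i++) {
        uint8_t *e = buf + i * DISPATCH_ENTRY_SIZE;
        wr64(e, sample[i].function);
        wr32(e + 8, sample[i].checkScalarInputCount);
        wr32(e + 12, sample[i].checkStructureInputSize);
        wr32(e + 16, sample[i].checkScalarOutputCount);
        wr32(e + 20, sample[i].checkStructureOutputSize);
    }
    return need;
}

/* Convenience wrappers over the constructed sample. */
size_t sample_entry_count(void) {
    uint8_t buf[128]; ext_method_dispatch_t t[8];
    size_t len = build_sample_table(buf, sizeof buf);
    return parse_dispatch_table(buf, len, t, 8);
}
int sample_first_variable_selector(void) {
    uint8_t buf[128]; ext_method_dispatch_t t[8];
    size_t len = build_sample_table(buf, sizeof buf);
    return first_variable_input_selector(t, parse_dispatch_table(buf, len, t, 8));
}
uint32_t sample_struct_input_size(size_t sel) {
    uint8_t buf[128]; ext_method_dispatch_t t[8];
    size_t len = build_sample_table(buf, sizeof buf);
    size_t n = parse_dispatch_table(buf, len, t, 8);
    return sel < n ? t[sel].checkStructureInputSize : 0;
}

int main(void) {
    uint8_t buf[128]; ext_method_dispatch_t t[8];
    size_t n = parse_dispatch_table(buf, build_sample_table(buf, sizeof buf), t, 8);
    for (size_t i = 0; i < n; i++)
        printf("sel %zu: fn=%llx scalarIn=%u structIn=%#x scalarOut=%u structOut=%#x%s\n",
               i, (unsigned long long)t[i].function, t[i].checkScalarInputCount,
               t[i].checkStructureInputSize, t[i].checkScalarOutputCount,
               t[i].checkStructureOutputSize,
               t[i].checkStructureInputSize == KIOUC_VARIABLE_STRUCTURE_SIZE ? "  <- unchecked input" : "");
    return 0;
}
```

On a real KEXT the dump would come from the `__DATA`/`__const` section at the address the `externalMethod` override loads before calling `IOUserClient::externalMethod`; the "ugly" case on the earlier slide, where a driver overrides `getTargetAndMethodForIndex` and uses the older `IOExternalMethod` layout, has a different entry size and is not covered by this parser.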
Taught by
Hack In The Box Security Conference