Fuzzing at Mach Speed: Uncovering IPC Vulnerabilities on MacOS

Dive into an in-depth exploration of macOS Inter-Process Communication (IPC) security in this 53-minute conference talk from Nullcon Berlin 2024. Uncover the intricacies of Mach message handlers and their role in executing privileged RPC-like functions, potentially leading to sandbox escapes and privilege escalations. Examine macOS internals, focusing on Mach message calling, processing, data formats, and statefulness. Learn about the development and application of a custom fuzzing harness targeting IPC function handlers, designed to induce crashes indicative of memory corruption vulnerabilities. Analyze several generated crashes, including one with potential for remote code execution. Gain insights into the open-sourced Mach message corpus generation script and custom fuzzing harness, contributing to the cybersecurity community and paving the way for future research in this area.