good afternoon everybody welcome to the last day of Def Con 26 yeah and I'm assuming most of you are still waking up but this will be a really good presentation you wearing is going to be our young is going to be talking about attacking the Mac OS kernel graphics driver so please give him a hand and welcome him here hello everyone welcome to my presentation especially during a long time my name is Wang Yi from Dede research America what I I'd like to share with you today is related to Mac OS graphics driver vulnerability and max watts kernel security I started to pay attention to Mac OS kernel security last year including a kernel driver development bug hunting and vulnerability exploitation before that I prefer to study the Windows kernel security and Android Linux kernel root after entering the Mac OS kernel were last year I learned a lot of oil and kernel vulnerabilities and I pick it up four of them as a background for today the first case is from a MBA from Google PJ they are and the CV number is the CVE 2015 3 7 12 it's a media g-force driver arbitrary kernel memory write vulnerability this one err ability can eventually lead to code execution due to lack of input parameter validation and at here you can find a beauty [Music] the second water ability comes from Cisco Talos research team which is an on point the reference back it seems that the non pointing the reference type of vulnerability can be exploited two years ago which also means which also means that I'm late you can see that there's a for exploit code on the exploit abyss which is a good starting point for exploitation

research in the next case is from my

friend Chen Liang the text surface he choose is user mode graphics demon and he owns a punchy own game pong game with this vulnerability two years ago the user mode demon associated with the graphics library has certain permissions and they are usually accessible in the sandbox process and the logic of those demon is usually very complicated this condition determines that the demon our nature attack surface and you can get more detailed information from the right house the last is also from King lab the CV number is 2016 15 1850 it's a it's an Iowa accelerator family out of bounds Colonel maverick right a burner ability the graphics rendering engine is one of the hardest hit areas from adding operating system platform from the UK driver on Windows 2 to the Iowa accelerator family and colonel axe extension on math class those type of the type of those for one area military's ranged from non pointy reference type of free and use have afraid arbitrary kernel memory right Warner ability and also the Ranger form user mode to kernel mode this case has repeatedly reminded us that the graphic security cannot be not so therefore I decided to start my kernel Mac OS kernel research from here and part 2 r2 is from NTP SAT there are days when I decide to investigate the Apple graphic driver 1 durability last year I started my research from the POC samples from MBO such as 2017 2 4 4 3 and to 2017 2 4 8 9 the reason for choosing this example is that they are very easy to learn the logic of the Busic code is clear and the amount of the code is less than 100 we can take a to the first one the the 2 4 4 3 s example 2 4 4 3 is a arbitrary code execution 1 derivative as you can say the target of the POS a is in here every client can show as a it's an emerald number one in green color and the input selector here it's a number 3 in blue color I think this Factory is a 291 new hacks format and then the only thing we need to do is fill the input buffer with random garbage data it's a neighboring red color so justice so I sink for the security research community each of us we are think about how to start a new round of kernel code auditing from here after I had this idea well my friend told me that starting from here might be a waste of time because the binary has already carefully examined by Google pages era this reminds me of my Windows kernel phone scooter engine 1 or ability presentation at blackhat USA four years ago at that time juror from Google preview 0 a large number of kernel phones skater vulnerabilities but I can still find a new find new kernel double fetch the other days in the code that has been audited such as CVE 2015 1 I 1 8 1 9 so this time I still want to give it a try but but then I began to feel that my friend was probably right my fasting too didn't have any valid it's out food on the first day and and even the break points I studied in Mac OS kernel didn't trigger fortunately for me I didn't give up at that time otherwise I don't think we will meet today when I analysis the root cause I found at least three problems hidden the work of my filing system without first serving these problems the whole system we have become very efficient efficient there are yeah there are three obstacles the first one is a target selection and second one is this a few driver protection and third one is unremarkable selectors let me discuss it it's indeed held first target selection they are we are many different targets on the Mac OS system from kernel extension to internal classes and we mentioned before in QRF we client control it's just one of the very small branch of the graphics kernel I list the some of the target drivers here they are a lot from AMD to Nvidia to Intel and also of our family drivers it's a MD Inca is like mini pot driver and and the family driver is a more general driver kernel driver and I think as a professional security researcher we should not miss any possibility and next one is most more important a seventh obstacle is a few driver before targeting the target wife's driver they are you roll a few drivers that protected them which can cause our fuzzing tour 2002 and the effective loop these units figure we can see that before touching the graphics driver apple intel freeing buffer also future driver apple graphics device can show is defining against a malicious input for the graphics driver here is the filter driver in right line and the green lies it's a graphics driver itself most

specifically in this example selector 707 represents half piece at EDID and Kosmo namely in the filter driver here and here if the input buffer lens is not equal to four zero eight bytes all fuzzing attempts for the interface are meaningless this means that if we only rely on the static analysis of the target driver and then view the funding process it's obviously not enough we need to consider the entire architecture of the graphics driver set otherwise we are just wasting our time the third obstacle is all remarkable selectors after actually getting to the target driver I found that there are still some hidden Kaneko's or sectors and I found they are also observed the country code contributed a fact the if in fashion see of the passing system indeed this control code are important because they are the key to open the door to another word meaning that there are a lot of unknown code behind their doors the stores after extracted all the validated control codes with ID script last year I found at least one such key this eight zero zero zero zero and some random data

as you can see after entering the corresponding handler there's another word hidden there and after taking after taking so upset takings there are small cerise most apps things quickly become clear and I found a lot of problems in just one day let me show share some examples miss you the

first the first one is a unpatched lock of henyk caused by a division by zero error but be aware that the route cars behind this arrow is is a out-of-bounds read access to the input buffer it's a it's a division by zero register R tau R tau is 0 and a kids - Kris - is

a is an impaired local panic caused by an OnPoint dereference when the root cause of the problem is that the driver incorrectly in utilized and the dereference variable adhere RSI register is 0 and offset is 370 next case is a

kernel stack that base the buffalo owner ability as you can see here this stack overflow vulnerability is mitigated by step cookie so in order to explore this case we need to have a we need to have the kernel arbitrary memory reading capability what initially I quickly found one CVT 2017 one sorcery 8/3 a combined with two owner abilities become bypasses their cookie protection and can kernel arbitrary code execution capability but you arbitrary code no memory reading I think colonel arbitrary memory of writing capability is often what we really want and here is the example CVID seven one five five and through it I find more cases such as CV 2017 seven 163 let's take the that takes this one as an example to discuss the kernel arbitrary memory write warner ability the root cause of this vulnerability is that freeing buffer driver lack lacks input validation and sanitization

and as you can see here this instruction Oh this more this instruction new EDX to our ax plus RSI this instruction is going to write value in our the EDX to offset of to the offset of re X plus RSI and re X adhere it's a piece address of a kernel object is it and we can lock it through the arbitrary kernel memory read vulnerability and we can confuse that yes I register at here it's all a we can confuse this register this means that we can confuse a target memory address of arbitrary right primitive and then we can fully confuse it are the edx register adhere edx is or controlled by attacker this means that we can can choose a value to be right in the bob conditions are perfect to achieve arbitrary memory arbitrary memory right arbitrary values so in my opinion the quality of this vulnerability is very good yeah but I still choose to report it to Apple last year yeah yeah because I'm not using my lob laptop I'm unable to only one who makes the demonstration yeah I didn't take the radio for it but trust me this type of demo is boring just wrong the exploit and pop up with share and and and the quality of this because the quality of this vulnerability is pretty pretty good so it's very easy to write x 4 x sy code for this I think you can give it a try the first part is uh yeah yes yeah and then from there NDP OC to 0 the next part I think is more interesting a chemo framework and and other projects I I did last year last year one of my task was to build a kernel monitoring system for our DLP project data leakage prevention and project and when I went to study the existing kernel monitoring this I have found that the building monitoring mechanisms were not very friendly for a third-party development specifically they are to building monitoring mechanisms available in subsystem and mandatory access control policy subsystem but the bad news is is that they are not suitable for the current security related kernel development tasks as a kernel authorization subsystem was introduced in the Mac OS 10 point for tagger kernel in 2005 and probably know is that this callback interface lack the necessary maintenance and have not been upgraded for about 13 years yeah for for the scope file operation number 2 for the file operation listener they are only in 7 file operation related callbacks available I think which is not which is obviously not enough they are only a file open close delayed read write rename exchange and quick process but I think this is obvious not enough and for for the operation by operation listeners they are unable to block any file operations are just notification just notification is unacceptable say I will be detected ransomware and we can Odin watch it and we cannot block it so if my endpoint security solution is this I think my boss might find me and for some specific callbacks the input parameter often lack critical contacts the information for example for quit process callback handler the input parameter is missing command line information is very important to us and in the fire operation callback handler we cannot distinguish between new file creation and open existing it's also important to us and for we know the listeners not every file system operation triggers and authorization request this means that our monitor can be bypassed is also not acceptable yeah compared with kernel saturation subsystem manager access control framework has a series of more granular callback interface which are introduced in current into kernel from math class 10.5 yeah 10.5 however Apple quickly and sir parties from using this interface and the client yet that this interface were not part of the KPI KPI Stratfor kernel programming to this this means that mandatory access control framework is totally private yeah we cannot use that interface but if you really want to use adding the facing kernel this since we are all convex nation we have permission to lock it the target function in kernel and and then invoke it yeah if you really want to use the interface in kernel I think you will meet the following capability compatibility issues I reviewed almost all the kernel open-source code about Mac policy and I found this one the following cases the case one Chris one shows that the interface were dilated or replaced replace that directly by colonel this is unacceptable because the the feature disappeared this fear directly it can't I I cannot accept this and case to case two shows that particles and the input parameters were changed directly it's also unacceptable because my driver will panic you cannot add a parameter directly into the prototype right and

case three shows that in the face worse insert it into the middle of the dispatch table yeah my driver will will panic too you know and here's the case

for the interface has been rewriting but forgot to up the policy version number so my point is that as a third-party developer we have to use this mechanism very very carefully and in order to bring on some changes I'd like to introduce you to chemo open source and open source pre and post callback based a framework for Mac OS kernel monitoring since there's no card or similar kernel subtraction subsystem I build the pre and post operation callback interface based on my kernel in logic engine by using this framework I can add new features to any function I care about the the the basic idea of the pre and post operation callback architecture is actually supported from - colonel-general speaking things a pre callback handler I can feel the input parameters and in the post callback handler I can reset the functions return value if you need it I have two examples here the first one is it's a credential

monitor our current central firewall you know I know there's there are similar functions in mac metrics as contra policy mechanism but i still want to use my own master to achieve it again as can be seen here the first lie is a pre callback handler and in the pre handler I can feel the input parameters it is small such as I can get the UID I can get PID parent ID and the kernel extension name is calm thought man innate thought monitor and the past and also version number module base and a module motor sites yeah in this case I use a five man in it - are it's named monitor dot APB as an example the reason it is just because it contains the driver and we load that driver into kernel this is true yeah and things opposed to callback handler I in the pre come back under here by using a disassembled to search the endpoint of the target driver and I can patch the driver and the point so as can be seen here the driver failed to load and then the post callback handler I can reset the function return value if needed

but not a more interesting example in the mandatory access control policy is a mandatory access control policy monitor so are you rendered rendered about which module in the system use the mandatory access control policy and which policy said to the use I think here is the answer as as can be seeing the first one I talked from colonel is amfi MFI is short for air Palmer file integrity and it's all handlers of this module including basic as a module of set and policy name yeah that's a can be CMMI and this one's the sandbox Mac sandbox registered a large number of Mac policies yeah the the tricky part of this feature is how to get a mutex lock I mean we need to hold the lock before accessing kernel data structures but the policy lock policy mutex lock is not exported the fortunately I found a finally found a way to to lock that that's a mutex lock and they you will you can reveal my code form for more information and the addition to

numerating and monitoring manual access into policy caiman can also block or hendrik arbitrary hundreds if needed in this case i still use the fireman in it store monitored a PPS an example the reason is this true or will try to register five it may say callbacks the first one is is for process monitoring seven life for dynamic library monitoring and serve lines for keyboard monitoring and the it's a fire operation last one is a canoe extension and the kimmm camp blocks they also request here's the example

yeah demo I demonstrated demonstrated this at blackhat arson or so it is a girl and I didn't make the video voice yeah but but don't worry talk is cheap show me the color right definitely I realized all my source code yeah please check out my source code for more detailed information in addition to the to application of all I also implement a cutting heifer by using by using camo framework I call it paper cheaper can randomly inject arrows assists in recording the input and call stacks of the graphics driver for me this features are very helpful as can be seen here I I you know hook the anchor I have weak client control to attributes and and this is my tour a Slattery's is a random and input data is it's also random and and this figure

shows that the input data is is a random data and I can do bit flipping here actually I also implement another to a lot of project for monitoring IPC community I could be say communication okay okay yeah last part last part is a discussion of the earth days and Mac OS kernel protection um first let me show you a graphics driver related our day I have a simple demo this system has all the system patches in store [Music] and after running my poz let's do some crushed and here is the caustic information it's a heap overwrite vulnerability and the panic cost actuals that it's a victim shred this victims route is accessing the corrupted heap and and this is another crash crash red

in fact they are all victims of the vulnerability because shred our crops the heap is not years and the root cause

of this vulnerability is the following piece of code let me give you some background on this code the input in the yellow color the input is the length of my include change data and the lens of the ink should be a multiple of ten and all members are in hex the format should be a marker of ten and the general logic of this code is that it processed one round every ten bytes if the final length is less than ten adhere if the final lens is less than ten the code breaks the loop so can you find the body in this code I find the bug manually yes the problem comes from this subtraction operation if the input power lens is greater than 10 this code is fine but but if the the buffer sites are positing is lesson 10 you can see here less than 10 this subtraction will cause a total flaw and then the memory copy here at here with this choice a chastened keep and I submitted this vulnerability to Apple security is this week and I also met them this morning yeah I'm sure the vulnerability will be fixed the suit and to protect against as

a threat from the graphics drivers I did some extra work based on the chemo framework by using the kernel unity engine I hooked up some key functions of graphics driver such as two attributes interface as can be saying in those handlers I can future the opening and setting operations of untrusted domain the untrusted domain is my graphics further process so which means I can reject some malicious request by the way I'm very much hope that Apple can add the similar functionality to kernels through the manual access control policy and our dtrace interface yeah it's

almost my presentation we discussed the bug hunting zeirdo zero day vulnerabilities and came on open source project I also mentioned third party kernel protection and medication I released all the source code please check it for for more detailed information yeah that's it thank you guys [Applause]