In last year's POC, I presented KidFuzzer, which revealed numerous bugs in IOKit Drivers. Following redesign and development, I'm excited to introduce KidFuzzerV2.0, which includes an innovative Driver collection method that could expand driver attack surfaces by 95%. Then I will demonstrate how to do the lateral migration with the "Backward Fuzzing" idea in Apple Kernel space and discuss the bugs found in XNU kernel, IOKit Drivers, and various firmwares, including DCP/SEP/AOP, etc.
This presentation would first do a quick review of the attack surfaces and mitigations in Apple Kernel space as well as my ideas towards future trend. Next, it will discuss the new design and how it extracts abstract patterns from several public and unpublic Apple N-day bugs. The abstract patterns will then be converted to "Backward Fuzzing" and applied to iPhone/SRD/M1/Intel devices, resulting in the discovery of over 50 bugs, including XNU kernel, Apple Drivers, and Co-processor firmwares such as DCP/SEP/AOP. These efforts have already yielded more than ten assigned CVEs, such as CVE-2023-28187/CVE-2023-28186/CVE-2023-28185/CVE-2023-28184/CVE-2023-23502/CVE-2023-23501/CVE-2023-23500/CVE-2022-42854/CVE-2022-42833/CVE-2022-42820/CVE-2022-32916, with others currently in progress.
Additionally, this talk will dive into the details of several unpublic bugs found in XNU/Drivers/Co-processor firmwares and an intriguing flaw pattern in Apple Drivers, which existed for 20 years and resulted in more than 20 kernel infoleak bugs.
Zhenpeng Pan(@Peterpan0927) is a security researcher at STAR LABS SG, focusing on iOS/macOS/Web bug hunting and exploitation. He used to work in Alibaba Security Pandora Lab and Qihoo 360 Nirvan Team. He was a speaker of Zer0Con2021 and POC2022