This research presents a deep dive into macOS Inter-Process Communication (IPC) security, focusing on the often-overlooked attack surface of Mach message handlers. These handlers are commonly used by system daemons to expose privileged, RPC-like functionality—and their complexity creates opportunities for sandbox escapes and local privilege escalation.
In this talk, I’ll share how I used structured fuzzing to uncover vulnerabilities in these message handlers, specifically targeting the `coreaudiod` system daemon. Central to this effort is a technique I call *API call chaining*—a powerful way to guide coverage-based fuzzers through complex, stateful API interactions.
Using a custom-built fuzzing harness, dynamic instrumentation, and a combination of static and runtime analysis, I discovered several security issues—including a high-impact memory corruption vulnerability. I’ll walk through the full exploitation process I developed to turn this bug into a sandbox escape on modern macOS.
Along the way, I’ll discuss the key challenges I faced, such as properly initializing the CoreAudio subsystem, mocking unstable components, and building a targeted grammar to drive deeper fuzzing coverage.
Finally, I’ll introduce the open-source fuzzing harness and tools I developed during this research, aimed at making IPC-focused fuzzing on macOS more accessible to the security community.
Dillon Franke is a seasoned security researcher with a track record of uncovering high-impact vulnerabilities in complex systems. Throughout his career, Dillon has focused on identifying and exploiting weaknesses in widely used products, working closely with organizations across various industries to improve their security posture and protect against emerging threats. His work has been featured in numerous industry publications and news outlets, and he has spoken at major security conferences around the world, including Black Hat Arsenal, TROOPERS, CanSecWest, NullCon, and the Qualcomm Product Security Summit.
In his current role as a Senior Security Engineer at Google, Dillon continues to perform cutting-edge application security research and release open-source tools. He is passionate about sharing his knowledge with others and inspiring the next generation of security professionals to take up the mantle and continue the fight for a safer, more secure online world.