XNU is an operating system developed by Apple. Several parts of this ecosystem are open source, making it nice for vulnerability research.
While Ian Beer was auditing code, he was looking for code with strange or unexpected semantics, including obscure failure cases. While reviewing the function ipc_port_copy_send, he noticed interesting return cases that callers may not check.
In the context of XNU ports, there are 4 possible states for ports that can be sent to this function: IP_NULL, IP_DEAD, a dead port and a live port. If you send a dead port in, the function returns the error value IP_DEAD, and the calling code needs to check for it. Since the reference count is not incremented in that case, the error handling is extremely important.
If the function is called without the return value being validated, the reference count may not be updated. The author found a code path with just this at ipc_right_copyin_two! What happens when there is a desync in reference counting? A use-after-free, since a pointer to the object is still in use while the object could be freed at any point.
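The unchecked-return pattern described above, as an added example that is not code from XNU or from Ian Beer's writeup. It is a simplified model: every toy_ and TOY_ name is hypothetical, and "freed" is a flag rather than a real free so the desync can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT XNU source. Every toy_ / TOY_ name is hypothetical. */
struct toy_port { int refs; bool active; bool freed; };

/* Sentinel error value playing the role of IP_DEAD. */
#define TOY_DEAD ((struct toy_port *)~(uintptr_t)0)

/* Takes a reference only for a live port; a dead port yields the sentinel
 * and the count is left untouched. */
static struct toy_port *toy_copy_send(struct toy_port *p) {
    if (p == NULL) return NULL;
    if (!p->active) return TOY_DEAD;
    p->refs++;
    return p;
}

static void toy_release(struct toy_port *p) {
    if (--p->refs == 0) p->freed = true;  /* a real kernel would free here */
}

/* Unchecked caller: ignores the result, then drops a reference it assumes it holds. */
static void caller_unchecked(struct toy_port *p) {
    (void)toy_copy_send(p);
    toy_release(p);
}

/* Checked caller: releases only a reference that was actually taken. */
static void caller_checked(struct toy_port *p) {
    struct toy_port *r = toy_copy_send(p);
    if (r == NULL || r == TOY_DEAD) return;
    toy_release(r);
}

/* Another holder owns the single starting reference. Returns 1 if the port
 * is marked freed while that holder still has its pointer. */
static int holder_dangles(void (*caller)(struct toy_port *), bool active) {
    struct toy_port port = { .refs = 1, .active = active, .freed = false };
    caller(&port);
    return port.freed ? 1 : 0;
}

int main(void) {
    printf("unchecked, dead port: dangling=%d\n", holder_dangles(caller_unchecked, false));
    printf("checked,   dead port: dangling=%d\n", holder_dangles(caller_checked, false));
    return 0;
}
```

With a live port both callers balance their own reference; only the unchecked caller on a dead port drops the count to zero while the other holder still has its pointer.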
Ian Beer comments on the mitigations added to the system, such as pointer authentication (PAC), heap allocation randomization and validation to make port faking with UAFs harder. To Apple, the name of the game is overarching mitigations instead of writing secure code.
There is a discussion on the exploitability as well. A large chunk of the discussion appears to be about bypassing the mechanisms put in place by Apple to make exploitation harder. This is over my head but would be worth reading if you are into iOS or macOS exploitation.