<!DOCTYPE html> <html class='v2' dir='ltr' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'> <head> <link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/> <meta content='width=1100' name='viewport'/> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://googleprojectzero.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://googleprojectzero.blogspot.com/2014/11/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Project Zero - Atom" href="https://googleprojectzero.blogspot.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Project Zero - RSS" href="https://googleprojectzero.blogspot.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Project Zero - Atom" href="https://www.blogger.com/feeds/4838136820032157985/posts/default" /> <!--Can't find substitution for tag [blog.ieCssRetrofitLinks]--> <meta content='https://googleprojectzero.blogspot.com/2014/11/' property='og:url'/> <meta content='Project Zero' property='og:title'/> <meta content='News and updates from the Project Zero team at Google' property='og:description'/> <title>Project Zero: November 2014</title> <style type='text/css'>@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;font-stretch:normal;font-display:swap;src:url(//fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY.eot);}</style> <style id='page-skin-1' type='text/css'><!-- /* ----------------------------------------------- Blogger Template Style Name: Simple Designer: Blogger URL: www.blogger.com ----------------------------------------------- */ /* Variable definitions 
==================== <Variable name="keycolor" description="Main Color" type="color" default="#66bbdd"/> <Group description="Page Text" selector="body"> <Variable name="body.font" description="Font" type="font" default="normal normal 12px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="body.text.color" description="Text Color" type="color" default="#222222"/> </Group> <Group description="Backgrounds" selector=".body-fauxcolumns-outer"> <Variable name="body.background.color" description="Outer Background" type="color" default="#66bbdd"/> <Variable name="content.background.color" description="Main Background" type="color" default="#ffffff"/> <Variable name="header.background.color" description="Header Background" type="color" default="transparent"/> </Group> <Group description="Links" selector=".main-outer"> <Variable name="link.color" description="Link Color" type="color" default="#2288bb"/> <Variable name="link.visited.color" description="Visited Color" type="color" default="#888888"/> <Variable name="link.hover.color" description="Hover Color" type="color" default="#33aaff"/> </Group> <Group description="Blog Title" selector=".header h1"> <Variable name="header.font" description="Font" type="font" default="normal normal 60px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="header.text.color" description="Title Color" type="color" default="#3399bb" /> </Group> <Group description="Blog Description" selector=".header .description"> <Variable name="description.text.color" description="Description Color" type="color" default="#777777" /> </Group> <Group description="Tabs Text" selector=".tabs-inner .widget li a"> <Variable name="tabs.font" description="Font" type="font" default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="tabs.text.color" description="Text Color" type="color" default="#999999"/> <Variable name="tabs.selected.text.color" description="Selected Color" type="color" 
default="#000000"/> </Group> <Group description="Tabs Background" selector=".tabs-outer .PageList"> <Variable name="tabs.background.color" description="Background Color" type="color" default="#f5f5f5"/> <Variable name="tabs.selected.background.color" description="Selected Color" type="color" default="#eeeeee"/> </Group> <Group description="Post Title" selector="h3.post-title, .comments h4"> <Variable name="post.title.font" description="Font" type="font" default="normal normal 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> </Group> <Group description="Date Header" selector=".date-header"> <Variable name="date.header.color" description="Text Color" type="color" default="#000000"/> <Variable name="date.header.background.color" description="Background Color" type="color" default="transparent"/> <Variable name="date.header.font" description="Text Font" type="font" default="normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="date.header.padding" description="Date Header Padding" type="string" default="inherit"/> <Variable name="date.header.letterspacing" description="Date Header Letter Spacing" type="string" default="inherit"/> <Variable name="date.header.margin" description="Date Header Margin" type="string" default="inherit"/> </Group> <Group description="Post Footer" selector=".post-footer"> <Variable name="post.footer.text.color" description="Text Color" type="color" default="#666666"/> <Variable name="post.footer.background.color" description="Background Color" type="color" default="#f9f9f9"/> <Variable name="post.footer.border.color" description="Shadow Color" type="color" default="#eeeeee"/> </Group> <Group description="Gadgets" selector="h2"> <Variable name="widget.title.font" description="Title Font" type="font" default="normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="widget.title.text.color" description="Title Color" type="color" default="#000000"/> <Variable 
name="widget.alternate.text.color" description="Alternate Color" type="color" default="#999999"/> </Group> <Group description="Images" selector=".main-inner"> <Variable name="image.background.color" description="Background Color" type="color" default="#ffffff"/> <Variable name="image.border.color" description="Border Color" type="color" default="#eeeeee"/> <Variable name="image.text.color" description="Caption Text Color" type="color" default="#000000"/> </Group> <Group description="Accents" selector=".content-inner"> <Variable name="body.rule.color" description="Separator Line Color" type="color" default="#eeeeee"/> <Variable name="tabs.border.color" description="Tabs Border Color" type="color" default="transparent"/> </Group> <Variable name="body.background" description="Body Background" type="background" color="#eeeeee" default="$(color) none repeat scroll top left"/> <Variable name="body.background.override" description="Body Background Override" type="string" default=""/> <Variable name="body.background.gradient.cap" description="Body Gradient Cap" type="url" default="url(https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)"/> <Variable name="body.background.gradient.tile" description="Body Gradient Tile" type="url" default="url(https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)"/> <Variable name="content.background.color.selector" description="Content Background Color Selector" type="string" default=".content-inner"/> <Variable name="content.padding" description="Content Padding" type="length" default="10px" min="0" max="100px"/> <Variable name="content.padding.horizontal" description="Content Horizontal Padding" type="length" default="10px" min="0" max="100px"/> <Variable name="content.shadow.spread" description="Content Shadow Spread" type="length" default="40px" min="0" max="100px"/> <Variable name="content.shadow.spread.webkit" description="Content Shadow Spread (WebKit)" type="length" 
default="5px" min="0" max="100px"/> <Variable name="content.shadow.spread.ie" description="Content Shadow Spread (IE)" type="length" default="10px" min="0" max="100px"/> <Variable name="main.border.width" description="Main Border Width" type="length" default="0" min="0" max="10px"/> <Variable name="header.background.gradient" description="Header Gradient" type="url" default="none"/> <Variable name="header.shadow.offset.left" description="Header Shadow Offset Left" type="length" default="-1px" min="-50px" max="50px"/> <Variable name="header.shadow.offset.top" description="Header Shadow Offset Top" type="length" default="-1px" min="-50px" max="50px"/> <Variable name="header.shadow.spread" description="Header Shadow Spread" type="length" default="1px" min="0" max="100px"/> <Variable name="header.padding" description="Header Padding" type="length" default="30px" min="0" max="100px"/> <Variable name="header.border.size" description="Header Border Size" type="length" default="1px" min="0" max="10px"/> <Variable name="header.bottom.border.size" description="Header Bottom Border Size" type="length" default="1px" min="0" max="10px"/> <Variable name="header.border.horizontalsize" description="Header Horizontal Border Size" type="length" default="0" min="0" max="10px"/> <Variable name="description.text.size" description="Description Text Size" type="string" default="140%"/> <Variable name="tabs.margin.top" description="Tabs Margin Top" type="length" default="0" min="0" max="100px"/> <Variable name="tabs.margin.side" description="Tabs Side Margin" type="length" default="30px" min="0" max="100px"/> <Variable name="tabs.background.gradient" description="Tabs Background Gradient" type="url" default="url(https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)"/> <Variable name="tabs.border.width" description="Tabs Border Width" type="length" default="1px" min="0" max="10px"/> <Variable name="tabs.bevel.border.width" description="Tabs Bevel Border Width" 
type="length" default="1px" min="0" max="10px"/> <Variable name="post.margin.bottom" description="Post Bottom Margin" type="length" default="25px" min="0" max="100px"/> <Variable name="image.border.small.size" description="Image Border Small Size" type="length" default="2px" min="0" max="10px"/> <Variable name="image.border.large.size" description="Image Border Large Size" type="length" default="5px" min="0" max="10px"/> <Variable name="page.width.selector" description="Page Width Selector" type="string" default=".region-inner"/> <Variable name="page.width" description="Page Width" type="string" default="auto"/> <Variable name="main.section.margin" description="Main Section Margin" type="length" default="15px" min="0" max="100px"/> <Variable name="main.padding" description="Main Padding" type="length" default="15px" min="0" max="100px"/> <Variable name="main.padding.top" description="Main Padding Top" type="length" default="30px" min="0" max="100px"/> <Variable name="main.padding.bottom" description="Main Padding Bottom" type="length" default="30px" min="0" max="100px"/> <Variable name="paging.background" color="#ffffff" description="Background of blog paging area" type="background" default="transparent none no-repeat scroll top center"/> <Variable name="footer.bevel" description="Bevel border length of footer" type="length" default="0" min="0" max="10px"/> <Variable name="mobile.background.overlay" description="Mobile Background Overlay" type="string" default="transparent none repeat scroll top left"/> <Variable name="mobile.background.size" description="Mobile Background Size" type="string" default="auto"/> <Variable name="mobile.button.color" description="Mobile Button Color" type="color" default="#ffffff" /> <Variable name="startSide" description="Side where text starts in blog language" type="automatic" default="left"/> <Variable name="endSide" description="Side where text ends in blog language" type="automatic" default="right"/> */ /* Content 
----------------------------------------------- */ body { font: normal normal 12px Open Sans; color: #000000; background: #eeeeee none repeat scroll top left; padding: 0 0 0 0; } html body .region-inner { min-width: 0; max-width: 100%; width: auto; } h2 { font-size: 22px; } a:link { text-decoration:none; color: #2288bb; } a:visited { text-decoration:none; color: #888888; } a:hover { text-decoration:underline; color: #33aaff; } .body-fauxcolumn-outer .fauxcolumn-inner { background: transparent none repeat scroll top left; _background-image: none; } .body-fauxcolumn-outer .cap-top { position: absolute; z-index: 1; height: 400px; width: 100%; } .body-fauxcolumn-outer .cap-top .cap-left { width: 100%; background: transparent none repeat-x scroll top left; _background-image: none; } .content-outer { -moz-box-shadow: 0 0 0 rgba(0, 0, 0, .15); -webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .15); -goog-ms-box-shadow: 0 0 0 #333333; box-shadow: 0 0 0 rgba(0, 0, 0, .15); margin-bottom: 1px; } .content-inner { padding: 10px 40px; } .content-inner { background-color: #ffffff; } /* Header ----------------------------------------------- */ .header-outer { background: transparent none repeat-x scroll 0 -400px; _background-image: none; } .Header h1 { font: normal normal 40px Open Sans; color: #000000; text-shadow: 0 0 0 rgba(0, 0, 0, .2); } .Header h1 a { color: #000000; } .Header .description { font-size: 18px; color: #000000; } .header-inner .Header .titlewrapper { padding: 22px 0; } .header-inner .Header .descriptionwrapper { padding: 0 0; } /* Tabs ----------------------------------------------- */ .tabs-inner .section:first-child { border-top: 0 solid #dddddd; } .tabs-inner .section:first-child ul { margin-top: -1px; border-top: 1px solid #dddddd; border-left: 1px solid #dddddd; border-right: 1px solid #dddddd; } .tabs-inner .widget ul { background: transparent none repeat-x scroll 0 -800px; _background-image: none; border-bottom: 1px solid #dddddd; margin-top: 0; margin-left: 
-30px; margin-right: -30px; } .tabs-inner .widget li a { display: inline-block; padding: .6em 1em; font: normal normal 12px Open Sans; color: #000000; border-left: 1px solid #ffffff; border-right: 1px solid #dddddd; } .tabs-inner .widget li:first-child a { border-left: none; } .tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover { color: #000000; background-color: #eeeeee; text-decoration: none; } /* Columns ----------------------------------------------- */ .main-outer { border-top: 0 solid transparent; } .fauxcolumn-left-outer .fauxcolumn-inner { border-right: 1px solid transparent; } .fauxcolumn-right-outer .fauxcolumn-inner { border-left: 1px solid transparent; } /* Headings ----------------------------------------------- */ div.widget > h2, div.widget h2.title { margin: 0 0 1em 0; font: normal bold 11px 'Trebuchet MS',Trebuchet,Verdana,sans-serif; color: #000000; } /* Widgets ----------------------------------------------- */ .widget .zippy { color: #999999; text-shadow: 2px 2px 1px rgba(0, 0, 0, .1); } .widget .popular-posts ul { list-style: none; } /* Posts ----------------------------------------------- */ h2.date-header { font: normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif; } .date-header span { background-color: #bbbbbb; color: #ffffff; padding: 0.4em; letter-spacing: 3px; margin: inherit; } .main-inner { padding-top: 35px; padding-bottom: 65px; } .main-inner .column-center-inner { padding: 0 0; } .main-inner .column-center-inner .section { margin: 0 1em; } .post { margin: 0 0 45px 0; } h3.post-title, .comments h4 { font: normal normal 22px Open Sans; margin: .75em 0 0; } .post-body { font-size: 110%; line-height: 1.4; position: relative; } .post-body img, .post-body .tr-caption-container, .Profile img, .Image img, .BlogList .item-thumbnail img { padding: 2px; background: #ffffff; border: 1px solid #eeeeee; -moz-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1); -webkit-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1); box-shadow: 1px 1px 
5px rgba(0, 0, 0, .1); } .post-body img, .post-body .tr-caption-container { padding: 5px; } .post-body .tr-caption-container { color: #666666; } .post-body .tr-caption-container img { padding: 0; background: transparent; border: none; -moz-box-shadow: 0 0 0 rgba(0, 0, 0, .1); -webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .1); box-shadow: 0 0 0 rgba(0, 0, 0, .1); } .post-header { margin: 0 0 1.5em; line-height: 1.6; font-size: 90%; } .post-footer { margin: 20px -2px 0; padding: 5px 10px; color: #666666; background-color: #eeeeee; border-bottom: 1px solid #eeeeee; line-height: 1.6; font-size: 90%; } #comments .comment-author { padding-top: 1.5em; border-top: 1px solid transparent; background-position: 0 1.5em; } #comments .comment-author:first-child { padding-top: 0; border-top: none; } .avatar-image-container { margin: .2em 0 0; } #comments .avatar-image-container img { border: 1px solid #eeeeee; } /* Comments ----------------------------------------------- */ .comments .comments-content .icon.blog-author { background-repeat: no-repeat; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAYAAABWzo5XAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEgAACxIB0t1+/AAAAAd0SU1FB9sLFwMeCjjhcOMAAAD+SURBVDjLtZSvTgNBEIe/WRRnm3U8RC1neQdsm1zSBIU9VVF1FkUguQQsD9ITmD7ECZIJSE4OZo9stoVjC/zc7ky+zH9hXwVwDpTAWWLrgS3QAe8AZgaAJI5zYAmc8r0G4AHYHQKVwII8PZrZFsBFkeRCABYiMh9BRUhnSkPTNCtVXYXURi1FpBDgArj8QU1eVXUzfnjv7yP7kwu1mYrkWlU33vs1QNu2qU8pwN0UpKoqokjWwCztrMuBhEhmh8bD5UDqur75asbcX0BGUB9/HAMB+r32hznJgXy2v0sGLBcyAJ1EK3LFcbo1s91JeLwAbwGYu7TP/3ZGfnXYPgAVNngtqatUNgAAAABJRU5ErkJggg==); } .comments .comments-content .loadmore a { border-top: 1px solid #999999; border-bottom: 1px solid #999999; } .comments .comment-thread.inline-thread { background-color: #eeeeee; } .comments .continue { border-top: 2px solid #999999; } /* Accents ---------------------------------------------- */ .section-columns td.columns-cell { border-left: 1px solid transparent; } .blog-pager { 
background: transparent url(//www.blogblog.com/1kt/simple/paging_dot.png) repeat-x scroll top center; } .blog-pager-older-link, .home-link, .blog-pager-newer-link { background-color: #ffffff; padding: 5px; } .footer-outer { border-top: 1px dashed #bbbbbb; } /* Mobile ----------------------------------------------- */ body.mobile { background-size: auto; } .mobile .body-fauxcolumn-outer { background: transparent none repeat scroll top left; } .mobile .body-fauxcolumn-outer .cap-top { background-size: 100% auto; } .mobile .content-outer { -webkit-box-shadow: 0 0 3px rgba(0, 0, 0, .15); box-shadow: 0 0 3px rgba(0, 0, 0, .15); } .mobile .tabs-inner .widget ul { margin-left: 0; margin-right: 0; } .mobile .post { margin: 0; } .mobile .main-inner .column-center-inner .section { margin: 0; } .mobile .date-header span { padding: 0.1em 10px; margin: 0 -10px; } .mobile h3.post-title { margin: 0; } .mobile .blog-pager { background: transparent none no-repeat scroll top center; } .mobile .footer-outer { border-top: none; } .mobile .main-inner, .mobile .footer-inner { background-color: #ffffff; } .mobile-index-contents { color: #000000; } .mobile-link-button { background-color: #2288bb; } .mobile-link-button a:link, .mobile-link-button a:visited { color: #ffffff; } .mobile .tabs-inner .section:first-child { border-top: none; } .mobile .tabs-inner .PageList .widget-content { background-color: #eeeeee; color: #000000; border-top: 1px solid #dddddd; border-bottom: 1px solid #dddddd; } .mobile .tabs-inner .PageList .widget-content .pagelist-arrow { border-left: 1px solid #dddddd; } --></style> <style id='template-skin-1' type='text/css'><!-- body { min-width: 1120px; } .content-outer, .content-fauxcolumn-outer, .region-inner { min-width: 1120px; max-width: 1120px; _width: 1120px; } .main-inner .columns { padding-left: 0; padding-right: 310px; } .main-inner .fauxcolumn-center-outer { left: 0; right: 310px; /* IE6 does not respect left and right together */ _width: 
expression(this.parentNode.offsetWidth - parseInt("0") - parseInt("310px") + 'px'); } .main-inner .fauxcolumn-left-outer { width: 0; } .main-inner .fauxcolumn-right-outer { width: 310px; } .main-inner .column-left-outer { width: 0; right: 100%; margin-left: -0; } .main-inner .column-right-outer { width: 310px; margin-right: -310px; } #layout { min-width: 0; } #layout .content-outer { min-width: 0; width: 800px; } #layout .region-inner { min-width: 0; width: auto; } body#layout div.add_widget { padding: 8px; } body#layout div.add_widget a { margin-left: 32px; } --></style> <!-- NOTE(review): inline analytics bootstrap. This inline script, the inline onload handler on the stylesheet link below, and the two inline navbar scripts in the body carry no nonce or hash, so a strict script-src CSP cannot be applied to this page as served. --> <script type='text/javascript'> /* Standard analytics.js loader: defines window.ga as a command queue, then injects the analytics script asynchronously before the first existing script element. */ (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-240546891-1', 'auto', 'blogger'); ga('blogger.send', 'pageview'); </script> <!-- NOTE(review): the onload attribute below contains unescaped nested single quotes as extracted here, which makes the attribute value end early; the served template presumably used character references for the inner quotes (TODO confirm against the live markup). The noscript fallback loads the same stylesheet without the media switch. --> <link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4838136820032157985&zx=89189630-7e30-43b5-91d3-8fdab32d43bc' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4838136820032157985&zx=89189630-7e30-43b5-91d3-8fdab32d43bc' rel='stylesheet'/></noscript> <meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/> <meta name='google-adsense-platform-domain' content='blogspot.com'/> </head> <body class='loading'> <div class='navbar section' id='navbar' name='Navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript"> /* Sets object[attribute] = val once the window 'load' event fires; falls back to attachEvent on browsers that lack addEventListener. No caller appears in the visible markup. */ function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div 
id="navbar-iframe-container"></div> <!-- NOTE(review): third-party script loaded with no integrity (SRI) attribute and no crossorigin attribute; the page fully trusts whatever apis.google.com serves. --> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> /* Embeds the Blogger navbar as a cross-origin iframe inside #navbar-iframe-container via gapi.iframes. messageHandlersFilter is set to CROSS_ORIGIN_IFRAMES_FILTER, which presumably limits which frames may deliver messages (TODO confirm in the gapi docs); the only registered handler, 'blogger-ping', is a no-op. The \x3d and \x26 escapes in the url are '=' and '&'. */ gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d4838136820032157985\x26blogName\x3dProject+Zero\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://googleprojectzero.blogspot.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://googleprojectzero.blogspot.com/\x26vt\x3d7568236161501195533', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe", messageHandlersFilter: gapi.iframes.CROSS_ORIGIN_IFRAMES_FILTER, messageHandlers: { 'blogger-ping': function() {} } }); } }); </script><script type="text/javascript"> /* Injects the ads experiment script into the document head. The URL is protocol-relative ('//'), so it inherits the page's scheme; an explicit https: URL (and an integrity attribute, if the resource were stable) would be the safer form. */ (function() { var script = document.createElement('script'); script.type = 'text/javascript'; script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js'; var head = document.getElementsByTagName('head')[0]; if (head) { head.appendChild(script); }})(); </script> </div></div> <div class='body-fauxcolumns'> <div class='fauxcolumn-outer body-fauxcolumn-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <div class='content'> <div class='content-fauxcolumns'> <div class='fauxcolumn-outer content-fauxcolumn-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> 
</div> </div> </div> <div class='content-outer'> <div class='content-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left content-fauxborder-left'> <div class='fauxborder-right content-fauxborder-right'></div> <div class='content-inner'> <header> <div class='header-outer'> <div class='header-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left header-fauxborder-left'> <div class='fauxborder-right header-fauxborder-right'></div> <div class='region-inner header-inner'> <div class='header section' id='header' name='Header'><div class='widget Header' data-version='1' id='Header1'> <div id='header-inner'> <div class='titlewrapper'> <h1 class='title'> <a href='https://googleprojectzero.blogspot.com/'> Project Zero </a> </h1> </div> <div class='descriptionwrapper'> <p class='description'><span>News and updates from the Project Zero team at Google</span></p> </div> </div> </div></div> </div> </div> <div class='header-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </header> <div class='tabs-outer'> <div class='tabs-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left tabs-fauxborder-left'> <div class='fauxborder-right tabs-fauxborder-right'></div> <div class='region-inner tabs-inner'> <div class='tabs no-items section' id='crosscol' name='Cross-Column'></div> <div class='tabs no-items section' id='crosscol-overflow' name='Cross-Column 2'></div> </div> </div> <div class='tabs-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='main-outer'> <div class='main-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left main-fauxborder-left'> <div class='fauxborder-right main-fauxborder-right'></div> <div class='region-inner main-inner'> <div 
class='columns fauxcolumns'> <div class='fauxcolumn-outer fauxcolumn-center-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='fauxcolumn-outer fauxcolumn-left-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='fauxcolumn-outer fauxcolumn-right-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <!-- corrects IE6 width calculation --> <div class='columns-inner'> <div class='column-center-outer'> <div class='column-center-inner'> <div class='main section' id='main' name='Main'><div class='widget Blog' data-version='1' id='Blog1'> <div class='blog-posts hfeed'> <div class="date-outer"> <h2 class='date-header'><span>Monday, November 24, 2014</span></h2> <div class="date-posts"> <div class='post-outer'> <div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'> <meta content='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhscRLGR4PzRhOv3qdMTWuNzdq0Y6KE1qQPK1ugiTZhFp0BP62d6e9CqfH5HkAbLf7jpoyi2peGaW7nS014dzMPac_vWmPAl7zWc8c6K8s5fbWOnkxkw7OE3-jGkvPIfDaOdCUurn6hmYgCX-Iyk03KEgVf7AD46bUPIEz-e6CNRbvPwJV-Q5Gvoz4K/s600/sf_01.png' itemprop='image_url'/> <meta content='4838136820032157985' itemprop='blogId'/> <meta 
content='1463890466523458293' itemprop='postId'/> <a name='1463890466523458293'></a> <h3 class='post-title entry-title' itemprop='name'> <a href='https://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html'>pwn4fun Spring 2014 - Safari - Part II</a> </h3> <div class='post-header'> <div class='post-header-line-1'></div> </div> <div class='post-body entry-content' id='post-body-1463890466523458293' itemprop='description articleBody'> <div class="post-body entry-content" id="post-body-1463890466523458293" itemprop="description articleBody"> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">Posted by Ian Beer</span></div> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><br /></span> <br /> <h2 style="line-height: 1.15;"> <span style="font-family: Trebuchet MS, sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">TL;DR</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">An OS X GPU driver trusted a user-supplied kernel C++ object pointer and called a virtual function. The IOKit registry contained kernel pointers which were used to defeat kASLR. 
A kernel ROP payload ran Calculator.app as root using a convenient kernel API.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Overview of part I</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We finished <a href="http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html">part I</a> with the ability to load our own native library into the Safari renderer process on OS X by exploiting an integer truncation bug in the Safari javascript engine</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
Here in part II we’ll take a look at how sandboxing works on OS X, revise some OS X fundamentals and then exploit two kernel bugs to launch Calculator.app running as root from inside the Safari sandbox.</span></span><br /> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Safari process model</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Safari’s sandboxing model is based on privilege separation. It uses the <a href="https://trac.webkit.org/wiki/WebKit2">WebKit2</a> framework to communicate between multiple separate processes which collectively form the Safari browser. 
Each of these processes is responsible for a different part of the browser and sandboxed to only allow access to the system resources it requires.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Specifically Safari is split into four distinct process families:</span></div> <ul style="margin-bottom: 0pt; margin-top: 0pt;"> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WebProcesses</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> are the renderers - they’re responsible for actually drawing web pages as well as dealing with most active web content such as javascript</span></span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, 
sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">NetworkProcess</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is the process which talks to the network</span></span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PluginProcesses</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> are the processes which host native plugins like Adobe Flash</span></span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">UIProcess</span><span 
style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is the unsandboxed parent of all the other processes and is responsible for coordinating the activity of the sandboxed processes such that a webpage is actually displayed to the user which they can interact with</span></span></div> </li> </ul> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Web, Network and Plugin process families are sandboxed. </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In order to understand how to break out of the WebProcess that we find ourselves in we’ve first got to understand how this sandbox is implemented.</span></span><br /> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS X sandboxing 
primitives</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS X uses the <a href="https://en.wikipedia.org/wiki/Mandatory_access_control">Mandatory Access Control</a> (MAC) paradigm</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to implement sandboxing; specifically, it uses the <a href="http://www.trustedbsd.org/mac.html">TrustedBSD</a> framework</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
Use of the MAC sandboxing paradigm implies that whenever a sandboxed process tries to acquire access to some system resource, for example by opening a file or creating a network socket, the OS will first check: </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Does this particular process have the right to do this?</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">An implementation of sandboxing using TrustedBSD has two parts: firstly, hooks must be added to the kernel code wherever a sandboxing decision is required. 
</span><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">A TrustedBSD hook looks like</span></span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> this:</span><br /> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/* bsd/kern/uipc_syscalls.c */</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int socket(struct proc *p, struct socket_args *uap, int32_t *retval)</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">#if CONFIG_MACF_SOCKET_SUBSET</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">if ((error = </span><span style="background-color: #f9cb9c; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mac_socket_check_create</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(kauth_cred_get(), uap->domain,</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uap->type, uap->protocol)) != 0)</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 
Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">return (error);</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#endif /* MAC_SOCKET_SUBSET */</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 
0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">That snippet of code is from the implementation of the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">socket</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> syscall on OS X. If MAC support has been enabled at compile time then the very first thing the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">socket</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> syscall implementation will do is call </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mac_socket_check_create</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: 
none; vertical-align: baseline; white-space: pre-wrap;">, passing the credentials of the calling process and the domain, type and protocol of the requested socket:</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/* security/mac_socket.h */</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int mac_socket_check_create(kauth_cred_t cred, int domain, int type, int protocol)</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: 
baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int error;</span></span></div> <span style="font-family: Courier New, Courier, monospace;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">if (!mac_socket_enforce)</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; 
white-space: pre-wrap;">return 0;</span></span></div> <span style="font-family: Courier New, Courier, monospace;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MAC_CHECK(socket_check_create, cred, domain, type, protocol);</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">return (error);</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: 
normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">Here we see that if the enforcement of MAC on sockets hasn’t been globally disabled (</span><span style="font-family: Courier New, Courier, monospace;">mac_socket_enforce</span><span style="font-family: Trebuchet MS, sans-serif;"> is a variable exposed by the </span></span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sysctl</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> interface) then this function falls through to the </span><span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MAC_CHECK</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></span><span style="background-color: transparent; color: black; font-family: 
'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">macro:</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/* security/mac_internal.h */</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#define</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MAC_CHECK(check, args...) 
do {</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> \</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">for (i = 0; i < mac_policy_list.staticmax; i++) { \</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; 
font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mpc = </span><span style="background-color: #f4cccc; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mac_policy_list.entries</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[i].mpc; \</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span 
style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">if (mpc->mpc_ops->mpo_ ## check != NULL) \</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">error = mac_error_select( </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 
\</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #f4cccc; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mpc->mpc_ops->mpo_ ## check</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (args), \</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> error);</span></span><br /> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This macro is the core of TrustedBSD. 
</span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mac_policy_list.entries</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (the first highlighted chunk) is a list of </span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">policies</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and the second highlighted chunk is TrustedBSD </span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">consulting</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> the policy. 
In actual fact a policy is nothing more than a C </span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">struct</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">struct policy_ops</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">) containing function pointers (one per hook type) and consultation of a policy simply means calling the right function pointer in that struct.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">If that policy function returns </span><span style="font-family: Courier New, Courier, monospace;">0</span><span style="font-family: Trebuchet MS, sans-serif;"> (or isn’t implemented at all by the policy) then the MAC check succeeds. 
If the policy function returns a non-zero value then the MAC check fails and, in the case of this </span></span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">socket</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> hook, the syscall will fail passing the error code back up to userspace and the rest of the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">socket</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> syscall won’t be executed.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The second part of an implementation of sandboxing using TrustedBSD is the provision of these policy modules. Although TrustedBSD allows multiple policy modules to be present at the same time in practice on OS X there’s only one and it’s implemented in its own kernel extension: Sandbox.kext. 
When it's loaded Sandbox.kext registers itself as a policy with TrustedBSD by passing a pointer to its </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">policy_ops</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> structure. TrustedBSD adds this to the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mac_policy_list.entries</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> array seen earlier and will then call into Sandbox.kext whenever a sandboxing decision is required.</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">Sandbox.kext and the OS X sandbox policy_ops</span></h2> </div> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif; line-height: 1.15;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="http://reverse.put.as/wp-content/uploads/2011/06/The-Apple-Sandbox-BHDC2011-Paper.pdf">This</a> paper from Dionysus Blazakis</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, <a href="http://2013.zeronights.org/includes/docs/Meder_Kydyraliev_-_Mining_Mach_Services_within_OS_X_Sandbox.pdf">this</a> talk from Meder </span></span><span style="font-family: Trebuchet MS, sans-serif;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">Kydyraliev </span></span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">and <a href="http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf">this</a> reference from <a href="https://twitter.com/osxreverser">@osxreverser</a> </span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">go into great detail about Sandbox.kext and its operation and usage.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: 
none; vertical-align: baseline; white-space: pre-wrap;">Summarizing those linked resources, every process can have a unique sandbox profile. For (almost) every MAC hook type Sandbox.kext allows a sandbox profile to specify a decision tree to be used to determine whether the MAC check should pass or fail. This decision tree is expressed in a simple scheme-like DSL built from tuples of actions, operations and filters (for a more complete guide to the syntax refer to the linked docs):</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(action operation filter)</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <br /> <ul> <li><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Actions</span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> determine whether a particular rule corresponds to passing or failing the MAC check. 
Actions are the literals </span><span style="color: black; font-family: Courier New, Courier, monospace; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">allow</span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="color: black; font-family: Courier New, Courier, monospace; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">deny</span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">.</span></li> <li><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Operations</span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> define which MAC hooks this rule applies to. For example the </span><span style="color: black; font-family: Courier New, Courier, monospace; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">file-read</span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> operation allows restricting read access to files.</span></li> <li><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Filters</span><span style="color: black; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;"> allow a more granular application of operations, for example a filter applied to the </span><span style="font-family: Courier New, Courier, monospace;">file-read</span><span style="font-family: Trebuchet MS, sans-serif;"> operation could define a specific file which is or isn’t allowed.</span></span></li> </ul> </div> <span style="font-family: 
Trebuchet MS, sans-serif;"> </span> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here’s a snippet from the WebProcess sandbox profile to illustrate that:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(deny default (with partial-symbolication))</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">(allow file-read*</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ;; Basic system paths</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (subpath "/Library/Dictionaries")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (subpath "/Library/Fonts")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (subpath "/Library/Frameworks")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (subpath "/Library/Managed Preferences")</span></div> <div dir="ltr" style="line-height: 1.15; 
margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (subpath "/Library/Speech/Synthesizers")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (regex #"^/private/etc/(hosts|group|passwd)$")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">)</span></span><br /> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 
Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As you can see sandbox profiles are very readable on OS X. It’s usually quite clear what any particular sandbox profile allows and denies. In this example the profile is using regular expressions to define allowed file paths (there’s a small regex matching engine in the kernel in AppleMatch.kext.)</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Sandbox.kext also has a mechanism which allows userspace programs to ask for policy decisions. The main use of this is to restrict access to system IPC services, access to which isn’t mediated by the kernel (so there’s nowhere to put a MAC hook) but by the userspace daemon launchd.</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Enumerating the attack surface of a sandboxed 
process</span></h2> <h2> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-weight: normal; line-height: 1.15; white-space: pre-wrap;">Broadly speaking there are two aspects to consider when enumerating the attack surface reachable from within a particular sandbox on OS X:</span></h2> </div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <ul style="margin-bottom: 0pt; margin-top: 0pt;"> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Actions which are specifically allowed by the sandbox policy - these are easy to enumerate by looking at the sandbox policy files.</span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Those actions which are allowed either because the Sandbox.kext </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; 
white-space: pre-wrap;">policy_ops </span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">doesn’t implement the hook callback or because there’s no hook in place at all.</span></div> </li> </ul> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Safari WebProcess sandbox profile is located here:</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/System/Library/StagedFrameworks/Safari/WebKit.framework/Versions/A/Resources/com.apple.WebProcess.sb</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This profile uses an </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">import</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> statement to load the contents of </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/System/Library/Sandbox/Profiles/system.sb</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> which uses the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">define</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> statement to declare various broad sandboxing rulesets which define all the rules required to use complete OS X subsystems such as graphics or networking. 
Amongst others the WebProcess.sb profile uses </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(system-graphics)</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> which is defined here in system.sb:</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(define (system-graphics)</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;"> (allow iokit-open</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (iokit-connection "IOAccelerator")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (iokit-user-client-class "IOAccelerationUserClient")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (iokit-user-client-class "IOSurfaceRootUserClient")</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (iokit-user-client-class "IOSurfaceSendRight"))</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;"> )</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">)</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This tells us that the WebProcess sandbox has pretty much unrestricted access to the GPU drivers. 
In order to understand what the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iokit-user-client-class</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> actually means and what this gives us access to we have to step back and take a look at the various parts of OS X involved in the operation of device drivers.</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <br /> <h2> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-weight: bold; line-height: 1.15; white-space: pre-wrap;">OS X kernel fundamentals</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There are two great books I’d recommend to learn more about the OS X kernel: the older but still relevant “<a href="http://osxbook.com/">Mac OS X Internals</a>” by Amit Singh </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">and the more recent “<a 
href="http://www.newosxbook.com/index.php">Mac OS X and iOS Internals: To the Apple’s Core</a>” by Jonathan Levin</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1.15; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The OS X <a href="https://en.wikipedia.org/wiki/OS_X">wikipedia article</a> contains a detailed taxonomic discussion of OS X and its place in the <a href="https://en.wikipedia.org/wiki/File:Unix_timeline.en.svg">UNIX phylogenetic tree</a> </span><span style="background-color: transparent; color: black; vertical-align: baseline;"><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;">but for our purposes it’s sufficient to divide the OS X kernel into three broad subsystems which </span><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">collectively</span><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> are known as XNU:</span></span></span><br /> <h4> <span style="color: #444444; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> BSD</span></h4> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The majority of OS X 
syscalls are BSD syscalls. The BSD-derived code is responsible for things like file systems and networking.</span><br /> <h4> <span style="color: #444444; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-weight: bold; line-height: 1.15; white-space: pre-wrap;"> Mach</span></h4> </div> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; vertical-align: baseline;"><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;">Originally a <a href="https://en.wikipedia.org/wiki/Mach_%28kernel%29">research microkernel from CMU</a>, mach is responsible for many of the low-level </span><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">idiosyncrasies</span><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> of OS X. The mach IPC mechanism is one of the most fundamental parts of OS X, but the mach kernel code is also responsible for things like virtual memory management.</span></span></span><br /> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; vertical-align: baseline;"><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;">Mach only has a handful of dedicated mach syscalls (mach calls them traps) and almost all of these only exist to support the mach IPC system. 
All further interaction with the mach kernel subsystems from userspace is via mach IPC.</span></span></span><br /> <h4> <span style="color: #444444; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-weight: bold; line-height: 1.15; white-space: pre-wrap;"> IOKit</span></h4> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOKit is the framework used for writing device drivers on OS X. IOKit code is written in C++ which brings with it a whole host of new bug classes and exploitation possibilities. We'll return to a more detailed discussion of IOKit later.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mach IPC</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you want to change the permissions of a memory mapping in your process, talk to a device 
driver, render a system font, symbolize a crash dump, debug another process or determine the current network connectivity status, then on OS X behind the scenes you’re really sending and receiving mach messages. In order to find and exploit bugs in all those things, it’s important to understand how mach IPC works:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: #444444; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Messages, ports and queues</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mach terminology can be a little unclear at times and OS X doesn’t ship with the man pages for the mach APIs (but you can view them online <a href="http://web.mit.edu/darwin/src/modules/xnu/osfmk/man/">here</a></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">).</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span 
style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Fundamentally, mach IPC is a message-oriented protocol. The messages sent via mach IPC are known as mach messages. </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Sending</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> a mach message really means the message gets enqueued into a kernel-maintained message queue known as a </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mach port</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Only one process can dequeue messages from a particular port. 
In mach terminology this process has a </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">receive-right</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> for the port. Multiple processes can enqueue messages to a port - these processes hold </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">send-rights</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to that port.</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Within a process these send and receive rights are called mach port </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">names</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
A mach port name is used to index a per-process mapping between mach port names and message queues (akin to how a process-local UNIX file descriptor maps to an actual file):</span></span></div> <a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhscRLGR4PzRhOv3qdMTWuNzdq0Y6KE1qQPK1ugiTZhFp0BP62d6e9CqfH5HkAbLf7jpoyi2peGaW7nS014dzMPac_vWmPAl7zWc8c6K8s5fbWOnkxkw7OE3-jGkvPIfDaOdCUurn6hmYgCX-Iyk03KEgVf7AD46bUPIEz-e6CNRbvPwJV-Q5Gvoz4K/s624/sf_01.png' style='display: block; padding: 1em 0; text-align: center;'><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhscRLGR4PzRhOv3qdMTWuNzdq0Y6KE1qQPK1ugiTZhFp0BP62d6e9CqfH5HkAbLf7jpoyi2peGaW7nS014dzMPac_vWmPAl7zWc8c6K8s5fbWOnkxkw7OE3-jGkvPIfDaOdCUurn6hmYgCX-Iyk03KEgVf7AD46bUPIEz-e6CNRbvPwJV-Q5Gvoz4K/s600/sf_01.png" style="max-height: 750; max-width: 600;" /></a> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this diagram we can see that the process with PID </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">123</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> has a mach port name </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;">0xabc</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. It’s important to notice that this Mach port name only has a meaning within this process - we can see that in the kernel structure for this process </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0xabc</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is just a key which maps to a pointer to a message queue.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When the process with PID </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">456</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;"> tries to dequeue a message using the mach port name </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0xdef</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> the kernel uses </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0xdef</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to index that process’s map of mach ports such that it can find the correct message queue from which to dequeue a message.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mach messages</span></h2> </div> <div dir="ltr" 
style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A single mach message can have up to four parts:</span></div> <ul style="margin-bottom: 0pt; margin-top: 0pt;"> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Message header - this header is mandatory and specifies the port name to send the message to as well as various flags.</span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Kernel processed </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">descriptors</span><span style="background-color: transparent; color: black; font-size: 
15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - this optional section can contain multiple descriptors which are parts of the message which need to be interpreted by the kernel.</span></span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Inline data - this is the inline binary payload.</span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Audit trailer - The message receiver can request that the kernel append an audit trailer to received messages.</span></div> </li> </ul> <a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVJW-5AYhyLNUeHjXX35U2z-qLT4dm14ehOYO3E9eriGZ0qmcp8YPIRAKvbaG0Df8ZVz8pb__nDQaj_sfM6LJigAO1OY7TUzHZ763ro_7zjsq6mzaSPYlh6Yh5z1ivZekHcnqP5OK_YkBE4FuTjJg4SGsU38-EJn9iGJU5rs6Dk3mabRazecQazmAC/s624/sf_02.png' style='display: block; padding: 1em 0; text-align: center;'><img border="0" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVJW-5AYhyLNUeHjXX35U2z-qLT4dm14ehOYO3E9eriGZ0qmcp8YPIRAKvbaG0Df8ZVz8pb__nDQaj_sfM6LJigAO1OY7TUzHZ763ro_7zjsq6mzaSPYlh6Yh5z1ivZekHcnqP5OK_YkBE4FuTjJg4SGsU38-EJn9iGJU5rs6Dk3mabRazecQazmAC/s600/sf_02.png" style="max-height: 750; max-width: 600;" /></a> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When a simple mach message containing no descriptors is sent it will first be copied entirely into a kernel heap-allocated buffer in the kernel. A pointer to that copy is then appended to the correct mach message queue and when the process with a receive right to that queue dequeues that message the kernel copy of the message gets copied into the receiving process.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Out-of-line memory</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Copying messages into and out of the kernel is slow, especially if the messages are large. In order to send large amounts of data, you can use the “out-of-line memory” descriptor. This enables the message sender to instruct the kernel to make a copy-on-write virtual memory copy of the sender’s buffer in the receiver process when the message is dequeued.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <h2> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-weight: bold; line-height: 1.15; white-space: pre-wrap;">Bi-directional messages</span></h2> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mach IPC is fundamentally uni-directional. In order to build a two-way IPC mechanism, mach IPC allows for messages to carry port rights. In a mach message, along with binary data, you can also send a mach port right.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mach IPC is quite flexible when it comes to sending port rights to other processes. 
You can use the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">local_port</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> field of the mach message header, use a port descriptor or use an OOL-ports descriptor. There are a multitude of flags to control exactly what rights should be transferred, or if new rights should be created during the send operation (it’s common to use the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MAKE_SEND</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> flag which creates and sends a new send right to a port which you hold the receive right for.)</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: 
normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Bootstrapping Mach IPC</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There’s a fundamental bootstrapping problem with mach IPC: how do you get a send right to a port for which another process has a receive right without first sending them a message (thus encountering the same problem in reverse)?</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One way around this could be to allow mach ports to be inherited across a </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">fork()</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> akin to setting up a pipe between a parent and child process using </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">socketpair()</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. However, unlike file descriptors, mach port rights are not inherited across a fork so you can’t implement such a system.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Except, some mach ports </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">are</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> inherited across a fork! These are the special mach ports, one of which is the bootstrap port. 
The parent of all processes on OS X is launchd, and one of its roles is to set the default bootstrap port which will then be inherited by every child.</span></span><br /> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Launchd</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Launchd holds the receive-right to this bootstrap port and plays the role of the bootstrap server, allowing processes to advertise named send-rights which other processes can look up. 
These are OS X Mach IPC services.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MIG</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We’re now at the point where we can see how the kernel and userspace Mach IPC systems use a few hacks to get bootstrapped such that they’re able to send binary data. This is all that you get with raw Mach IPC.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MIG is the <a href="https://www.gnu.org/software/hurd/microkernel/mach/mig/gnu_mig.html">Mach Interface Generator</a> and it provides a simple RPC (remote procedure call) layer on top of the raw mach message IPC. 
</span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">MIG is used by all the Mach kernel services and many userspace services.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MIG interfaces are declared in </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.defs</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> files. These use a simple Interface Definition Language which can define function prototypes and simple data structures. 
The MIG tool compiles the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.defs </span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">into C code which implements all the required argument serialization/deserialization.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Calling a MIG RPC is completely transparent; it’s just like calling a regular C function, and if you’ve ever programmed on a Mac you’ve almost certainly used a MIG-generated header file.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOKit</span></h2> </div> <div dir="ltr" style="line-height: 1.15; 
margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">As mentioned earlier, IOKit is the framework and kernel subsystem used for device drivers. All interactions with IOKit begin with the IOKit master port. This is another special mach port which allows access to the IOKit registry. </span><span style="font-family: Courier New, Courier, monospace;"><a href="http://www.opensource.apple.com/source/xnu/xnu-2782.1.97/osfmk/device/device.defs">device.defs</a></span><span style="font-family: Trebuchet MS, sans-serif;"> is the relevant MIG definition file. The <a href="https://developer.apple.com/library/mac/documentation/devicedrivers/conceptual/IOKitFundamentals/Introduction/Introduction.html">Apple developer documentation</a> describes the IOKit registry in great detail.</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The IOKit registry allows userspace programs to find out about available hardware. 
Furthermore, device drivers can expose an interface to userspace by implementing a <a href="https://developer.apple.com/library/mac/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/MakingHWAccessible/MakingHWAccessible.html">UserClient</a>.</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The main way in which userspace actually interacts with an IOKit driver's UserClient is via the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">io_connect_method</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> MIG RPC:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">type io_scalar_inband64_t = array[*:16] of uint64_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">type io_struct_inband_t = array[*:4096] of char;</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">routine io_connect_method(</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> connection : io_connect_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in selector : uint32_t;</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; 
font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in scalar_input : io_scalar_inband64_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in inband_input : io_struct_inband_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in ool_input</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> : mach_vm_address_t;</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in ool_input_size : mach_vm_size_t;</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span 
style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> out inband_output : io_struct_inband_t, CountInOut;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> out scalar_output : io_scalar_inband64_t, CountInOut;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in ool_output : mach_vm_address_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> inout ool_output_size : mach_vm_size_t </span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">);</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; 
font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This method is wrapped by the IOKitUser library function </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOConnectCallMethod</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The kernel implementation of this MIG API is in </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOUserClient.cpp</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; 
font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in the function </span><br /> <span style="color: black; font-family: Courier New, Courier, monospace; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="color: black; font-family: Courier New, Courier, monospace; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">is_io_connect_method</span><span style="color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">:</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> kern_return_t is_io_connect_method</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_connect_t connection,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, 
monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uint32_t selector,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_scalar_inband64_t scalar_input,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_msg_type_number_t scalar_inputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_struct_inband_t inband_input,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_msg_type_number_t inband_inputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; 
font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_vm_address_t ool_input,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_vm_size_t ool_input_size,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_struct_inband_t inband_output,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_msg_type_number_t *inband_outputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_scalar_inband64_t scalar_output,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; 
white-space: pre-wrap;"> mach_msg_type_number_t *scalar_outputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_vm_address_t ool_output,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_vm_size_t *ool_output_size</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> )</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> CHECK( IOUserClient, connection, client );</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 
0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IOExternalMethodArguments args;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">... 
</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.selector = selector;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.scalarInput = scalar_input;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.scalarInputCount = scalar_inputCnt;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.structureInput = inband_input;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span 
style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.structureInputSize = inband_inputCnt;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.scalarOutput = scalar_output;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.scalarOutputCount = *scalar_outputCnt;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.structureOutput = inband_output;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, 
Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> args.structureOutputSize = *inband_outputCnt; </span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ret = client->externalMethod( selector, &args );</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here we can see that the code fills in an </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">IOExternalMethodArguments</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> structure from the arguments passed to the MIG RPC and then calls the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">::externalMethod</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method of the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOUserClient</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">What happens next depends on the structure of the driver’s </span><span style="font-family: Courier New, Courier, 
monospace;">IOUserClient</span><span style="font-family: Trebuchet MS, sans-serif;"> subclass. If the driver overrides </span></span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">externalMethod</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> then this calls straight into driver code. Typically the </span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">selector</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> argument to </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOConnectCallMethod</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> would be used to determine what function to call, but if the subclass overrides </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; 
font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">externalMethod</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> it’s free to implement whatever method dispatch mechanism it wants. However if the driver subclass doesn’t override </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">externalMethod</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOUserClient</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> implementation of it will call </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">getTargetAndMethodForIndex</span><span style="background-color: transparent; color: 
black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> passing the selector argument - this </span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">is the method which most </span><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;"><span style="font-family: Courier New, Courier, monospace;">IOUserClient</span></span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> subclasses override - it returns a pointer to an </span><span style="font-size: 15px; line-height: 1.15; white-space: pre-wrap;"><span style="font-family: Courier New, Courier, monospace;">IOExternalMethod</span></span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> structure:</span><br /> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">struct IOExternalMethod {</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IOService * object;</span></div> <div dir="ltr" 
style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IOMethod func;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IOOptionBits flags;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IOByteCount count0;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IOByteCount count1;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">};</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 
normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1.15; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">Most drivers have a simple implementation of </span><span style="font-family: Courier New, Courier, monospace;">getTargetAndMethodForIndex</span><span style="font-family: Trebuchet MS, sans-serif;"> which uses the </span><span style="font-family: Courier New, Courier, monospace;">selector</span><span style="font-family: Trebuchet MS, sans-serif;"> argument to index an array of </span><span style="font-family: Courier New, Courier, monospace;">IOExternalMethod</span><span style="font-family: Trebuchet MS, sans-serif;"> structures. Since that selector comes straight from the userspace caller, the lookup has to be bounds-checked against the size of the array; a driver that forgets the check lets the caller pick an out-of-bounds entry. Each of these structures contains a pointer to the method to be invoked (and since this is C++ this isn’t actually a function pointer but a pointer-to-member-method which means things can get very fun when you get to control it! 
See the bug report for </span></span><span style="font-family: Trebuchet MS, sans-serif;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"><a href="https://code.google.com/p/google-security-research/issues/detail?id=20">CVE-2014-1379</a></span></span><span style="color: black; font-size: 15px; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;"> in the Project Zero bugtracker</span></span><span style="color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;"> for an example of this.)</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">The </span><span style="font-family: Courier New, Courier, monospace;">flags</span><span style="font-family: Trebuchet MS, sans-serif;"> member is used to define what mixture of input and output types the </span><span style="font-family: Courier New, Courier, monospace;">ExternalMethod</span><span style="font-family: Trebuchet MS, sans-serif;"> supports and the </span><span style="font-family: Courier New, Courier, monospace;">count0</span><span style="font-family: Trebuchet MS, sans-serif;"> and </span><span style="font-family: Courier New, Courier, monospace;">count1</span><span style="font-family: Trebuchet MS, sans-serif;"> fields define the number or size in bytes of the input and output arguments. 
There are various shim functions which make sure that </span></span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">func</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is called with the correct prototype depending on the declared number and type of arguments. Note that these declared counts are all the framework knows about how large the caller-supplied input and output buffers should be, so any size assumption the driver’s implementation makes beyond what it declares here is one the driver has to check for itself.</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Putting all that together</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At this point we know that when we call </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;">IOConnectCallMethod</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> what really happens is that C code auto-generated by MIG serializes all the arguments into a data buffer which is wrapped in a mach message which is sent to a mach port we received from the IOKit registry, which we knew how to talk to because every process has a special device port. That message gets copied into the kernel where more MIG-generated C code deserializes it and calls </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">is_io_connect_method</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> which calls the driver’s </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">externalMethod</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> virtual method.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: 
normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Writing an IOKit fuzzer</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When auditing code it’s often worth writing a fuzzer to run alongside your manual analysis. As soon as you’ve understood where attacker-controlled data could enter a system you can write a simple piece of code to throw randomness at it. As your knowledge of the code improves you can make incremental improvements to the fuzzer, allowing it to explore the code more deeply.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Courier New, Courier, monospace;">IOConnectCallMethod</span><span style="font-family: Trebuchet MS, sans-serif;"> is the perfect example of an API where this applies. 
It’s very easy to write a simple fuzzer to make random </span><span style="font-family: Courier New, Courier, monospace;">IOConnectCallMethod</span><span style="font-family: Trebuchet MS, sans-serif;"> calls. One approach to slightly improve on just using randomness is to try to mutate real data. In this case, we want to mutate valid arguments to </span><span style="font-family: Courier New, Courier, monospace;">IOConnectCallMethod</span><span style="font-family: Trebuchet MS, sans-serif;">. Check out <a href="http://www.slideshare.net/inggmartinez/find-your-own-ios-kernel-bug">this talk from Chen Xiaobo and Xu Hao</a> about how to do exactly that</span></span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">DYLD interposing</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dyld is the OS X 
dynamic linker. Similar to using LD_PRELOAD on Linux, dyld supports dynamic link time interposition of functions. This means we can intercept function calls between different libraries and inspect and modify arguments.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here’s the complete </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOConnectCallMethod</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> fuzzer interpose library I wrote for pwn4fun (one practical note: it seeds rand() from the current time, so if you want to be able to reproduce a crash you will need to log the seed, or better the mutated arguments, alongside it):</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#include <stdint.h></span></div> <div dir="ltr" style="line-height: 1.15; 
margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#include <stdio.h></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#include <stdlib.h></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#include <time.h></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#include <IOKit/IOKitLib.h></span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int maybe(){</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: 
transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> static int seeded = 0;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> if(!seeded){</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> srand(time(NULL));</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> seeded = 1;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;"> return !(rand() % 100);</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">void flip_bit(void* buf, size_t len){</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> if (!len)</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> return;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> size_t offset = rand() % 
len;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ((uint8_t*)buf)[offset] ^= (0x01 << (rand() % 8));</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">kern_return_t</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">fake_IOConnectCallMethod(</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_port_t connection,</span></div> <div dir="ltr" style="line-height: 
1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uint32_t selector,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uint64_t *input,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uint32_t inputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> void *inputStruct,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> size_t inputStructCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, 
monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uint64_t *output,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> uint32_t *outputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> void *outputStruct,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> size_t *outputStructCntP)</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;"> if (maybe()){</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> flip_bit(input, sizeof(*input) * inputCnt);</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> if (maybe()){</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> flip_bit(inputStruct, inputStructCnt);</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <span style="font-family: 
Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> return IOConnectCallMethod(</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> connection,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> selector,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> input,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> inputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; 
color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> inputStruct,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> inputStructCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> output,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> outputCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> outputStruct,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: 
baseline; white-space: pre-wrap;"> outputStructCntP);</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">typedef struct interposer {</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> void* replacement;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> void* original;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">} interpose_t;</span></div> <span style="font-family: 
Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__attribute__((used)) static const interpose_t interposers[]</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> __attribute__((section("__DATA, __interpose"))) =</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> { .replacement = (void*)fake_IOConnectCallMethod,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> .original = 
(void*)IOConnectCallMethod</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> } </span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> };</span></div> <span style="font-family: Trebuchet MS, sans-serif;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compile that as a dynamic library:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ clang -Wall -dynamiclib -o flip.dylib flip.c -framework IOKit -arch i386 -arch x86_64</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, 
monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">and load it:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ DYLD_INSERT_LIBRARIES=./flip.dylib hello_world</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1% of the time this will flip one bit in any 
struct input and, independently 1% of the time, one bit in any scalar input to an IOKit external method. This was the fuzzer which found the bug used to get kernel instruction pointer control for pwn4fun, and it found it well before I had any clue how the Intel GPU driver worked at all.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IntelAccelerator bug</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">Running the fuzzer shown above with any program using the GPU led within seconds to a crash in the following method in the </span><span style="font-family: Courier New, Courier, monospace;">AppleIntelHD4000Graphics</span><span style="font-family: Trebuchet MS, sans-serif;"> kernel extension, at the instruction at offset </span></span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0x8BAF</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet 
MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IGAccelGLContext::unmap_user_memory( ;rdi == this</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> IntelGLUnmapUserMemoryIn *, ;rsi</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> unsigned long long) ;rdx</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; 
white-space: pre-wrap;">__text:8AD6</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8AD6 var_30 = qword ptr -30h</span></div> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">...</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8AED cmp rdx, 8</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8AF1 jnz loc_8BFB</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8AF7 mov rbx, [rsi] ;rsi points to controlled data</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; 
font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8AFA mov [rbp+var_30], rbx ;rbx completely controlled</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8BAB mov rbx, [rbp+var_30]</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #f4cccc; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8BAF mov rax, [rbx] ;crash</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8BB2 mov rdi, rbx</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__text:8BB5 call qword ptr [rax+140h]</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">Looking at the cross-references to this function in <a href="https://www.hex-rays.com/products/ida/">IDA Pro</a> we can see that </span><span style="font-family: Courier New, Courier, monospace;">unmap_user_memory</span><span style="font-family: Trebuchet MS, sans-serif;"> is selector </span><span style="font-family: Courier New, Courier, monospace;">0x201</span><span style="font-family: Trebuchet MS, sans-serif;"> of the </span><span style="font-family: Courier New, Courier, monospace;">IGAccelGLContext</span><span style="font-family: Trebuchet MS, sans-serif;"> user client. 
This external method has one struct input so on entry to this function </span></span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rsi</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> points to controlled data (and </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rdx</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> contains the length of that struct input in bytes.)</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At address </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0x8af7</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, 
sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> this function reads the first </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">8</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> bytes of the struct input as a qword and saves them in </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rbx.</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> At this point </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rbx</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is completely controlled. 
This controlled value is then saved into the local variable </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">var_30</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Later at </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0x8bab</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> this value is read back into </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rbx</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, then at </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0x8baf</span><span style="background-color: 
transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> that controlled value is dereferenced without any checks, leading to a crash. If that dereference doesn't crash, however, then the qword value at offset </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0x140</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from the read value will be called.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In other words, this external method is treating the struct input bytes as containing a pointer to a C++ object and it’s calling a virtual method of that object without checking whether the pointer is valid. Kernel space is just trusting that userspace will only ever pass a valid kernel object pointer. 
So by crafting a fake IOKit object and passing a pointer to it as the struct input of selector 0x201 of </span><span style="font-family: 'Courier New', Courier, monospace; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">IGAccelGLContent</span><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;"> we can get kernel instruction pointer control! Now what?</span></span><br /> <span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SMEP/SMAP</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/">SMEP</a> and <a href="http://lwn.net/Articles/517475/">SMAP</a> are two CPU features designed to make exploitation of this type of bug trickier.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: 
baseline; white-space: pre-wrap;">Mavericks supports Supervisor Mode Execute Prevention which means that when the processor is executing kernel code the cpu will fault if it tries to execute code on pages belonging to userspace. This prevents us from simply mapping an executable kernel shellcode payload at a known address in userspace and getting the kernel to jump to it.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The generic defeat for this mitigation is code-reuse (<a href="https://en.wikipedia.org/wiki/Return-oriented_programming">ROP</a>). Rather than diverting execution directly to shellcode in userspace instead we have to divert it to existing executable code in the kernel. By “pivoting” the stack pointer to controlled data we can easily chain together multiple code chunks and either turn off SMEP or execute an entire payload just in ROP.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The second generic mitigation supported at the CPU level is Supervisor Mode Access Prevention. As the name suggests this prevents kernel code from even reading user pages directly. 
This would mean we’d have to be able to get controlled data at a known location in kernel space for the fake IOKit object and the ROP stack since we wouldn’t be able to dereference userspace addresses, even to read them.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">However, Mavericks doesn’t support SMAP so this isn’t a problem, we can put the fake IOKit object, vtable and ROP stack in userspace.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">kASLR</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To write the ROP stack we need to know the exact location of the kernel code we’re planning to reuse. 
On OS X kernel <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">address space layout randomisation</a> means that there are 256 different addresses where the kernel code could be located, one of which is randomly chosen at boot time. Therefore to find the addresses of the executable code chunks we need some way to determine the distance kASLR has shifted the code in memory (this value is known as the kASLR slide.)</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOKit registry</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We briefly mentioned earlier that the IOKit registry allows userspace programs to find out about hardware, but what does that actually mean? The IOKit registry is really just a place where drivers can publish (key:value) pairs (where the key is a string and the value something equivalent to a <a href="https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CoreFoundation_Collection/_index.html">CoreFoundation</a> data type.) 
The drivers can also specify that some of these keys are configurable, which means userspace can use the IOKit registry API to set new values.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here are the MIG RPCs for reading and setting IOKit registry values:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">routine io_registry_entry_get_property(</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> registry_entry : io_object_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: 
normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in property_name</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> : io_name_t;</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> out properties : io_buf_ptr_t, physicalcopy );</span></div> <span style="font-family: Courier New, Courier, monospace;"></span><br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">routine io_registry_entry_set_properties(</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> registry_entry : io_object_t;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span 
style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in properties : io_buf_ptr_t, physicalcopy;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> out result : kern_return_t );</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And here are the important parts of the kernel-side implementation of those functions, f</span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">irstly, for setting a property:</span><br /> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, 
monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">kern_return_t is_io_registry_entry_set_properties</span><span style="color: black; font-family: Courier New, Courier, monospace; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">( </span><br /> <span style="font-family: 'Courier New', Courier, monospace; font-size: 15px; line-height: 1.15; white-space: pre-wrap;"> io_object_t registry_entry,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_buf_ptr_t properties,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_msg_type_number_t propertiesCnt,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> kern_return_t * result)</span><span style="font-family: 'Courier New', Courier, monospace; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; 
font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ... </span></div> <span style="font-family: Courier New, Courier, monospace;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> obj = OSUnserializeXML( (const char *) data, propertiesCnt );</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ...</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #e6b8af; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#if CONFIG_MACF</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #e6b8af; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> else if (0 != mac_iokit_check_set_properties(kauth_cred_get(),</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #e6b8af; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: 
normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> registry_entry,</span><br /> <span style="background-color: #e6b8af; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> obj))</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #e6b8af; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> res = kIOReturnNotPermitted;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #e6b8af; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">#endif</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> else</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #c9daf8; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 
normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">res = entry->setProperties( obj );</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ...</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">and secondly, for reading a property:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">kern_return_t is_io_registry_entry_get_property(</span></div> <div dir="ltr" style="line-height: 1.15; 
margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_object_t registry_entry,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_name_t property_name,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> io_buf_ptr_t *properties,</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mach_msg_type_number_t *propertiesCnt )</span><span style="font-family: 'Courier New', Courier, monospace; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ...</span></div> <div dir="ltr" 
style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #c9daf8; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">obj = entry->copyProperty(property_name);</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> if( !obj)</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> return( kIOReturnNotFound );</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;"> OSSerialize * s = OSSerialize::withCapacity(4096);</span></div> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"> ...</span></span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> if( obj->serialize( s )) {</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> len = s->getLength();</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> *propertiesCnt = len;</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #c9daf8; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: 
baseline; white-space: pre-wrap;">err = copyoutkdata( s->text(), len, properties );</span></span><br /> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: white; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ...</span></span><br /> <span style="font-family: Courier New, Courier, monospace;"><span style="background-color: white; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">These functions are pretty simple wrappers around the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">setProperties</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">copyProperty</span><span style="background-color: 
transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> functions implemented by the drivers themselves.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There’s one very important thing to pick up on here though: in the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">is_io_registry_entry_set_properties</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> function there’s a MAC hook, highlighted here in red, which allows sandbox profiles to restrict the ability to set IOKit registry values. 
(This hook is exposed by Sandbox.kext as the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iokit-set-properties</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> operation.) Contrast this with the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">is_io_registry_entry_get_property</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> function, which has no MAC hook. This means that read access to the IOKit registry cannot be restricted by a sandbox profile. 
</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Every</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> OS X process has full access to read every single (key:value) pair exposed by every IOKit driver.</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Enumerating the iokit registry</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS X ships with the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ioreg</span><span 
style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> tool for exploring the IOKit registry on the command line. By passing the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-l</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> flag we can get </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ioreg</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to enumerate all the registry keys and dump their values. 
Since we’re looking for kernel pointers, let's grep the output, looking for a byte pattern we’d expect to see in a kernel pointer:</span><br /> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ ioreg -l | grep 80ffffff</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> | "IOPlatformArgs" =<00901d2880ffffff00c01c2880ffffff90fb222880ffffff0000000000000000></span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">That looks an awful lot 
like a hexdump of some kernel pointers :)</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Looking for the "</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Courier New, Courier, monospace;">IOPlatformArgs</span><span style="font-family: Trebuchet MS, sans-serif;">" string in the XNU source code</span></span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> we can see that the first of these pointers is actually the address of the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://theiphonewiki.com/wiki/DeviceTree">DeviceTree</a></span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> that’s passed to the kernel at boot. 
And it just so happens that the same kASLR slide that gets applied to the kernel image also gets applied to that </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">DeviceTree</span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> pointer, meaning that we can simply subtract a constant from this leaked pointer to determine the runtime load address of the kernel allowing us to rebase our ROP stack.</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Check out <a href="http://winocm.com/technical/2014/05/30/disarming-the-ios-kernel/">this</a> blog post from winocm for a lot more insight into this bug</span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and its applicability to iOS.</span></span><br /> <span style="font-family: Trebuchet MS, sans-serif;"><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div> <span style="font-family: Trebuchet MS, 
sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS X kernel ROP pivot</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Looking at the disassembly of </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">unmap_user_memory</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> we can see that when the controlled virtual method is called the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rax</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> register points to the fake vtable which we've put in userspace. 
The pointer at offset </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0x140h</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> will be the function pointer that gets called which makes the vtable a convenient place for the ROP stack. We just need to find a sequence of instructions which will move the value of </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rax</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> into </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rsp</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
The </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/mach_kernel</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> binary has the following instruction sequence:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> push rax</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> add [rax], eax</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 
add [rbx+0x41], bl</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> pop rsp</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> pop r14</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> pop r15</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> pop rbp</span></div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ret</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 
normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This will push the vtable address on to the stack, corrupt the first entry in the vtable and write a byte to </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rbx+0x41</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rbx</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> will be the this pointer of the fake IOKit object which we control and have pointed into userspace so neither of these writes will crash. 
</span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">pop rsp</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> then pops the top of the stack into </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rsp</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - since we just pushed </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rax</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on to the stack this means that </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rsp</span><span style="background-color: transparent; color: 
black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> now points to the fake vtable in userspace. The code then pops values for </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">r14</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">r15</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rbp</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> then returns meaning that we can place a full ROP stack in the fake vtable of the fake IOKit object.</span><br /> <span style="background-color: 
transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <h2> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Payload and continuation</span></h2> </div> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The OS X kernel function </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="http://phrack.org/issues/66/16.html">KUNCExecute</a></span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is a really easy way to launch GUI applications from kernel code:</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, 
sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">kern_return_t KUNCExecute(char executionPath[1024], int uid, int gid)</span><br /> <span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The payload for the pwn4fun exploit was a ROP stack which called this, passing a pointer to the string </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">“/Applications/Calculator.app/Contents/MacOS/Calculator”</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> as the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 
normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">executionPath</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> as the </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">uid</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: 
black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gid</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> parameters. This launches the OS X calculator as root :-)</span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Take a look at <a href="https://code.google.com/p/google-security-research/issues/detail?id=126">this</a> exploit </span><span style="background-color: transparent; color: black; font-family: 'Trebuchet MS', sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">for <a href="https://code.google.com/p/google-security-research/issues/detail?id=40">this</a> other IOKit bug </span><span style="background-color: transparent; color: black; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Trebuchet MS, sans-serif;">which takes a slightly different approach by using a handful of ROP gadgets to first disable SMEP then call a more complicated shellcode payload in userspace. 
And if you're still running OS X Mavericks or below then why not try it out?</span></span></div> <span style="font-family: Trebuchet MS, sans-serif;"> </span> <br /> <div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"> <div style="line-height: 1.15;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After executing the kernel payload, we can call the kernel function </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">thread_exception_return</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to return to usermode. If we just do this, however, it will appear as if the whole system has frozen. The kernel payload has actually run (and we can verify this by attaching a kernel debugger) but we can no longer interact with the system. 
This is because, before we got kernel code execution, </span><span style="background-color: transparent; color: black; font-family: Courier New, Courier, monospace; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">unmap_user_memory</span><span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> took two locks — if we don’t drop those locks then no other functions will be able to acquire them and the GPU driver grinds to a halt. Again, check out that linked exploit above to see some example shellcode which drops the locks.</span><br /> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> <h2 style="line-height: 1.15;"> <span style="background-color: transparent; color: black; font-family: Trebuchet MS, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Conclusion</span></h2> <div> <span style="font-family: Trebuchet MS, sans-serif;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">The actual development process of this sandbox escape was nowhere near as linear as this writeup made it seem. There were many missed turns and other bugs which looked like far too much effort to exploit. 
Naturally these were reported to Apple too, just in case.</span></span><br /> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"><br /></span> <br /> <div style="line-height: 1.15;"> <span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">A few months after the conclusion of pwn4fun 2014 I decided to take another look at GPU drivers on OS X, this time focusing on manual analysis. Take a look at the following bug reports for PoC code and details of all the individual bugs: </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=18" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-1372</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">,</span><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"> </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=22" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-1373</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=19" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-1376</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=17" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-1377</a><span style="font-family: 'Trebuchet MS', sans-serif; 
font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=20" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-1379</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=28" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4394</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=29" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4395</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=32" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4398</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=30" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4401</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=30" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4396</a><span style="font-family: 'Trebuchet MS', 
sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=30" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4397</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=30" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4400</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=30" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4399</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=34" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4416</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=31" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4376</a><span style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">, </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=33" style="font-family: 'Trebuchet MS', sans-serif; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">CVE-2014-4402</a><br /> <br /></div> </div> 
<div> <span style="font-family: Trebuchet MS, sans-serif;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">Finally, why not <a href="https://code.google.com/p/google-security-research/issues/subscriptions">subscribe to the Project Zero bug tracker</a> and follow along with all our latest research?</span></span></div> </div> </div> <div style='clear: both;'></div> </div> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> <span class='post-author vcard'> Posted by <span class='fn' itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <span itemprop='name'>Anonymous</span> </span> </span> <span class='post-timestamp'> at <meta content='https://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' itemprop='url'/> <a class='timestamp-link' href='https://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2014-11-24T15:52:00-08:00'>3:52 PM</abbr></a> </span> <span class='post-comment-link'> <a class='comment-link' href='https://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html#comment-form' onclick=''> 1 comment: </a> </span> <span class='post-icons'> <span class='item-control blog-admin pid-836442233'> <a href='https://www.blogger.com/post-edit.g?blogID=4838136820032157985&postID=1463890466523458293&from=pencil' title='Edit Post'> <img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/> </a> </span> </span> <div class='post-share-buttons goog-inline-block'> <a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1463890466523458293&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' 
class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/10/'> October </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/09/'> September </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/08/'> August </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/07/'> July </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/06/'> June </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/03/'> March </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/02/'> February </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul 
class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/01/'> January </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/'> 2015 </a> <span class='post-count' dir='ltr'>(33)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/12/'> December </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/11/'> November </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/10/'> October </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/09/'> September </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/08/'> August </a> <span 
class='post-count' dir='ltr'>(6)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/07/'> July </a> <span class='post-count' dir='ltr'>(5)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/06/'> June </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/04/'> April </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/03/'> March </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/02/'> February </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' 
href='https://googleprojectzero.blogspot.com/2015/01/'> January </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <a class='toggle' href='javascript:void(0)'> <span class='zippy toggle-open'> ▼  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/'> 2014 </a> <span class='post-count' dir='ltr'>(11)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/12/'> December </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <a class='toggle' href='javascript:void(0)'> <span class='zippy toggle-open'> ▼  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/11/'> November </a> <span class='post-count' dir='ltr'>(2)</span> <ul class='posts'> <li><a href='https://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html'>pwn4fun Spring 2014 - Safari - Part II</a></li> <li><a href='https://googleprojectzero.blogspot.com/2014/11/project-zero-patch-tuesday-roundup.html'>Project Zero Patch Tuesday roundup, November 2014</a></li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/10/'> October </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/09/'> September </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate 
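collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/08/'> August </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/07/'> July </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> </li> </ul> </div> </div> <script type='text/javascript'>
//<![CDATA[
// Rebuilds the BlogArchive1 sidebar as a flat, per-year list of post titles.
// It reads the newest year shown in the stock widget, empties the widget, then
// walks year by year back to LAST_YEAR, fetching each year's titles from the
// blog's own getTitles endpoint and appending the result once at the end.
(function () {
  const archive_list = document.getElementById('ArchiveList');
  if (archive_list == null) return;

  // The first .post-count-link in the stock widget is the newest year ("2019", ...).
  const first_link = archive_list.querySelector('.post-count-link');
  let cur_year = first_link ? parseInt(first_link.innerText.trim(), 10) : NaN;
  const LAST_YEAR = 2014; // oldest year to fetch; the walk stops here

  // Guard before wiping the widget: a NaN or out-of-range start year would
  // never reach LAST_YEAR and the fetch loop below would never terminate.
  if (!Number.isFinite(cur_year) || cur_year < LAST_YEAR) return;

  const MONTHS = ',Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec'.split(','); // index 1..12
  const elements = []; // DOM nodes accumulated across years, appended once in finish()

  // Drop the stock widget content; the rebuilt list is appended in finish().
  while (archive_list.childNodes.length) archive_list.removeChild(archive_list.childNodes[0]);

  // Builds one year's block (rule, year header, list of posts) from the
  // `results` object the evaluated response hands to the shimmed callback.
  function handle_year(results) {
    elements.push(document.createElement('hr'));
    const year_header = document.createElement('div');
    year_header.appendChild(document.createTextNode(cur_year));
    year_header.style.fontSize = 'large';
    elements.push(year_header);
    const list = document.createElement('ul');
    elements.push(list);
    for (const obj of (results && results.posts) || []) {
      // Post URLs have the form https://host/YYYY/MM/slug.html; index 4 is the month.
      const month = obj.url.split('/')[4];
      const el = document.createElement('li');
      el.style.listStyleType = 'square';
      el.style.listStylePosition = 'inside';
      const link = document.createElement('a');
      // Title goes in as a text node, so it is never parsed as markup.
      link.appendChild(document.createTextNode(obj.title));
      link.href = obj.url;
      el.appendChild(link);
      const date_trailer = document.createElement('span');
      const month_name = MONTHS[parseInt(month, 10)] || month; // fall back to the raw segment
      date_trailer.appendChild(document.createTextNode(' (' + month_name + ')'));
      el.appendChild(date_trailer);
      list.appendChild(el);
    }
  }

  // Fetches the titles for cur_year, then either finishes or recurses for cur_year - 1.
  function fetch_next_year() {
    const url = 'https://googleprojectzero.blogspot.com/?action=getTitles&widgetId=BlogArchive1&widgetType=BlogArchive&responseType=js&path=https%3A%2F%2Fgoogleprojectzero.blogspot.com%2F' + cur_year;
    fetch(url).then(resp => {
      if (!resp.ok) {
        console.log('http error', resp.status, url);
        finish(); // show what was collected so far instead of leaving the emptied widget blank
        return;
      }
      // Returned so that a rejection inside is routed to the .catch below.
      return resp.text().then(text => {
        // The endpoint answers with a JS snippet that calls
        // _WidgetManager._HandleControllerResult(name, method, results); the
        // scope object is a shim that exposes only that one callback.
        // NOTE(review): eval executes the entire response with page privileges,
        // not just that call, so this fully trusts the blog's own origin.
        // Parsing the payload instead of executing it would be safer; kept as-is
        // because the response format is not documented here.
        const scope = {
          _WidgetManager: {
            _HandleControllerResult: (name, method, results) => handle_year(results)
          }
        };
        with (scope) { eval(text); }
        if (cur_year == LAST_YEAR) {
          finish();
        } else {
          cur_year--;
          fetch_next_year();
        }
      });
    }).catch(err => {
      // Network failure or an exception while handling the response: previously
      // this rejection was unhandled and the already-emptied widget stayed blank.
      console.log('archive fetch failed', err);
      finish();
    });
  }

  // Appends the accumulated nodes to the widget in the order they were built.
  function finish() {
    for (const obj of elements) {
      archive_list.appendChild(obj);
    }
  }

  fetch_next_year();
})();
//]]>
</script> <div class='clear'></div> </div> </div></div> <table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'> <tbody> <tr> <td class='first columns-cell'> <div class='sidebar no-items section' id='sidebar-right-2-1'></div> </td> <td class='columns-cell'> <div class='sidebar no-items section' id='sidebar-right-2-2'></div> </td> </tr> </tbody> </table> <div class='sidebar no-items section' id='sidebar-right-3'></div> </aside> </div> </div> </div> <div style='clear: both'></div> <!-- columns --> </div> <!-- main --> </div> </div> <div class='main-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <footer> <div class='footer-outer'> <div class='footer-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left footer-fauxborder-left'> <div class='fauxborder-right footer-fauxborder-right'></div> <div class='region-inner footer-inner'> <div class='foot no-items section' id='footer-1'></div> <table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'> <tbody> <tr> <td class='first columns-cell'> <div class='foot no-items section' id='footer-2-1'></div> </td> <td class='columns-cell'> <div class='foot no-items 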