This research presents an in-depth investigation of MacOS Inter-Process Communication (IPC) security, with a focus on Mach message handlers. It explores how Mach message handlers are utilized to execute privileged RPC-like functions and how this introduces vectors for sandbox escapes and privilege escalations. This involves a detailed examination of MacOS internals, particularly the calling and processing of Mach messages, their data formats, and statefulness. The core of the study is the development and application of a custom fuzzing harness targeting these identified IPC function handlers. The fuzzing process, aimed at inducing crashes indicative of memory corruption vulnerabilities, is discussed in detail. Several generated crashes will be discussed, one of which may be exploitable to obtain remote code execution. The research culminates in the open-sourcing of a bespoke Mach message corpus generation script and custom fuzzing harness, contributing to the broader cybersecurity community and laying groundwork for future exploration in this area.

To be added at a later date.

In our talk we present our approach to apply low-tech fuzzing to pursue bug finding in high profile software products. For example well-chosen corpus computed ahead of time can be as powerful as collecting coverage data while fuzzing. Also threshold information such as meta-data tipping points can allow to fine tune bug hunting campaigns. Which means the applied techniques can be supplemental, and by replacing one with the other, bugs would still be found, while aiming for simplicity in the harness setup.