Breaking the Sound Barrier: Exploiting CoreAudio via Mach Message Fuzzing
DAY 1, 15:20-16:00
This research explores macOS IPC security, specifically focusing on Mach message handlers in system daemons. These handlers, which expose privileged functionality, present a significant attack surface for sandbox escapes and local privilege escalation.
I’ll demonstrate how I used structured fuzzing and a technique called API call chaining to uncover vulnerabilities in the coreaudiod system daemon on macOS. My custom fuzzing harness, dynamic instrumentation, and a blend of static and runtime analysis led to several security flaws, including two major memory corruption bugs. I’ll detail the full exploit chain I developed to leverage one of these for a sandbox escape on modern macOS.
I’ll also discuss challenges faced, such as initializing CoreAudio, mocking components, and building targeted grammars for fuzzing. Finally, I’ll share the open-source fuzzing harness and tools developed during this research, aiming to enhance macOS IPC fuzzing accessibility for the security community.
Location: Track 1 (HALL B)
Category: Technical
Speakers
Dillon Franke (aka dillon_franke)
Dillon Franke is a seasoned security researcher with a track record of uncovering high-impact vulnerabilities in complex systems. Throughout his career, Dillon has focused on identifying and exploiting weaknesses in widely used products, working closely with organizations across various industries to improve their security posture and protect against emerging threats. His work has been featured in numerous industry publications and news outlets, and he has spoken at major security conferences around the world, including Black Hat Arsenal, OffensiveCon, TROOPERS, CanSecWest, NullCon, and the Qualcomm Product Security Summit. In his current role as a Senior Security Engineer at Google, Dillon continues to perform cutting-edge application security research and release open-source tools. He is passionate about sharing his knowledge with others and inspiring the next generation of security professionals to take up the mantle and continue the fight for a safer, more secure online world.