From Collaborative RCE Knowledge Library

Jump to: navigation, search

Having fun with Apples IOKit

Item name: Having fun with Apples IOKit
Rating: 0.0 (0 votes)
Author: Ilja van Sprundel                        
Home URL:
Last updated: July 4, 2010
Version (if appl.):
Direct D/L link:
Description: IOKit is the main interface to write drivers in Mac OSX. it’s unlike most other driver interfaces for other operating systems. the data parsing code where the trust boundary is passed is not a simple ioctl() call away, and it’s not written in c (they’re written in c++). A complex system that goes through mach messages and uses rpc is used to communicate with drivers, oh, and it’s virtually undocumented (and the documentation that is there is poorly written at best).

This talk will describe what I’ve found out in my journey as I try to figure out how the IOKit works, and what exactly an attacker has control over (e.g. what pointers are userland pointers, whats the length limitation placed on them, is the buffer already captured by the time it reaches input handling code, …). The IOKit also has several entrypoints, 2 different ways of using 1 entrypoints and offers the possibility to expose 1 system call specifically for your driver.
Related URLs: No related URLs have been submitted for this item yet

RSS feed Feed containing all updates for this item.

You are welcome to add your own useful notes about this tool, for others to see!

If you find that any information for the item above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Category Navigation Tree