Home

Awesome

Here is some resources about macOS/iOS system security.

<h3 id="p">exploit writeup</h3>

https://blog.pangu.io/

https://starlabs.sg/advisories/

https://bugs.chromium.org/p/project-zero/issues/list

https://talosintelligence.com/vulnerability_reports#disclosed

CVEmodulesPOC/writeup link
CVE-2014-8826LaunchServiceshttps://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html
CVE-2015-????Kernelhttps://github.com/kpwn/tpwn
CVE-2016-????XPChttps://marcograss.github.io/security/apple/xpc/2016/06/17/containermanagerd-xpc-array-oob.html
CVE-2016-1758&CVE-2016-1828Kernelhttps://bazad.github.io/2016/05/mac-os-x-use-after-free/
CVE-2016-1824IOHIDFamilyhttps://marcograss.github.io/security/apple/cve/2016/05/16/cve-2016-1824-apple-iohidfamily-racecondition.html
CVE-2016-1825IOHIDFamilyhttps://bazad.github.io/2017/01/physmem-accessing-physical-memory-os-x/
CVE-2016-1865Kernelhttps://marcograss.github.io/security/apple/cve/2016/07/18/cve-2016-1865-apple-nullpointers.html
CVE-2016-1722syslogdhttps://blog.zimperium.com/analysis-of-ios-os-x-vulnerability-cve-2016-1722/
CVE-2016-1757Kernelhttps://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html<br>http://turingh.github.io/2016/04/03/CVE-2016-1757%E7%AE%80%E5%8D%95%E5%88%86%E6%9E%90/<br>https://turingh.github.io/2016/04/19/CVE-2016-1757%E5%88%A9%E7%94%A8%E7%A8%8B%E5%BA%8F%E5%88%86%E6%9E%90/
CVE-2016-4633Intel Graphics Driverhttps://marcograss.github.io/security/apple/cve/2016/07/21/cve-2016-4633-apple-graphics-another-osx-bug.html
CVE-2016-4673CoreGraphicshttps://marcograss.github.io/security/apple/cve/macos/ios/2016/11/21/cve-2016-4673-apple-coregraphics.html
CVE-2016-7595CoreTexthttps://security.tencent.com/index.php/blog/msg/111
CVE-2017-13861IOSurfacehttps://siguza.github.io/v0rtex/<br>https://paper.seebug.org/472/
CVE-2017-13868Kernelhttps://bazad.github.io/2018/03/a-fun-xnu-infoleak/
CVE-2018-4124CoreTexthttps://blog.zecops.com/vulnerabilities/analyzing-the-ios-telugu-crash-part-i/
CVE-2018-4184sandboxhttps://ubrigens.com/posts/linking_a_microphone.html
CVE-2018-4185Kernelhttps://bazad.github.io/2018/04/kernel-pointer-crash-log-ios/
CVE-2018-4229&CVE-2020-3854sandboxhttps://ubrigens.com/posts/sandbox_initialisation_bypasses.html
CVE-2018-4248libxpchttps://bazad.github.io/2018/07/xpc-string-leak/
CVE-2018-4280libxpchttps://github.com/bazad/blanket
CVE-2018-4331&CVE-2018-4332&CVE-2018-4343Heimdalhttps://bazad.github.io/2018/11/introduction-userspace-race-conditions-ios/
CVE-2018-4346Dictionaryhttps://www.securing.pl/en/secure-implementation-of-webview-in-ios-applications/
CVE-2018-4407kernelhttps://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407
CVE-2018-4415CoreAnimationhttps://ssd-disclosure.com/ssd-advisory-ios-macos-safari-sandbox-escape-via-quartzcore-heap-overflow/
CVE-2018-4431Kernelhttps://ssd-disclosure.com/ssd-advisory-ios-macos-kernel-task_inspect-information-leak/
CVE-2019-6225Kernelhttps://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202.html<br>https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html<br>https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html<br>http://highaltitudehacks.com/2020/06/01/from-zero-to-tfp0-part-1-prologue/<br>http://highaltitudehacks.com/2020/06/01/from-zero-to-tfp0-part-2-a-walkthrough-of-the-voucher-swap-exploit/
CVE-2019-6231CoreAnimationhttps://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231
CVE-2019–6238xarhttps://yilmazcanyigit.medium.com/cve-2019-6238-apple-xar-directory-traversal-vulnerability-9a32ba8b3b7d
CVE-2019-8507CoreAnimationhttps://www.fortinet.com/blog/threat-research/detailed-analysis-mac-os-vulnerability-cve-2019-8507
CVE-2019-8549Power Managementhttps://ssd-disclosure.com/ssd-advisory-ios-powerd-uninitialized-mach-message-reply-to-sandbox-escape-and-privilege-escalation/
CVE-2019-8561PackageKithttps://0xmachos.com/2021-04-30-CVE-2019-8561-PoC//
CVE-2019-8605Kernelhttps://googleprojectzero.blogspot.com/2019/12/sockpuppet-walkthrough-of-kernel.html<br>https://github.com/jakeajames/sock_port<br>http://blog.asm.im/2019/11/17/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%B8%80%EF%BC%89UAF-%E4%B8%8E-Heap-Spraying/<br>http://blog.asm.im/2019/11/24/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%BA%8C%EF%BC%89%E9%80%9A%E8%BF%87-Mach-OOL-Message-%E6%B3%84%E9%9C%B2-Port-Address/<br>http://blog.asm.im/2019/12/01/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%B8%89%EF%BC%89IOSurface-Heap-Spraying/<br>http://blog.asm.im/2019/12/08/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E5%9B%9B%EF%BC%89The-tfp0/
CVE-2019-8635AMDhttps://www.trendmicro.com/en_us/research/19/f/cve-2019-8635-double-free-vulnerability-in-apple-macos-lets-attackers-escalate-system-privileges-and-execute-arbitrary-code.html
CVE-2019-8656autofshttps://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass
CVE-2019-8761UIFoundationhttps://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html
CVE-2019-8794&CVE-2019-8795&CVE-2019-8797Kernel&AVEVideoEncoder&Audiohttps://ssd-disclosure.com/ssd-advisory-via-ios-jailbreak-sandbox-escape-and-kernel-r-w-leading-to-rce/
CVE-2020-3847&CVE-2020-3848CoreBluetoothhttps://blogs.360.cn/post/macOS_Bluetoothd_0-click.html
CVE-2020-3852&CVE-2020-3864&CVE-2020-3865&CVE-2020-3885&CVE-2020-3887&CVE-2020-9784&CVE-2020-9787safari&webkithttps://www.ryanpickren.com/webcam-hacking
CVE-2020-3919IOHIDFamilyhttps://alexplaskett.github.io/CVE-2020-3919/
CVE-2020-9771sandboxhttps://theevilbit.github.io/posts/cve_2020_9771/<br>https://theevilbit.github.io/posts/reversing_cve_2020_9771/
CVE-2020-9817PackageKithttps://research.nccgroup.com/2020/07/02/technical-advisory-macos-installer-local-root-privilege-escalation-cve-2020-9817/
CVE-2020-9854Securityhttps://a2nkf.github.io/unauthd_Logic_bugs_FTW/
CVE-2020-9934CoreFoundationhttps://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8
CVE-2020-9964IOSurfaceAcceleratorhttps://muirey03.blogspot.com/2020/09/cve-2020-9964-ios-infoleak.html
CVE-2020-9967Kernelhttps://alexplaskett.github.io/CVE-2020-9967/
CVE-2020-9968sandboxhttps://blog.xpnsec.com/we-need-to-talk-about-macl/
CVE-2020-9971libxpchttps://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/
CVE-2020-9979Assetshttps://blog.chichou.me/2020/08/06/x-site-escape-part-ii-look-up-a-shell-in-the-dictionary/
CVE-2020-9992IDE Device Supporthttps://blog.zimperium.com/c0ntextomy-lets-debug-together-cve-2020-9992/
CVE-2020-27897Kernelhttps://www.zerodayinitiative.com/blog/2020/12/9/cve-2020-27897-apple-macos-kernel-oob-write-privilege-escalation-vulnerability
CVE-2020-27932Kernelhttps://worthdoingbadly.com/specialreply/
CVE-2020-27935XNUhttps://github.com/LIJI32/SnatchBox
CVE-2020-27949Kernelhttps://github.com/seemoo-lab/dtrace-memaccess_cve-2020-27949
CVE-2020-27950Kernelhttps://www.synacktiv.com/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak.html
CVE-2020-9900&CVE-2021-1786Crash Reporterhttps://theevilbit.github.io/posts/macos_crashreporter/
CVE-2020-9905Kernelhttps://blog.zecops.com/vulnerabilities/from-a-comment-to-a-cve-content-filter-strikes-again/
CVE-2020–9922Mailhttps://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c
CVE-2020-10005&CVE-2021-1878&CVE-2021-30712&CVE-2021-30716&CVE-2021-30717&CVE-2021-30721&CVE-2021-30722smbxhttps://blog.talosintelligence.com/vuln-spotlight-smb-mac-deep-dive/
CVE-2021-1740&CVE-2021-30855&CVE-2021-30995Preferenceshttps://jhftss.github.io/CVE-2021-1740-Invalid-Patch/<br>https://www.trendmicro.com/en_us/research/22/a/analyzing-an-old-bug-and-discovering-cve-2021-30995-.html
CVE-2021-1747CoreAudiohttps://mp.weixin.qq.com/s/9dmQH4qIw95Gsx92wLSr6w
CVE-2021-1757IOSkywalkFamilyhttps://github.com/b1n4r1b01/n-days/tree/main/CVE-2021-1757
CVE-2021-1782Kernelhttps://github.com/ModernPwner/cicuta_virosa<br>https://www.synacktiv.com/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782
CVE-2021-1810Archive Utilityhttps://labs.withsecure.com/publications/the-discovery-of-cve-2021-1810<br>https://labs.withsecure.com/publications/analysis-of-cve-2021-1810-gatekeeper-bypass
CVE-2021-1815Preferenceshttps://www.offensive-security.com/offsec/macos-preferences-priv-escalation/
CVE-2021-30655Wi-Fihttps://wojciechregula.blog/post/press-5-keys-and-become-root-aka-cve-2021-30655/
CVE-2021-30657System Preferenceshttps://objective-see.com/blog/blog_0x64.html
CVE-2021-30659CoreFoundationhttps://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/
CVE-2021-30660Kernelhttps://alexplaskett.github.io/CVE-2021-30660/
CVE-2021-30713TCChttps://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
CVE-2021-30724CVMShttps://gist.github.com/jhftss/1bdb0f8340bfd56f7f645c080e094a8b https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
CVE-2021-30734&CVE-2021-30735WebKit&Graphics Drivershttps://github.com/ret2/Pwn2Own-2021-Safari
CVE-2021-30740&CVE-2021-30768&CVE-2021-30769&CVE-2021-30770&CVE-2021-30773Kernel&dyld&Identity Servicehttps://github.com/LinusHenze/Fugu14
CVE-2021-30798TCChttps://jhftss.github.io/CVE-2021-30798-TCC-Bypass-Again-Inspired-By-XCSSET/
CVE-2021-30807IOMobileFrameBufferhttps://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/
CVE-2021-30833xarhttps://research.nccgroup.com/2021/10/28/technical-advisory-apple-xar-arbitrary-file-write-cve-2021-30833/
CVE-2021-30853GateKeeperhttps://objective-see.com/blog/blog_0x6A.html
CVE-2021-30860CoreGraphicshttps://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html<br>https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
CVE-2021-30861&CVE-2021-30975Script Editor&WebKithttps://www.ryanpickren.com/safari-uxss
CVE-2021-30864LaunchServiceshttps://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassing-app-sandbox-restrictions/
CVE-2021-30869XNUhttps://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/
CVE-2021-30883IOMobileFrameBufferhttps://saaramar.github.io/IOMFB_integer_overflow_poc/
CVE-2021-30892zshhttps://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/
CVE-2021-30902Voice Controlhttps://blog.zecops.com/research/use-after-free-in-voice-control-cve-2021-30902/
CVE-2021-30955Kernelhttps://www.cyberkl.com/cvelist/cvedetail/24<br>https://github.com/tihmstar/desc_race-fun_public<br>https://gist.github.com/jakeajames/37f72c58c775bfbdda3aa9575149a8aa
CVE-2021-30970TCChttps://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/
CVE-2021-30990LaunchServiceshttps://ronmasas.com/posts/bypass-macos-gatekeeper
CVE-2022-22582xarhttps://research.nccgroup.com/2022/03/15/technical-advisory-apple-macos-xar-arbitrary-file-write-cve-2022-22582/
CVE-2022-22616Safari Downloadshttps://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/
CVE-2022-22639SoftwareUpdatehttps://www.trendmicro.com/en_us/research/22/d/macos-suhelper-root-privilege-escalation-vulnerability-a-deep-di.html
CVE-2022-22655TCChttps://theevilbit.github.io/posts/cve-2022-22655/
CVE-2022-22660System Preferenceshttps://rambo.codes/posts/2022-03-15-how-a-macos-bug-could-have-allowed-for-a-serious-phishing-attack-against-users
CVE-2022-26696Terminalhttps://wojciechregula.blog/post/macos-sandbox-escape-via-terminal/
CVE-2022-26706LaunchServiceshttps://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/
CVE-2022-26712PackageKithttps://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
CVE-2022-26743Kernelhttps://pwning.systems/posts/easy-apple-kernel-bug/
CVE-2022-26766&CVE-2022-26763CoreTrust&DriverKithttps://worthdoingbadly.com/coretrust/
CVE-2022-32787ICUhttps://ssd-disclosure.com/ssd-advisory-apple-safari-icu-out-of-bounds-write/
CVE-2022-32816WebKithttps://ssd-disclosure.com/ssd-advisory-apple-safari-idn-url-spoofing/
CVE-2022-32832APFShttps://github.com/Muirey03/CVE-2022-32832
CVE-2022-32883Mapshttps://github.com/breakpointHQ/CVE-2022-32883
CVE-2022-32895PackageKithttps://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html
CVE-2022-32902ATShttps://jhftss.github.io/CVE-2022-32902-Patch-One-Issue-and-Introduce-Two/
CVE-2022-32910Archive Utilityhttps://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/
CVE-2022-32929Backuphttps://theevilbit.github.io/posts/cve-2022-32929/
CVE-2022-32845&CVE-2022-32899&CVE-2022-32948&CVE-2022-42805Apple Neural Enginehttps://github.com/0x36/weightBufs
CVE-2022-32898Apple Neural Enginehttps://0x36.github.io/CVE-2022-32898/
CVE-2022-32932Apple Neural Enginehttps://0x36.github.io/CVE-2022-32932/
CVE-2022-42821Gatekeeperhttps://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/
CVE-2022-42837iTunes Storehttps://www.anquanke.com/post/id/284452
CVE-2022-42841PackageKithttps://sector7.computest.nl/post/2023-01-xar/
CVE-2022-42845Kernelhttps://adamdoupe.com/blog/2022/12/13/cve-2022-42845-xnu-use-after-free-vulnerability-in-ndrv-dot-c/
CVE-2022-42864IOHIDFamilyhttps://muirey03.blogspot.com/2023/01/cve-2022-42864-diabolical-cookies.html
CVE-2022-46689Kernelhttps://github.com/zhuowei/MacDirtyCowDemo
CVE-2023-23504Kernelhttps://adamdoupe.com/blog/2023/01/23/cve-2023-23504-xnu-heap-underwrite-in-dlil-dot-c/
CVE-2023-23513&CVE-2023-23539&CVE-2023-28180&CVE-2023-27934&CVE-2023-27935&CVE-2023-27953&CVE-2023-27958&CVE-2023-32387dcerpchttps://blog.talosintelligence.com/weaknesses-mac-os-vmware-msrpc/
CVE-2023-23525LaunchServiceshttps://jhftss.github.io/CVE-2023-23525-Get-Root-via-A-Fake-Installer/
CVE-2023-27941&CVE-2023-28200Kernelhttps://github.com/0x3c3e/slides/blob/main/2023/zer0con/README.md
CVE-2023-27943LaunchServiceshttps://redcanary.com/blog/gatekeeper-bypass-vulnerabilities/
CVE-2023-27951Archive Utilityhttps://redcanary.com/blog/gatekeeper-bypass-vulnerabilities/
CVE-2023-32364AppSandboxhttps://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html
CVE-2023-32369libxpchttps://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/
CVE-2023-32407Metalhttps://gergelykalman.com/lateralus-CVE-2023-32407-a-macos-tcc-bypass.html
CVE-2023-32422SQLitehttps://gergelykalman.com/sqlol-CVE-2023-32422-a-macos-tcc-bypass.html
CVE-2023-38571Musichttps://gergelykalman.com/CVE-2023-38571-a-macOS-TCC-bypass-in-Music-and-TV.html
CVE-2023-41061&CVE-2023-41064Wallet&ImageIOhttps://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
CVE-2023-42931DiskArbitrationhttps://hackhunting.com/2024/04/05/easy-root-privilege-escalation-in-apple-macos-ventura-sonoma-monterey-cve-2023-42931/
CVE-2023-42942libxpchttps://jhftss.github.io/CVE-2023-42942-xpcroleaccountd-Root-Privilege-Escalation/
CVE-2024-27822PackageKithttps://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html
multiplelock screen bypasshttps://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html
<h3 id="p">tools</h3>

Just some little dev tools to probe IOKit:

https://github.com/Siguza/iokit-utils

Dyld Shared Cache Support for BinaryNinja:

https://github.com/cxnder/bn-dyldsharedcache

iOS/MacOS Kernelcache/Extensions analysis tool:

https://github.com/lilang-wu/p-joker

Extract Binaries from Apple's Dyld Shared Cache:

https://github.com/arandomdev/DyldExtractor

An Application for Inspecting macOS Installer Packages:

https://mothersruin.com/software/SuspiciousPackage/

static analysis tool for analyzing the security of Apple kernel drivers:

https://github.com/alibaba-edu/Driver-Security-Analyzer

Coralsun is a small utility cython library used to provide python support for low level kernel features:

https://github.com/FSecureLABS/coralsun

Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research:

https://github.com/redcanaryco/mac-monitor

a set of developer tools that help in analyzing crashes on macOS:

CrashWrangler

crashwrangler with support for Apple Silicon:

https://github.com/ant4g0nist/crashwrangler

Reliable, open-source crash reporting for iOS, macOS and tvOS:

https://github.com/microsoft/plcrashreporter

<h3 id="p">fuzzers</h3>

public:

macOS 10.13 kernel fuzzer

https://github.com/FSecureLABS/OSXFuzz

binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM

https://github.com/ant4g0nist/ManuFuzzer

automate the generation of syscall specifications for closed-source macOS drivers and facilitate interface-aware fuzzing

https://github.com/seclab-ucr/SyzGen_setup

binary code-coverage fuzzer for Windows and macOS

https://github.com/googleprojectzero/Jackalope

a fork of XNU that contains support for fuzzing the network stack in userland on macOS and Linux-based hosts

https://github.com/googleprojectzero/SockFuzzer

fuzzing OSX kernel vulnerability based on passive inline hook mechanism in kernel mode

https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX

patch honggfuzz to get coverage guided fuzzing of closed source libraries on macOS based on trap

https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz

patch honggfuzz to fuzz iOS library on M1 mac

https://github.com/googleprojectzero/p0tools/tree/master/iOSOnMac

patch that build WebKitGTK+ with ASAN and make some changes that make fuzzing easier

https://github.com/googleprojectzero/p0tools/tree/master/WebKitFuzz

AArch64 fuzzer based on the Apple Silicon hypervisor

https://github.com/Impalabs/hyperpom

private:

fuzz macOS kernel extension

KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations

Improving Mac OS X Security Through Gray Box Fuzzing Technique

fuzzer based on LLDB

Debug for Bug: Crack and Hack Apple Core by Itself

port syzkaller to macOS

Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit

<h3 id="p">conference</h3>
conferencelink
blackhat asia 2021Racing the Dark: A New TOCTTOU Story from Apple's Core
blackhat asia 2021Apple Neural Engine Internal: From ML Algorithm to HW Registers
blackhat asia 2021The Price of Compatibility: Defeating macOS Kernel Using Extended File Attributes
blackhat europe 2015Attacking the XNU Kernel in El Capitan
blackhat usa 202120+ Ways to Bypass Your macOS Privacy Mechanisms
blackhat usa 2021Everything has Changed in iOS 14,but Jailbreak is Eternal
blackhat usa 2021Reverse Engineering the M1
blackhat usa 2021Hack Different:Pwning iOS 14 With Generation Z Bugz
blackhat usa 2021Wibbly Wobbly, Timey Wimey:What's Really Inside Apple's U1 Chip
CanSecWest 2016Don't Trust Your Eye: Apple Graphics Is Compromised!
CanSecWest 2017Port(al) to the iOS Core
CSS 2019如何批量挖掘macOS/iOS内核信息泄漏漏洞
defcon26Attacking the macOS Kernel Graphics Driver
defcon29Caught you - reveal and exploit IPC logic bugs inside Apple
hexacon2022Cinema time!
hexacon2022More Tales from the iOS/macOS Kernel Trenches
hexacon2022Attacking Safari in 2022
HITB AMS 2021macOS local security:escaping the sandbox and bypassing TCC
HITB GSEC 2019Recreating an iOS 0-day jailbreak out of Apple’s security patches
HITB SIN 2022One-Click to Completely Take Over A macOS Device
ISC 2017手把手教你突破 iOS 9.x 用户空间防护
mch2022My journey to find vulnerabilities in macOS
Objective by the Seahttps://objectivebythesea.com/
syscan360 2016Memory corruption is for wusies!