The security architecture of modern operating systems is intricate and layered. To effectively challenge these defenses, attackers must extensively audit the security policies of the operating system across various dimensions. In July 2023, the speaker redirected their focus from Android and IoT vulnerabilities to those within macOS. This transition was motivated by an intent to adapt methodologies typically employed by Android security researchers for use in macOS environments, which subsequently led to the identification of numerous vulnerabilities.

In this presentation, the speaker will introduce a generic method for escaping macOS application sandboxes.

Additionally, the speaker will discuss a permission granting mechanism on macOS

Moreover, macOS 14.0 introduced new TCC protections, preventing non-sandboxed apps from accessing the private container folders of sandboxed apps. Previously, executing a malicious non-sandboxed app could leak sensitive data from sandboxed apps like WeChat, Slack, and WhatsApp. However, this is no longer possible on macOS due to the new TCC protections. The speaker will explain how macOS implements these new TCC protections, which are complex and involve multiple high-privilege system processes and Sandbox.kext. If abused, there is potential to gain access to arbitrary files.

By: Zhongquan Li | Senior Security Researcher, Dawn Security Lab, JD.com Qidan He | Director, Chief Researcher, Dawn Security Lab, JD.com