macOS Advanced Evasion

GPU, ANE, and non-CPU evasion for Apple Silicon operators.

This advanced track teaches accelerator-backed macOS evasion from an offensive research standpoint: CPU scanner blind spots, Metal private buffers, command queues, blit movement, sandboxed accelerator access, ANE visibility limits, and bounded operator claims.

The course focuses on proving what is visible, what is not visible, and what must remain a bounded claim. Researchers build evidence around real Apple Silicon behavior instead of relying on generic GPU theory or recycled command references.

DEF CON prebooking promotional offer. Full course access opens on Aug 10.

00

Operator Research Model, Boundaries, and Baseline

Set the authorized research model, evidence standards, hardware baseline, and operator notebook discipline for accelerator-backed evasion work.

5 modules
0.1Course Orientation: GPU, ANE, and Non-CPU Evasion for Authorized Red Teams
Locked
0.2CPU-Centric Security Assumptions on macOS
Locked
0.3Evidence Standard: Offensive Claim, Reproduction, Measurement, Visibility, Limit
Locked
0.4Lab Baseline: Hardware, OS, Metal Availability, Tooling, and Safety Controls
Locked
0.5Building an Operator Evidence Notebook for Accelerator Research
Locked
01

Memory Visibility and Scanner Bypass Foundations

Build the CPU memory-scanner baseline so researchers can prove what traditional process-memory visibility actually sees and where it stops.

5 modules
1.1Mach Tasks, VM Regions, and What Memory Scanners Actually See
Locked
1.2`task_for_pid`, `mach_vm_region`, and `mach_vm_read_overwrite` as the Test Harness
Locked
1.3Endpoint Security mmap Visibility and Why It Misses Some Device Workflows
Locked
1.4CPU Virtual Address Space vs. Device-Managed Address Spaces
Locked
1.5Lab: Build a CPU Memory Scanner, Prove It Works, Then Define Its Blind Spots
Locked
02

Apple Silicon Accelerator Attack Surface for Operators

Map the Apple Silicon accelerator surface from an operator standpoint: GPU, ANE, command queues, DMA-style movement, and visibility assumptions.

5 modules
2.1Unified Memory Does Not Mean Unified Visibility
Locked
2.2GPU Page Tables, Driver Ownership, and IOAccelerator Concepts
Locked
2.3Command Queues, DMA-Style Copies, and Why Data Movement Has OPSEC Value
Locked
2.4ANE and Practical Visibility Problems in Accelerator-Backed Workflows
Locked
2.5Accelerator Surfaces Operators Should Profile: GPU, ANE, Media Engines, Vision, AVFoundation
Locked
03

Metal Primitives for Offensive Visibility Testing

Learn the Metal primitives that make accelerator visibility testing reproducible: devices, buffers, storage modes, command buffers, and blit boundaries.

5 modules
3.1MTLDevice, MTLBuffer, MTLCommandQueue, and Command Buffers
Locked
3.2Storage Modes: Shared, Managed, Private, and Memoryless
Locked
3.3Why `[buffer contents]` Matters to Scanner Visibility
Locked
3.4Blit Encoders: The Legal Boundary-Crossing Primitive for Staging
Locked
3.5Lab: Observe Shared vs Private Buffer Behavior with Scanner Output
Locked
04

GPU Private Memory Evasion Tradecraft

Develop the GPU private-memory evasion methodology, including staging, timing, proof hygiene, and bounded claims around scanner visibility gaps.

6 modules
4.1The Metal Private Memory Blind Spot and Red-Team Value
Locked
4.2Designing an Authorized GPU Trampoline Workflow Without Real Payloads
Locked
4.3Staging, Transforming, Blitting, Wiping, and Recovering Synthetic Operator Markers
Locked
4.4Avoiding False Proofs: String Literals, Constant Folding, and Optimizer Artifacts
Locked
4.5Timing the Exposure Window with mach_absolute_time
Locked
4.6Lab: Reproduce the Private Buffer Visibility Gap and Capture Operator Evidence
Locked
05

Execution-Proof Boundaries and W^X Reality

Separate data hiding from execution claims and prove recovery, W^X constraints, MAP_JIT boundaries, and cleanup windows with harmless byte sequences.

5 modules
5.1Data Hiding vs Code Execution: Operator Claims Must Stay Separate
Locked
5.2MAP_JIT, W^X, Apple Silicon, and the JIT Entitlement Boundary
Locked
5.3Safe Shellcode Proofs: Read-Only Syscalls and Return-Value Validation
Locked
5.4Measuring Recovery, Execution, and Wipe Windows
Locked
5.5Lab: Execute a Harmless Recovered Byte Sequence, Measure Exposure, and Prove Cleanup
Locked
06

Low-Privilege and Sandboxed Tradecraft

Test what still works from low-privilege and sandboxed contexts, with explicit proof of sandbox state and accelerator access boundaries.

5 modules
6.16.1 What App Sandbox Removes and What It Does Not Remove
Locked
6.2Proving Sandbox State: sandbox_check, Syscall Denial, and Container Paths
Locked
6.3Metal from Sandboxed Apps: Why the Permission Model Matters
Locked
6.4Operator Meaning: Low-Privilege Accelerator Use, OPSEC, and Control Assumptions
Locked
6.5Lab: Run the Private Memory Proof from a Sandboxed App Bundle
Locked
07

Operator Instrumentation and Visibility Checks

Instrument accelerator workflows enough to validate operator claims without turning the course into a detection-engineering track.

5 modules
7.1Minimal Visibility Checks Without Turning the Course into Detection Engineering
Locked
7.2Using a Metal API Watcher as an Operator Validation Tool
Locked
7.3Establishing What Remains Observable During the GPU Trampoline
Locked
7.4Avoiding False Confidence: Private Buffers Are Not the Whole Operation
Locked
7.5Lab: Run a Lightweight Watcher to Bound the Offensive Claim
Locked
08

ANE Visibility Assumptions and Operator Reality

Frame ANE and Apple Intelligence-adjacent visibility limits from an offensive research perspective without overclaiming internal access.

5 modules
8.1What the ANE Is and Where Operators Actually Encounter It
Locked
8.2Why ANE Is Harder to Inspect Than GPU from Userland
Locked
8.3Accelerator Boundary Testing Without Claiming Direct ANE Introspection
Locked
8.4Apple Intelligence and System Framework Touchpoints as Operator Clues
Locked
8.5Lab: Build an ANE Visibility Assumption Matrix from Observable Artifacts
Locked
09

Non-CPU Staging Patterns Beyond Metal

Explore non-CoreML accelerator workflows across media, Vision, AVFoundation, IOSurface, and temporary processing artifacts.

5 modules
9.1Media, Vision, and AVFoundation Pipelines as Transient Data Paths
Locked
9.2Pixel Buffers, Sample Buffers, IOSurface, and Shared Resource Boundaries
Locked
9.3Temporary Accelerator Artifacts and Where Operators Should Look
Locked
9.4Local vs Remote Processing Claims: How to Avoid Bad Assumptions
Locked
9.5Lab: Profile a Non-CoreML Accelerator Workflow for Operator-Relevant Evidence
Locked
10

Operator OPSEC, Client Impact, and Reporting

Convert accelerator behavior into operator-grade findings: OPSEC matrix, artifact review, claim limits, and professional reporting language.

5 modules
10.1Media, Vision, and AVFoundation Pipelines as Accelerator Entry Points
Locked
10.2Logs, Files, Process Events, Code Signing, Network, and User-Visible Artifacts
Locked
10.3When an Evasion Claim Is Too Broad
Locked
10.4How to Present Accelerator Findings to a Client Without Overclaiming
Locked
10.5Lab: Write an Offensive Finding with Impact, Limits, and Responsible Boundaries
Locked
11

Capstone: Authorized Accelerator Evasion Assessment

Run the capstone target range and produce a complete bounded finding package for GPU, ANE, and non-CPU evasion research.

6 modules
11.1Lab: Build the Target Range: Metal Training App, Accelerator Workflow Harness, Scanner, Watcher, Evidence Notebook
Locked
11.2Establish Baseline Visibility Across CPU, Metal, Files, Logs, Process Events, and App Artifacts
Locked
11.3Execute the GPU Private Memory Proof: Combined Evidence Workflow
Locked
11.4Analyze ANE Assumptions and Non-CoreML Accelerator Workflow Artifacts
Locked
11.5Bound the Claim: Evidence Classification, Claim Boundaries, and Quality Gates for the Capstone Report
Locked
11.6Final Report: Offensive Impact, OPSEC Limits, Responsible Use, and Detection Handoff Notes
Locked