Apple Kernel Vulnerability Research

Build the workflow for finding, proving, and reporting Apple kernel bugs.

This track teaches the Apple kernel vulnerability research workflow from lab setup and XNU internals through IOKit user clients, ARM64 handler analysis, crash triage, bug-class recognition, proof construction, variant hunting, accelerator surfaces, networking, filesystem parsers, security subsystems, and report-quality evidence.

The course is built around controlled lab targets and reproducible evidence. Students learn how to map reachable surface, kill weak leads early, turn a crash into a grounded proof, and package a finding in a way that survives technical review.

00

Research Workflow, Ethics, and Lab Setup

Set up the controlled workflow: the kernel research mindset, a safe two-machine lab, and the boot-to-boot loop that everything runs inside.

5 modules
00.1The Kernel Bounty Landscape: The Four Multipliers and How Findings Are Valued
Locked
00.2Ethics, Scope, Authorization, and Coordinated Disclosure
Locked
00.3The Two-Machine Lab and the Toolchain
Locked
00.4The Boot-to-Boot Loop
Locked
00.5Lab: Stand Up Your Lab, Meet the MacSec Kernel Lab, Capture a First Panic
Locked
01

The Kernel in the Shape You Need It

Build the working model of XNU from first principles: user versus kernel space, the subsystems, how memory is laid out, and what a crash actually is. Just enough to know what you are looking at when you read code and read a panic.

5 modules
01.1User Space, Kernel Space, the Boundary, and Why the Kernel Is the Prize
Locked
01.2XNU Anatomy: Mach, BSD, IOKit, and Which One You Reach How
Locked
01.3Memory for Kernel Work: Pointers, Stack, Heap, Out-of-Bounds, Use-After-Free
Locked
01.4The Kernel Heap: Zones, kalloc, Adjacency, Typed Allocations, and Grooming
Locked
01.5Slides and Crashes: KASLR, Data Aborts, Deliberate Panics, and a Lab Narration
Locked
02

The Local Attack Surface: IOKit User Clients

What user clients, selectors, and external methods actually are, and why they are the richest local surface on the whole system. Concrete, with a working simulator you drive on the lab.

5 modules
02.1Drivers, the IO Registry, User Clients, Selectors, and External Methods
Locked
02.2Opening a Client and Calling Methods: Scalars, Structure Input, and the Simulator
Locked
02.3Entitlements, the Sandbox, and What Turns a Door Into a Wall
Locked
02.4The Dispatch Table and Reading a Handler as a Parser
Locked
02.5Lab: Open and Map the MacSec Kernel Lab User Client
Locked
03

Mapping the Reachable Surface

Systematically enumerate what an unprivileged process can actually reach, read the failure codes correctly, and rank the surface. This is triage done first, and it is the habit that stops you wasting a week behind a door that was never open.

5 modules
03.1Surface Mapping as Triage, and the Collect-First Enumeration Pattern
Locked
03.2Reading Return Codes: Open, Not-Permitted, and Bad-Argument as a Green Light
Locked
03.3Characterizing a Gate: Entitlement Wall, Missing Setup Call, or Satisfiable Check
Locked
03.4The Fresh-Code Strategy and Confused-Deputy Reachability
Locked
03.5Lab: Build a Ranked Reachability Map of the MacSec Kernel Lab Surface
Locked
04

ARM64 for Kernel Reverse Engineers

Enough Apple Silicon ARM64 to follow attacker data from input to sink through real kernel code. We build it up one instruction at a time and read a genuine bug from the lab, line by line.

5 modules
04.1Disassembly, Registers, and Width (w vs x): The Ceiling on Control
Locked
04.2Loads and Stores: Where Input Enters and Corruption Lands
Locked
04.3Arithmetic, Masks, Comparisons, Branches, and Recognizing a Bounds Check
Locked
04.4Calls, Vtables, the brk Trap, and a Full Handler Read Line by Line
Locked
04.5Lab: Annotate a MacSec Kernel Lab Handler and State the One-Sentence Verdict
Locked
05

The Reverse-Engineering Workflow

String the reading skill from Phase 04 into a repeatable process: from "a selector exists" to "here is the exact code and what it trusts," worked efficiently on a giant kernelcache. Find the dispatch, follow your input to a sink, enumerate the guards, and walk up the call graph before you ever claim a bug.

5 modules
05.1Find the Dispatch, Reconstruct the Descriptor, Follow Input to a Sink
Locked
05.2Enumerate the Guards and Walk Up the Call Graph Before Declaring a Bug
Locked
05.3Working on the Kernelcache: Carving, Byte-Pattern Search, Address Arithmetic
Locked
05.4Real Kernel Observation: Read a Public, Patched Handler and Find the Fix
Locked
05.5Lab: Full RE Pass on a MacSec Kernel Lab Selector, From Dispatch to Verdict
Locked
06

Picking the Right Target (Judgment)

The heart of the course. Everything before this taught you to open doors, read code, and read a crash. This phase teaches the thing that actually separates researchers who get paid from researchers who burn out: deciding what to spend your weeks on, and, far more often, killing a lead fast before it kills your month.

5 modules
06.1Define the Threat Model Precisely and Match Your PoC to It
Locked
06.2The Reachability Chain, the Cost of Reachability, and Re-Opening Closed Paths
Locked
06.3The Five Rabbit Holes and How to Detect Each Early
Locked
06.4Adversarial Lead Review: Kill Weak Leads Fast
Locked
06.5Lab: Triage a Candidate Set Down to One Target and Justify the Pick
Locked
07

Bug Class: Memory Corruption

The integer-math and length-handling mistakes that let attacker input write where it should not, how each one looks in ARM64, and how it presents at the crash. Every class is shown with a bespoke IOKit-shaped target you build, run, and catch red-handed on the lab.

5 modules
07.1The One-Sentence Shape, and Multiplication Overflow to Undersized Allocation
Locked
07.2Missing and Oversized Length Bounds on Copies
Locked
07.3Integer Underflow, Signedness, and the Value That Walks Backward
Locked
07.4Out-of-Bounds Indexing, Read vs Write, Linear vs Non-Linear, and a Public Fix
Locked
07.5Lab: Find, Trigger, and Confirm a Memory-Safety Bug in the MacSec Kernel Lab
Locked
08

Bug Class: Races and Use-After-Free

The crown jewels. Lifecycle bugs, double-fetches, refcount errors, and the real engineering of winning a window. This is the class that keeps paying out on a kernel that has been hardened against everything in Phase 07, so it is the class worth learning best.

5 modules
08.1Why UAF and Races Beat Bounds Bugs, and the Close-vs-Call Window
Locked
08.2The Double-Fetch: Shared Memory, the Re-Read Tell, and TOCTOU
Locked
08.3Refcount Errors and Triaging a Race/UAF Crash (Assertion as Confirmation)
Locked
08.4Winning the Window: Widening, Hammering, Contention, Probabilistic Success
Locked
08.5Lab: Win a Close-vs-Call Race in the MacSec Kernel Lab Simulator
Locked
09

Bug Class: Logic and the Confused Deputy

Privilege bugs with no memory corruption, and the privileged daemons that will act on your behalf. This is the class where the kernel's own hardening (typed zones, poison-on-free, bounds-checked copies) buys the defender nothing, because you are not corrupting memory at all. You are convincing a program to break its own rules, or to lend you its authority.

5 modules
09.1Logic Bugs and Privileged-Daemon IPC as an Attack Surface
Locked
09.2The Confused Deputy in Depth: Borrowed Privilege and the Analysis Questions
Locked
09.3Authorization Bugs, Identifier/Path Confusion, and Introspecting a Daemon Safely
Locked
09.4Variant Hunting: Reading a Public Advisory and Diffing the Incomplete Fix
Locked
09.5Lab: Find a Confused-Deputy Path Against a Lab Daemon and Prove the Impact
Locked
10

Reading a Crash

The thirty-second triage: what to read in a panic and in what order, why the fault address decides most of it, how to tell a real corruption from the kernel deliberately stopping itself, how to map a fault back to the exact instruction with certainty, and how to decide worth-a-week in minutes.

6 modules
10.1Anatomy of a Panic Log: What to Read, In Order
Locked
10.2The Fault Address Decides a Lot: NULL, Page-Aligned, Attacker-Scaled
Locked
10.3The Assertion Trap: Deliberate Panics vs Uncontrolled Faults
Locked
10.4De-Sliding and Confirming the Fault Site With a Unique Byte Pattern
Locked
10.5The Exploitability Rubric: Deciding Worth-a-Week in Minutes
Locked
10.6Lab: Triage Real (Sanitized) and Lab-Generated Panics to a Verdict Each
Locked
11

From Crash to Proof

Show control, prove it with a value a reviewer can re-derive, keep the proof of concept safe and minimal, and know when to stop. This is the phase that turns "the kernel died" into "watch me put a value I chose into the register the kernel faults on, and here is how you check me."

5 modules
11.1What a Proof Must Prove, and the Ground-Truth (Preflight-Value) Technique
Locked
11.2Honesty About the Ceiling: Why Precise Partial Control Beats Vague Claims
Locked
11.3Minimal Reproduction, Environment Pinning, and Reproduction Rate
Locked
11.4Safety, Stopping at the Primitive, and Packaging the Evidence Bundle
Locked
11.5Lab: Turn a MacSec Kernel Lab Crash Into a Ground-Truth Proof Bundle
Locked
12

The Report, the Program, and the Long Game

Write something that gets taken seriously, and survive duplicates, downgrades, and the wait. Phase 11 gave you a re-derivable proof bundle. This phase turns that bundle into a submission that reproduces on the reviewer's first try, and it teaches the professional habits that decide what happens to it after you hit send.

5 modules
12.1Coordinated Disclosure and the Apple Security Bounty Lifecycle
Locked
12.2The Anatomy of a Report That Reproduces on the First Try
Locked
12.3Addenda: Strengthening a Live Report With Persistence and Better Evidence
Locked
12.4Duplicates, Severity Disputes, Won't-Fix, and Your Portfolio Record
Locked
12.5Lab: Write a Full Report From a Lab Finding and Self-Review It
Locked
13

Using AI on the Real Work (Not to Learn It)

A working researcher's use of AI as a tool on the actual tasks: drafting a trace you then verify, scripting the glue, attacking your own lead to kill it, drafting a report from confirmed notes. Not a substitute for the craft you built in Phases 00 to 12; a force multiplier on top of it, run behind a hard verification discipline.

5 modules
13.1What AI Is Actually Good For in RE, and Where It Confidently Fakes
Locked
13.2Feeding It the Real Artifact: Drafting a Data-Flow Trace You Then Verify
Locked
13.3Adversarial Use: Making the Model Attack Your Own Lead to Kill It Fast
Locked
13.4Scripting Tools, Parsing Panics, and Drafting Reports From Confirmed Notes
Locked
13.5Lab: Use AI on a Real Lab Handler, Then Catch and Correct Its Hallucination
Locked
14

Static Analysis at Scale and Variant Discovery

Turn one bug, or one dangerous pattern, into many leads across a whole image. This is the phase where a single fix or a single mistake stops being one finding and becomes a lens you point at the entire kernelcache.

5 modules
14.1Pattern-Based Hunting: Encoding a Bug Shape as a Searchable Signature
Locked
14.2Kernelcache-Wide Scans for a Sink Pattern and Triaging the Hits
Locked
14.3Bindiffing Two Releases to Localize Security-Relevant Changes
Locked
14.4From a Fix to Its Siblings: Systematic Variant Enumeration (Public Example)
Locked
14.5Lab: Scan the MacSec Kernel Lab for a Pattern and Rank the Candidates
Locked
15

Attack Surface Tour: Graphics and Media Accelerators

The largest and most rewarding local surface on the machine: GPU command submission over shared memory, and the media, scaler, and neural/compute accelerators that parse rich attacker structures. Taught as generalized method, with one bespoke accelerator you build, gate, submit to, and break on the lab.

5 modules
15.1The Graphics Stack: User Clients, Command Submission, Shared-Memory Buffers
Locked
15.2Where GPU Bugs Live, and the State-Gated Init-Sequence Problem
Locked
15.3Media, Scaler, and Neural/Compute Accelerators as Parsers (Pointer-in-Struct Risk)
Locked
15.4Real Kernel Observation: A Public Graphics/Media Bug Class, Explained Generically
Locked
15.5Lab: Map and Reverse the MacSec Kernel Lab Accelerator Target
Locked
16

Attack Surface Tour: Networking and Remote-Reachable Parsers

Where impact can rise from local to remote: packet parsers, socket paths, and wireless protocol stacks. This is the phase where the value ladder gets a new top rung, because a bug in a parser that runs on a packet that simply arrives is no longer a local privilege escalation, it is remote code execution in the kernel.

5 modules
16.1The Networking Threat Model, Socket Options, and Control Messages
Locked
16.2In-Kernel Packet Parsers: Headers, TLVs, Length Fields, and mbuf Handling
Locked
16.3Wireless, Proximity, File-Sharing, and Tunneling Stacks as Legacy Surface
Locked
16.4Real Kernel Observation: A Public Network-Stack Bug Class, Explained Generically
Locked
16.5Lab: Reverse and Fuzz the MacSec Kernel Lab Packet-Parser Target
Locked
17

Attack Surface Tour: Peripheral, Storage, and Sensor Drivers

The wide field of hardware-backed drivers: storage controllers, interconnects, sensors, and management chips. They vend user clients (some open unprivileged), expose big dispatch tables, and back onto real silicon, which means most of the "interesting" surface is dead behind hardware reality, and a small slice is genuinely reachable and parses your input. This phase teaches you to tell those two apart, fast.

5 modules
17.1Storage Controllers and DMA-Backed Paths (SMART, Namespace)
Locked
17.2Interconnect, Bus, Management, and Power Controllers
Locked
17.3Sensor, Input, and Haptic Drivers and Their Writable Shared-Memory Queues
Locked
17.4Time-Sync and Clock Families: Rich Dispatch, Hardware-Gated Reality
Locked
17.5Lab: Enumerate and Triage the MacSec Kernel Lab Peripheral Drivers
Locked
18

Attack Surface Tour: Filesystems and Mountable Media

Reach the kernel through mountable images and file metadata, a surface where the impact can rise above local: get a victim to mount or open a crafted image, or have one auto-mount from a download, and your parser bug executes in their kernel.

5 modules
18.1Why Filesystem Parsers Matter, and How a Mount Reaches Kernel Code
Locked
18.2Length, Count, and Offset Fields in On-Disk Metadata (and MUL Overflow)
Locked
18.3Journal Replay, Extended Attributes, and Continuation-Record Parsing
Locked
18.4Building and Mounting a Crafted Image Safely, and a Public Parser Class
Locked
18.5Lab: Trigger a Parser Bug in the MacSec Kernel Lab Filesystem Target
Locked
19

Attack Surface Tour: Security Subsystems and Core-Kernel Primitives

The subsystems that enforce security, and the primitives everything shares, where a logic slip is a boundary break. We tour the keystore and key-management user clients (gated by an entitlement bitmap, guarded by single-opener locks), the code-signing and trust-cache paths, the privacy/consent and sandbox-token delegation surfaces, and the shared Mach and process/VM primitives (vouchers, serialization, personas, VM, timers). The recurring skill is decoding a gated dispatch: recovering the bitmap that decides which selectors an unentitled caller can reach, and knowing which crash classes here actually pay.

5 modules
19.1Keystore and Key-Management User Clients: Bitmap-Gated Dispatch, Single-Opener Locks
Locked
19.2Code-Signing, Trust-Cache, and the Privacy/Consent and Sandbox-Token Surfaces
Locked
19.3Mach and Process/VM Primitives: Vouchers, Serialization, Personas, VM, Timers
Locked
19.4The Entitlement-Bitmap Analysis and a Public Security-Subsystem Logic Bug
Locked
19.5Lab: Decode a Gated Dispatch Bitmap in the MacSec Kernel Lab Security Target
Locked
20

Attack Surface Tour: User-to-Root via Privileged Daemons

The confused-deputy field in practice. Phase 09 taught the class on a single hand-built deputy; this phase is the working researcher's map of the whole territory: the population of privileged services a normal, unentitled process can talk to, and what they will do for you with their privileges. Zero memory corruption anywhere in this phase. The bugs are all in delegation and policy, and on a modern hardened macOS they are where user-to-root actually comes from.

5 modules
20.1Mapping Privileged Daemons That Accept Unprivileged IPC
Locked
20.2File-Operation Daemons and Proxy Deputies That Open Caller-Named Services
Locked
20.3Preference, Knowledge-Store, and Configuration Daemons as Write Surfaces
Locked
20.4Introspecting a Daemon Protocol, and Proving Concrete Impact vs Same-User Write
Locked
20.5Lab: Reach a Lab Deputy Daemon and Demonstrate a Bounded Privilege Gain
Locked
21

Capstone: A Full Hunt, End to End

Run the whole lifecycle once, unassisted, and produce a submission-quality finding package against the lab. Everything the course taught, in the order you actually use it: scope the hunt, map and reverse and pick a target, find the bug and trigger it and triage the crash, escalate to a proof of control, bundle the evidence, and write the report. This is the phase where the twenty phases before it stop being separate skills and become one motion.

5 modules
21.1Scope the Hunt: Threat Model, Surface Choice, and a Plan
Locked
21.2Map, Reverse, and Pick a Target in the MacSec Kernel Lab
Locked
21.3Find the Bug, Form the Hypothesis, Trigger It, and Triage
Locked
21.4Escalate to a Proof of Control and Bundle the Evidence
Locked
21.5Capstone Lab: Write the Report and Deliver a Complete Finding Package
Locked