Build the workflow for finding, proving, and reporting Apple kernel bugs.
This track teaches the Apple kernel vulnerability research workflow from lab setup and XNU internals through IOKit user clients, ARM64 handler analysis, crash triage, bug-class recognition, proof construction, variant hunting, accelerator surfaces, networking, filesystem parsers, security subsystems, and report-quality evidence.
The course is built around controlled lab targets and reproducible evidence. Students learn how to map reachable surface, kill weak leads early, turn a crash into a grounded proof, and package a finding in a way that survives technical review.
Research Workflow, Ethics, and Lab Setup
Set up the controlled workflow: the kernel research mindset, a safe two-machine lab, and the boot-to-boot loop that everything runs inside.
The Kernel in the Shape You Need It
Build the working model of XNU from first principles: user versus kernel space, the subsystems, how memory is laid out, and what a crash actually is. Just enough to know what you are looking at when you read code and read a panic.
The Local Attack Surface: IOKit User Clients
What user clients, selectors, and external methods actually are, and why they are the richest local surface on the whole system. Concrete, with a working simulator you drive on the lab.
Mapping the Reachable Surface
Systematically enumerate what an unprivileged process can actually reach, read the failure codes correctly, and rank the surface. This is triage done first, and it is the habit that stops you wasting a week behind a door that was never open.
ARM64 for Kernel Reverse Engineers
Enough Apple Silicon ARM64 to follow attacker data from input to sink through real kernel code. We build it up one instruction at a time and read a genuine bug from the lab, line by line.
The Reverse-Engineering Workflow
String the reading skill from Phase 04 into a repeatable process: from "a selector exists" to "here is the exact code and what it trusts," worked efficiently on a giant kernelcache. Find the dispatch, follow your input to a sink, enumerate the guards, and walk up the call graph before you ever claim a bug.
Picking the Right Target (Judgment)
The heart of the course. Everything before this taught you to open doors, read code, and read a crash. This phase teaches the thing that actually separates researchers who get paid from researchers who burn out: deciding what to spend your weeks on, and, far more often, killing a lead fast before it kills your month.
Bug Class: Memory Corruption
The integer-math and length-handling mistakes that let attacker input write where it should not, how each one looks in ARM64, and how it presents at the crash. Every class is shown with a bespoke IOKit-shaped target you build, run, and catch red-handed on the lab.
Bug Class: Races and Use-After-Free
The crown jewels. Lifecycle bugs, double-fetches, refcount errors, and the real engineering of winning a window. This is the class that keeps paying out on a kernel that has been hardened against everything in Phase 07, so it is the class worth learning best.
Bug Class: Logic and the Confused Deputy
Privilege bugs with no memory corruption, and the privileged daemons that will act on your behalf. This is the class where the kernel's own hardening (typed zones, poison-on-free, bounds-checked copies) buys the defender nothing, because you are not corrupting memory at all. You are convincing a program to break its own rules, or to lend you its authority.
Reading a Crash
The thirty-second triage: what to read in a panic and in what order, why the fault address decides most of it, how to tell a real corruption from the kernel deliberately stopping itself, how to map a fault back to the exact instruction with certainty, and how to decide worth-a-week in minutes.
From Crash to Proof
Show control, prove it with a value a reviewer can re-derive, keep the proof of concept safe and minimal, and know when to stop. This is the phase that turns "the kernel died" into "watch me put a value I chose into the register the kernel faults on, and here is how you check me."
The Report, the Program, and the Long Game
Write something that gets taken seriously, and survive duplicates, downgrades, and the wait. Phase 11 gave you a re-derivable proof bundle. This phase turns that bundle into a submission that reproduces on the reviewer's first try, and it teaches the professional habits that decide what happens to it after you hit send.
Using AI on the Real Work (Not to Learn It)
A working researcher's use of AI as a tool on the actual tasks: drafting a trace you then verify, scripting the glue, attacking your own lead to kill it, drafting a report from confirmed notes. Not a substitute for the craft you built in Phases 00 to 12; a force multiplier on top of it, run behind a hard verification discipline.
Static Analysis at Scale and Variant Discovery
Turn one bug, or one dangerous pattern, into many leads across a whole image. This is the phase where a single fix or a single mistake stops being one finding and becomes a lens you point at the entire kernelcache.
Attack Surface Tour: Graphics and Media Accelerators
The largest and most rewarding local surface on the machine: GPU command submission over shared memory, and the media, scaler, and neural/compute accelerators that parse rich attacker structures. Taught as generalized method, with one bespoke accelerator you build, gate, submit to, and break on the lab.
Attack Surface Tour: Networking and Remote-Reachable Parsers
Where impact can rise from local to remote: packet parsers, socket paths, and wireless protocol stacks. This is the phase where the value ladder gets a new top rung, because a bug in a parser that runs on a packet that simply arrives is no longer a local privilege escalation, it is remote code execution in the kernel.
Attack Surface Tour: Peripheral, Storage, and Sensor Drivers
The wide field of hardware-backed drivers: storage controllers, interconnects, sensors, and management chips. They vend user clients (some open unprivileged), expose big dispatch tables, and back onto real silicon, which means most of the "interesting" surface is dead behind hardware reality, and a small slice is genuinely reachable and parses your input. This phase teaches you to tell those two apart, fast.
Attack Surface Tour: Filesystems and Mountable Media
Reach the kernel through mountable images and file metadata, a surface where the impact can rise above local: get a victim to mount or open a crafted image, or have one auto-mount from a download, and your parser bug executes in their kernel.
Attack Surface Tour: Security Subsystems and Core-Kernel Primitives
The subsystems that enforce security, and the primitives everything shares, where a logic slip is a boundary break. We tour the keystore and key-management user clients (gated by an entitlement bitmap, guarded by single-opener locks), the code-signing and trust-cache paths, the privacy/consent and sandbox-token delegation surfaces, and the shared Mach and process/VM primitives (vouchers, serialization, personas, VM, timers). The recurring skill is decoding a gated dispatch: recovering the bitmap that decides which selectors an unentitled caller can reach, and knowing which crash classes here actually pay.
Attack Surface Tour: User-to-Root via Privileged Daemons
The confused-deputy field in practice. Phase 09 taught the class on a single hand-built deputy; this phase is the working researcher's map of the whole territory: the population of privileged services a normal, unentitled process can talk to, and what they will do for you with their privileges. Zero memory corruption anywhere in this phase. The bugs are all in delegation and policy, and on a modern hardened macOS they are where user-to-root actually comes from.
Capstone: A Full Hunt, End to End
Run the whole lifecycle once, unassisted, and produce a submission-quality finding package against the lab. Everything the course taught, in the order you actually use it: scope the hunt, map and reverse and pick a target, find the bug and trigger it and triage the crash, escalate to a proof of control, bundle the evidence, and write the report. This is the phase where the twenty phases before it stop being separate skills and become one motion.