Speakers
Understanding the Apple IO80211Family Subsystem Vol. 2
Yu Wang
ABSTRACT

At MOSEC and Black Hat USA 2020 I presented a topic related to the Apple IO80211Family, which discussed the architecture, attack surfaces, and numerous cases of kernel vulnerabilities for the Apple 80211 Wi-Fi kernel extensions. Two years have passed; maybe you will be concerned about what new changes have taken place in the above fields? I would say, first of all, that new kernel vulnerabilities and attack surfaces are constantly being introduced while old bugs are being fixed. It's an endless game. Second, the IO80211Skywalk subsystems are becoming more and more important, and some of them have even been open sourced since XNU-8019.80.24. As security researchers we need to regularly update our domain knowledge and fuzzing framework. Next, the IO80211Family subsystem has been refactored again, and the version number in the IO80211FamilyV2 name has been removed. Of course, the changes behind this are not as simple as they seem.

As the research progressed, I quickly realized a new problem: the attack surfaces of the 80211 Wi-Fi subsystem are scattered all over the operating system, from user mode daemons to the network protocol stack, and to IO80211Family.kext, IONetworkingFamily.kext, AppleBCMWLANCoreMac.kext, IOSkywalkFamily.kext and other kernel extensions. So, it became very important to integrate the fuzzing framework and make all the components work together, which motivated me to design a new 80211 Wi-Fi fuzzing system. As part of the output of this system, I will share with you more than a dozen zero-day kernel vulnerabilities, such as CVE-2022-32837, CVE-2022-32847, CVE-2022-26761, CVE-2022-26762, CVE-2022-32860, etc. Through these brand new cases, this presentation will help you better understand the design of the Apple 80211 Wi-Fi subsystem and the security challenges it faces.

SPEAKER BIO

Yu Wang is the Co-founder and CEO of CyberServal. He loves everything regarding Operating System kernel, from kernel architecture, device driver development, Rootkit/Anti-rootkit solutions to vulnerability hunting, exploitation and mitigation. He has previously presented at MOSEC 2020, Black Hat USA 2014, 2020 & 2022, Black Hat Asia 2016 & 2021, Black Hat Europe 2020 and other conferences.

La La Land: Theory and Practice on Large-Scale Static Bug Hunting for Android Systems
Flanker
ABSTRACT

Vulnerability researchers always dream of a magic wand that, with a target phone model fed in, automatically spits out 0day vulnerabilities. Although static program analysis is essentially an unsolvable Turing halting problem, with the advance of technology we are still getting closer and closer to this ultimate goal. In this talk I will introduce my theory and practice on Java program analysis, including pointer analysis, inter-procedural taint analysis, call graph analysis and context, flow and object sensitivity, and my effort to improve the precision and performance of existing algorithms. Then, I will introduce the RIDE (Rom Intelligent Defect assEsment) vulnerability hunting platform for Android systems built on this engine. Finally, I will for the first time share the details of tens of high-severity CVEs in Google Android, Samsung and other major vendors found by RIDE, including system-level privilege escalation, StartAnyWhere and sensitive information leaks, arbitrary application install, etc.

SPEAKER BIO

Flanker (a.k.a. Qidan He), Senior Director of Shaechi Security Lab. He is the winner of multiple Pwn2Own championships and the Pwnie Award for Best Privilege Escalation. He is recognized in Google's and Samsung's global top security researcher halls of fame, and has spoken at conferences like Black Hat, DEFCON, RECON, CanSecWest, MOSEC, HITB, PoC, etc.

Understanding Mach IPC
Brightiup
ABSTRACT

Mach IPC is one of the most fundamental parts of the Mach subsystem in XNU, and it supports most inter-process communication as well as the communication between userspace and the kernel. We will talk about the implementation of Mach IPC and share some findings made in the process of understanding it, which in turn will deepen our understanding of Mach IPC. We will also introduce in detail the exploit method for CVE-2021-30955, which helped us achieve kernel AARW on iOS 15.1.

SPEAKER BIO

Brightiup, security researcher from Kunlun Lab, focuses on kernel security.

MediAttack - break the boot chain of MediaTek SoC
Xuewen Zhang
ABSTRACT

MediaTek is the world's 4th largest global fabless semiconductor company. They are market leaders in developing innovative systems-on-chip (SoC) for mobile devices, home entertainment, connectivity and IoT products. Ultimately, MediaTek powers more than 2 billion devices a year, that's in 20 percent of homes and nearly 1 of every 3 mobile phones globally. Therefore the security problems of MediaTek SoCs will affect millions of smartphones and IoT devices. A secure boot chain uses a set of policy objects to verify the next entity before execution and provides security in the booting process. Once we break the secure boot chain, we can take control over the booting process and run unsigned code on devices. In this presentation, we will cover our journey of breaking the MTK boot chain by exploiting BootROM vulnerabilities. We will walk through the process of how to obtain the BootROM, the exploitation of the vulnerabilities, and some specific mechanisms of MTK. Finally, a demo of a working exploit will be presented.

SPEAKER BIO

Xuewen Zhang: a security researcher from Pangu Team. In recent years, her primary interest has been low-level security, such as the kernel, bootloader and TrustZone.

The Tour Of Coverage Guided Fuzz For An IOT Micro Kernel System
Shenrong Liu, Pengju Liu
ABSTRACT

The debate between microkernel and macrokernel has been going on for many years, and this topic will introduce a microkernel operating system inspired by Little Kernel and mainly used for IoT devices. Based on it, we will introduce several core features, including the component isolation mechanism based on NameSpace, the user-mode file system, the virtual memory management implementation in the microkernel, and the design of the application sandbox. For a brand-new operating system, in order to fuzz its kernel more conveniently, we selected the Syzkaller engine and adapted it, adding coverage feedback-related implementations and syscall support so that it better supports Syzkaller fuzzing, and we found multiple kernel crashes. We will also explain in detail the adaptation process for the system and the problems found.

SPEAKER BIO

Shenrong Liu: Senior security researcher at Singularity Lab, currently mainly researching mobile and kernel security, and has delivered speeches at Black Hat and other conferences.

Pengju Liu: Security researcher at Singularity Lab, member of the Tianshu Dubhe team of Beijing University of Posts and Telecommunications, currently mainly researching kernel security.

Feat(My First EV)!: Add Support for App Store
Guanxing Wen
ABSTRACT

The electric vehicle (EV) market is one of the most promising industries in the world. Without the constraints of a gas engine and a multi-gear-ratio transmission, a lot of new EV makers are emerging. Thanks to the power of lithium-ion batteries, these new players have been able to take the infotainment system to the next level by introducing new features such as autopilot, over-the-air updates, voice assistant, navigation, online music and film streaming.

Hearing that they are fast and fun to drive, I decided to get into the EV world and bought my first car in 2021. This talk is about the journey of owning one of China's most successful EV brands' infotainment system. The journey begins with zero knowledge of its internals and ends with our ability to compromise the infotainment system. In addition to step-by-step instructions for building exploit chains that enable a remote shell, I'll share some interesting discoveries: controlling windows and doors, debugging via the USB port, subsystem communication mechanisms, and more.

SPEAKER BIO

Guanxing Wen is a security researcher at Pangu in Shanghai, mainly focusing on low-level systems such as TrustZone, the kernel and peripheral firmware. He is also a fan of pwning smart devices such as TVs, speakers, POS terminals and earbuds. He has spoken at various conferences such as MOSEC, BHEU, Infiltrate and 44CON.

Schedule

08:00 - 09:00

On-site Registration

09:00 - 09:50

Understanding the Apple IO80211Family Subsystem Vol. 2

09:50 - 10:40

La La Land: Theory and Practice on Large-Scale Static Bug Hunting for Android Systems

10:40 - 11:00

Break

11:00 - 11:50

MediAttack - break the boot chain of MediaTek SoC

12:00 - 13:30

Lunch

13:30 - 14:20

Understanding Mach IPC

14:20 - 15:10

The Tour Of Coverage Guided Fuzz For An IOT Micro Kernel System

15:10 - 16:00

Feat(My First EV)!: Add Support for App Store

16:00 - 16:30

Break

16:30 - 18:00

BaiJiuCon (hosted by Thomas Lim)

18:00 - 18:10

Close

Hotel
Wanda Reign on the Bund
2022/11/04 (Friday)
No 538 Zhong Shan Dong Er Road Huangpu District