際際滷

際際滷Share a Scribd company logo

CodeQL + DTrace = Memory Disclosure Vulnerabilities in XNU

A
Arsenii Kostromin

CodeQL + DTrace = in XNU The document discusses using CodeQL and DTrace to find kernel memory disclosure vulnerabilities in XNU, the kernel for macOS. It describes building a CodeQL database for XNU, writing CodeQL queries to find unsafe array index patterns, and how these patterns could be exploited via the DTrace framework in the kernel to leak kernel memory. One example shows an out-of-bounds read issue in a DTrace function that was addressed by Apple.

1 of 57
Download to read offline
CodeQL + DTrace = in XNU HowtofindmultiplememorydisclosuresinXNUusingCodeQL
whoami ArseniiKostromin Securityresearcher FocusonmacOSsecurity:userlandandkernel Twitter@0x3C3E
Agenda KernelMemoryDisclosure,my and bugsinXNU
Motivation AppleintervieweraskedmeseveraltimeswhyIdon'tlookforbugsinthekernel Is it hard for you? Before December 2022 ,Ihaven'tlookedintothe XNU sourcecode 4
CodeQL + DTrace = Memory Disclosure Vulnerabilities in XNU
KernelMemoryDisclosure
Myapproach Searchonlineandtagwriteups Prepareadebuggingenvironment UseCodeQLtosearchforsomepatterns 7
Some easy bugsinXNU AtaleofasimpleApplekernelbug Weggliwasusedtofindaspecificpattern FindingamemoryexposurevulnerabilitywithCodeQL CodeQLwasused,theauthorfoundabugintheDTracemoduleofXNU 8
HowtodebugkernelonasingleM1laptop? QEMUemulatesIntel-basedmacOS DTrace,dynamictracingframeworkinXNU 9
DTrace Releasedin 2005 byOracle ApplemergeditintoXNUin 2007 Wasitthoroughlyaudited? It'scomplexandhasitsemulatorin the kernel #define DIF_OP_OR 1 /* or r1, r2, rd */ #define DIF_OP_XOR 2 /* xor r1, r2, rd */ ... #define DIF_OP_STRIP 80 /* strip r1, key, rd */ bsd/sys/dtrace.h 10
CodeQL Frameworkfordoingstaticanalysis Modelscodeasdatadatabase Writelogic-basedSQL-likequeriestofindpatterns 11
BuildingaCodeQLdatabase Havetocompiletheprogramwewanttoquery Bydefault,somefilesweremissing AgreatscripttobuildaCodeQLdatabaseforXNUbypwn0rz 12
Codepattern IdecidedtolookforOOBissues.Forthat,Iwroteaquerytofindsuchcode,whichmeets theconditionsbelow: a >= b ,where a issigned,and b isnot No a <= 0 and a < 0 checks a isanarrayindex 13
a >= b ,where a issigned,and b isnot from Variable arg where exists( GEExpr ge | ge.getLeftOperand() = arg.getAnAccess() and ge.getLeftOperand(). getExplicitlyConverted(). getUnderlyingType().(IntegralType).isSigned() and ge.getRightOperand(). getExplicitlyConverted(). getUnderlyingType().(IntegralType).isUnsigned() ) select arg 14
No a < 0 and a <= 0 checks from Variable arg where not exists( LTExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) and not exists( LEExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) select arg 15
a isanarrayindex from Variable arg, ArrayExpr ae where ae.getArrayOffset() = arg.getAnAccess() select ae.getArrayOffset(), ae.getEnclosingFunction() 16
Combined from Variable arg, ArrayExpr ae where exists( GEExpr ge | ge.getLeftOperand() = arg.getAnAccess() and ge.getLeftOperand(). getExplicitlyConverted(). getUnderlyingType().(IntegralType).isSigned() and ge.getRightOperand(). getExplicitlyConverted(). getUnderlyingType().(IntegralType).isUnsigned() ) and not exists( LTExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) and not exists( LEExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) and ae.getArrayOffset() = arg.getAnAccess() select ae.getArrayOffset(), ae.getEnclosingFunction() 17
Thequeryproduces 20 results Only 6 differentfunctions 18
fasttrap_pid_getargdesc // args: (void *arg, dtrace_id_t id, void *parg, dtrace_argdesc_t *desc) if (probe->ftp_prov->ftp_retired != 0 || desc->dtargd_ndx >= probe->ftp_nargs) { desc->dtargd_ndx = DTRACE_ARGNONE; return; } ndx = (probe->ftp_argmap != NULL) ? probe->ftp_argmap[desc->dtargd_ndx] : desc->dtargd_ndx; Docs:gettheargumentdescriptionforargs[X] bsd/dev/dtrace/fasttrap.c 19
dtargd_ndx is int typedef struct dtrace_argdesc { ... int dtargd_ndx; /* arg number (-1 iff none) */ ... } dtrace_argdesc_t; ftp_nargs is unsigned char struct fasttrap_probe { ... uint8_t ftp_nargs; /* translated argument count */ ... }; bsd/sys/dtrace.h,bsd/sys/fasttrap_impl.h 20
Bothsidesareconvertedto int As desc->dtargd_ndx is int and probe->ftp_nargs is unsigned char if (probe->ftp_prov->ftp_retired != 0 || desc->dtargd_ndx >= probe->ftp_nargs) { desc->dtargd_ndx = DTRACE_ARGNONE; return; } If desc->dtargd_ndx < 0 ,then desc->dtargd_ndx >= probe->ftp_nargs isalways false 21
OOBRead, desc->dtargd_ndx isanindex ndx = (probe->ftp_argmap != NULL) ? probe->ftp_argmap[desc->dtargd_ndx] : desc->dtargd_ndx; If probe->ftp_argmap isn't null ,it'spossibletoreachthefirstexpressionanduse desc->dtargd_ndx withvalueslessthan 0 22
Nodirectcallstothefunction It'scalledasaC-style virtual function 23
dtrace_pops typedef struct dtrace_pops { ... void (*dtps_getargdesc)(void *arg, dtrace_id_t id, void *parg, dtrace_argdesc_t *desc); ... } dtrace_pops_t; dtrace_pops_t static dtrace_pops_t pid_pops = { ... .dtps_getargdesc = fasttrap_pid_getargdesc, ... }; bsd/sys/dtrace.h,bsd/dev/dtrace/fasttrap.c 24
dtps_getargdesc mightbeapointerto fasttrap_pid_getargdesc prov->dtpv_pops.dtps_getargdesc( prov->dtpv_arg, probe->dtpr_id, probe->dtpr_arg, &desc ); bsd/dev/dtrace/dtrace.c 25
Upperboundcheckin fasttrap_pid_getargdesc if (probe->ftp_prov->ftp_retired != 0 || desc->dtargd_ndx >= probe->ftp_nargs) { desc->dtargd_ndx = DTRACE_ARGNONE; return; } Comparingto -1 in dtrace_ioctl if (desc.dtargd_ndx == DTRACE_ARGNONE) return (EINVAL); bsd/dev/dtrace/fasttrap.c,bsd/dev/dtrace/dtrace.c 26
Howtoleakout-of-boundsvalues? ndx = (probe->ftp_argmap != NULL) ? probe->ftp_argmap[desc->dtargd_ndx] : desc->dtargd_ndx; str = probe->ftp_ntypes; for (i = 0; i < ndx; i++) { str += strlen(str) + 1; } (void) strlcpy(desc->dtargd_native, str, sizeof(desc->dtargd_native)); Wecontrolintegerindex desc->dtargd_ndx andarrayof null delimitedstrings probe->ftp_ntypes (arrayofchars) Wehavetoleak probe->ftp_argmap[desc->dtargd_ndx] ( ndx isinteger)value into desc->dtargd_native 27
Theidea str = probe->ftp_ntypes; // { 1, 1, 0, 1, 0, 2, 0, 3, 0, ...} for (i = 0; i < ndx; i++) { // ndx is a value to leak str += strlen(str) + 1; } (void) strlcpy(desc->dtargd_native, str, sizeof(desc->dtargd_native)); Wecouldpopulate probe->ftp_ntypes withanarrayofnulldelimitedstrings [1, 1, 0, 1, 0, 2, 0, 3, 0, ..., 255] from0to255(showedasbytes) Encode 0 forexampleas [1, 1, 0] ,soit'scopiedtotheuserland Then ndx equalstovaluein str Specialcase 0 is "x01x01x00" 28
ndx = 0 str = probe->ftp_ntypes; // { 1, 1, 0, 1, 0, 2, 0, 3, 0, ...} for (i = 0; i < ndx; i++) { // ^ str += strlen(str) + 1; } // str points to "x01x01x00" (void) strlcpy(desc->dtargd_native, str, sizeof(desc->dtargd_native)); ndx = 1 str = probe->ftp_ntypes; // { 1, 1, 0, 1, 0, 2, 0, 3, 0, ...} for (i = 0; i < ndx; i++) { // ^ str += strlen(str) + 1; } // str points to "x01x00" (void) strlcpy(desc->dtargd_native, str, sizeof(desc->dtargd_native)); 29
Howtoreach? _dtrace_ioctl DTRACEIOC_PROBEARG switchcase fasttrap_pid_getargdesc 30
CVE-2023-27941 Kernel Available for: macOS Ventura Impact: An app may be able to disclose kernel memory Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. Details Thebugallowsreadingdatabytebybyteinarangeof2GB Requiresrootaccess 31
Patch Reversed fasttrap_pid_getargdesc changes if (probe->ftp_prov->ftp_retired != 0 || desc->dtargd_ndx < 0 || // added desc->dtargd_ndx >= probe->ftp_nargs) { desc->dtargd_ndx = DTRACE_ARGNONE; return; } Applehasn'treleasedthenew XNU sourcecode 32
KernelMemoryDisclosure
Codepattern a < b ,where a issigned Thecomparisonabovehappensin IfStmt No a <= 0 and a < 0 checks a isanarrayindex 34
a < b ,where a issigned,happensin IfStmt from Variable arg where exists( LTExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getParent() instanceof IfStmt and le.getLeftOperand(). getExplicitlyConverted(). getUnderlyingType().(IntegralType).isSigned() ) select arg IfStmt is if (a < b) {} ,butnot a < b in for (a = 0; a < b; a++) 35
No a < 0 and a <= 0 checks from Variable arg where not exists( LTExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) and not exists( LEExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) select arg 36
a isanarrayindex from Variable arg, ArrayExpr ae where ae.getArrayOffset() = arg.getAnAccess() select ae.getArrayOffset(), ae.getEnclosingFunction() 37
Filterresultsbyafilepath from ArrayExpr ae where ae.getFile().getAbsolutePath(). matches("%/xnu-build/xnu/%") and not ae.getFile().getAbsolutePath(). matches("%/xnu-build/xnu/SETUP/%") select ae.getArrayOffset(), ae.getEnclosingFunction() 38
Combined from Variable arg, ArrayExpr ae where exists( LTExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getParent() instanceof IfStmt and le.getLeftOperand(). getExplicitlyConverted(). getUnderlyingType().(IntegralType).isSigned() ) and not exists( LTExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) and not exists( LEExpr le | le.getLeftOperand() = arg.getAnAccess() and le.getRightOperand().getValue() = "0" ) and ae.getArrayOffset() = arg.getAnAccess() and ae.getFile().getAbsolutePath().matches("%/xnu-build/xnu/%") and not ae.getFile().getAbsolutePath().matches("%/xnu-build/xnu/SETUP/%") select ae.getArrayOffset(), ae.getEnclosingFunction() 39
Thequeryproduces 169 results Only 45 differentfunctions 40
OOBRead, argno isanindexon arm64 uint64_t fasttrap_pid_getarg(void *arg, dtrace_id_t id, void *parg, int argno, int aframes) { arm_saved_state_t* regs = find_user_regs(current_thread()); /* First eight arguments are in registers */ if (argno < 8) { return saved_state64(regs)->x[argno]; } Docs:getthevalueforanargXorargs[X]variable bsd/dev/arm64/fasttrap_isa.c 41
OOBRead, argno isanindexon x86_64 uint64_t fasttrap_pid_getarg(void* arg, dtrace_id_t id, void* parg, int argno, int aframes) { pal_register_cache_state(current_thread(), VALID); return (fasttrap_anarg( (x86_saved_state_t*)find_user_regs(current_thread()), 1, argno)); } fasttrap_anarg // args: (x86_saved_state_t *regs, int function_entry, int argno) if (argno < 6) return ((&regs64->rdi)[argno]); bsd/dev/i386/fasttrap_isa.c,bsd/dev/i386/fasttrap_isa.c 42
dtrace_pops typedef struct dtrace_pops { ... uint64_t (*dtps_getargval)(void *arg, dtrace_id_t id, void *parg, int argno, int aframes); ... } dtrace_pops_t; dtrace_pops_t static dtrace_pops_t pid_pops = { ... .dtps_getargval = fasttrap_pid_getarg, ... }; bsd/dev/dtrace/fasttrap.c 43
dtps_getargval mightbeapointerto fasttrap_pid_getarg // func: dtrace_dif_variable // args: (dtrace_mstate_t *mstate, dtrace_state_t *state, uint64_t v, // uint64_t ndx) val = pv->dtpv_pops.dtps_getargval(pv->dtpv_arg, mstate->dtms_probe->dtpr_id, mstate->dtms_probe->dtpr_arg, ndx, aframes); bsd/dev/dtrace/dtrace.c 44
Boundscheck? // func: dtrace_dif_variable // args: (dtrace_mstate_t *mstate, dtrace_state_t *state, uint64_t v, // uint64_t ndx) if (ndx >= sizeof (mstate->dtms_arg) / sizeof (mstate->dtms_arg[0])) { ... dtrace_provider_t *pv; uint64_t val; pv = mstate->dtms_probe->dtpr_provider; if (pv->dtpv_pops.dtps_getargval != NULL) val = pv->dtpv_pops.dtps_getargval(pv->dtpv_arg, mstate->dtms_probe->dtpr_id, mstate->dtms_probe->dtpr_arg, ndx, aframes); ndx isan unsigned long long ,laterit'sconvertedintoan int in fasttrap_pid_getarg , argno argument 45
Howtoreach? dtrace_dif_emulate DIF_OP_LDGA opcode dtrace_dif_variable fasttrap_pid_getarg 46
AnoldPoChelpedtotriggerthevulnerablefunction AlmostthesamecodeflowasinCVE-2017-13782byKevinBackhouse Butyouhavetousea fasttrap provider,whichallowstracinguserlandfunctions It'spossibletodefineafunction void foo() {} TraceitusingDTrace: pid$target::foo:entry { ... } 47
Codeflowdifference pv = mstate->dtms_probe->dtpr_provider; if (pv->dtpv_pops.dtps_getargval != NULL) val = pv->dtpv_pops.dtps_getargval(pv->dtpv_arg, mstate->dtms_probe->dtpr_id, mstate->dtms_probe->dtpr_arg, ndx, aframes); // CVE-2023-28200 ... else val = dtrace_getarg(ndx, aframes, mstate, vstate); // CVE-2017-13782 9 linesdifference bsd/dev/dtrace/dtrace.c 48
CVE-2023-28200 Kernel Available for: macOS Ventura Impact: An app may be able to disclose kernel memory Description: A validation issue was addressed with improved input sanitization. Details Thebugallowsreadingdatainarangeof16GB Requiresrootaccess 49
Patch Reversed dtrace_dif_variable changes if (ndx >= sizeof (mstate->dtms_arg) / sizeof (mstate->dtms_arg[0])) { if ((ndx & 0x80000000) != 0) return 0; // added ... dtrace_provider_t *pv; uint64_t val; pv = mstate->dtms_probe->dtpr_provider; if (pv->dtpv_pops.dtps_getargval != NULL) val = pv->dtpv_pops.dtps_getargval(pv->dtpv_arg, mstate->dtms_probe->dtpr_id, mstate->dtms_probe->dtpr_arg, ndx, aframes); Additionalcheckaddedincallerfunction Calleefunctionsareunfixedforsomereason 50
@jaakerblom 51
Why? root access!= kernel accessonmacOS SIP putsthewholesystemintoasandbox even root can'tloaduntrustedkernelextensions +Ihad App Sandbox Escape user to root LPEchain 52
PoCs CVE-2023-27941matcheskerneladdressesfromleakeddata CVE-2023-28200onlypanicsthekernel 53
Conclusion Applehastomaintaintwoarchitectures: x86_64 and arm64 C-like virtual functions make static analysisharder 54
Resources Realhackersdon'tleaveDTrace FindingamemoryexposurevulnerabilitywithCodeQL ThereisnoSinmacOSSIP 55
Thankyou
Q&A

Recommended

Xdp and ebpf_maps
Xdp and ebpf_mapsXdp and ebpf_maps
Xdp and ebpf_maps
lcplcp1
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
Alcides Fonseca
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
Deep Learning for Computer Vision: Software Frameworks (UPC 2016)
Deep Learning for Computer Vision: Software Frameworks (UPC 2016)Deep Learning for Computer Vision: Software Frameworks (UPC 2016)
Deep Learning for Computer Vision: Software Frameworks (UPC 2016)
Universitat Polit竪cnica de Catalunya
RAPIDS: 从仂磳仄 Pandas 亳 scikit-learn 仆舒 GPU 舒于亠仍 仍亠仄亠仆从仂于, NVidia
RAPIDS: 从仂磳仄 Pandas 亳 scikit-learn 仆舒 GPU 舒于亠仍 仍亠仄亠仆从仂于, NVidiaRAPIDS: 从仂磳仄 Pandas 亳 scikit-learn 仆舒 GPU 舒于亠仍 仍亠仄亠仆从仂于, NVidia
RAPIDS: 从仂磳仄 Pandas 亳 scikit-learn 仆舒 GPU 舒于亠仍 仍亠仄亠仆从仂于, NVidia
Mail.ru Group
Debug generic process
Debug generic processDebug generic process
Debug generic process
Vipin Varghese
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds Pm
AndyA
PySpark in practice slides
PySpark in practice slidesPySpark in practice slides
PySpark in practice slides
Dat Tran
Design and Simulation Triple-DES
Design and Simulation Triple-DESDesign and Simulation Triple-DES
Design and Simulation Triple-DES
chatsiri
Unit_ 5.3 Interprocess communication.pdf
Unit_ 5.3 Interprocess communication.pdfUnit_ 5.3 Interprocess communication.pdf
Unit_ 5.3 Interprocess communication.pdf
AnilkumarBrahmane2
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
DefconRussia
Fatkulin presentation
Fatkulin presentationFatkulin presentation
Fatkulin presentation
Enkitec
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
Deep learning with kafka
Deep learning with kafkaDeep learning with kafka
Deep learning with kafka
Nitin Kumar
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
David Walker
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" course
Shuai Yuan
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cuda
Ferdinand Jamitzky
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
Andrey Karpov
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
PROIDEA
DTrace Topics: Introduction
DTrace Topics: IntroductionDTrace Topics: Introduction
DTrace Topics: Introduction
Brendan Gregg
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
Jonathan Salwan
Using R on Netezza
Using R on NetezzaUsing R on Netezza
Using R on Netezza
Ajay Ohri
It802 bruning
It802 bruningIt802 bruning
It802 bruning
mrbruning
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
Platonov Sergey
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
Breaking New Frontiers in Robotics and Edge Computing with AI
Breaking New Frontiers in Robotics and Edge Computing with AIBreaking New Frontiers in Robotics and Edge Computing with AI
Breaking New Frontiers in Robotics and Edge Computing with AI
Dustin Franklin
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
Insight Technology, Inc.
AOMEI Backupper Crack 2025 FREE Download
AOMEI Backupper Crack 2025 FREE DownloadAOMEI Backupper Crack 2025 FREE Download
AOMEI Backupper Crack 2025 FREE Download
muhammadwaqaryounus6
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recap
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recapMarketo Engage North America Virtual User Group: Adobe Summit 2025 recap
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recap
BradBedford3

More Related Content

Similar to CodeQL + DTrace = Memory Disclosure Vulnerabilities in XNU (20)

Design and Simulation Triple-DES
Design and Simulation Triple-DESDesign and Simulation Triple-DES
Design and Simulation Triple-DES
chatsiri
Unit_ 5.3 Interprocess communication.pdf
Unit_ 5.3 Interprocess communication.pdfUnit_ 5.3 Interprocess communication.pdf
Unit_ 5.3 Interprocess communication.pdf
AnilkumarBrahmane2
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
DefconRussia
Fatkulin presentation
Fatkulin presentationFatkulin presentation
Fatkulin presentation
Enkitec
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
Deep learning with kafka
Deep learning with kafkaDeep learning with kafka
Deep learning with kafka
Nitin Kumar
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
David Walker
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" course
Shuai Yuan
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cuda
Ferdinand Jamitzky
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
Andrey Karpov
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
PROIDEA
DTrace Topics: Introduction
DTrace Topics: IntroductionDTrace Topics: Introduction
DTrace Topics: Introduction
Brendan Gregg
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
Jonathan Salwan
Using R on Netezza
Using R on NetezzaUsing R on Netezza
Using R on Netezza
Ajay Ohri
It802 bruning
It802 bruningIt802 bruning
It802 bruning
mrbruning
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
Platonov Sergey
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
Breaking New Frontiers in Robotics and Edge Computing with AI
Breaking New Frontiers in Robotics and Edge Computing with AIBreaking New Frontiers in Robotics and Edge Computing with AI
Breaking New Frontiers in Robotics and Edge Computing with AI
Dustin Franklin
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
Insight Technology, Inc.
Design and Simulation Triple-DES
Design and Simulation Triple-DESDesign and Simulation Triple-DES
Design and Simulation Triple-DES
chatsiri
Unit_ 5.3 Interprocess communication.pdf
Unit_ 5.3 Interprocess communication.pdfUnit_ 5.3 Interprocess communication.pdf
Unit_ 5.3 Interprocess communication.pdf
AnilkumarBrahmane2
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
DefconRussia
Fatkulin presentation
Fatkulin presentationFatkulin presentation
Fatkulin presentation
Enkitec
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
Deep learning with kafka
Deep learning with kafkaDeep learning with kafka
Deep learning with kafka
Nitin Kumar
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
David Walker
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" course
Shuai Yuan
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cuda
Ferdinand Jamitzky
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
Andrey Karpov
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
PROIDEA
DTrace Topics: Introduction
DTrace Topics: IntroductionDTrace Topics: Introduction
DTrace Topics: Introduction
Brendan Gregg
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
Jonathan Salwan
Using R on Netezza
Using R on NetezzaUsing R on Netezza
Using R on Netezza
Ajay Ohri
It802 bruning
It802 bruningIt802 bruning
It802 bruning
mrbruning
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
Platonov Sergey
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
Breaking New Frontiers in Robotics and Edge Computing with AI
Breaking New Frontiers in Robotics and Edge Computing with AIBreaking New Frontiers in Robotics and Edge Computing with AI
Breaking New Frontiers in Robotics and Edge Computing with AI
Dustin Franklin
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
Insight Technology, Inc.

Recently uploaded (20)

AOMEI Backupper Crack 2025 FREE Download
AOMEI Backupper Crack 2025 FREE DownloadAOMEI Backupper Crack 2025 FREE Download
AOMEI Backupper Crack 2025 FREE Download
muhammadwaqaryounus6
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recap
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recapMarketo Engage North America Virtual User Group: Adobe Summit 2025 recap
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recap
BradBedford3
Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)
blouch36kp
Sublime Text Crack 2025 LATEST Version FREE
Sublime Text Crack 2025 LATEST Version FREESublime Text Crack 2025 LATEST Version FREE
Sublime Text Crack 2025 LATEST Version FREE
muhammadwaqaryounus6
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...
Imma Valls Bernaus
Hands-On AWS: Java SDK + CLI for Cloud Developers
Hands-On AWS: Java SDK + CLI for Cloud DevelopersHands-On AWS: Java SDK + CLI for Cloud Developers
Hands-On AWS: Java SDK + CLI for Cloud Developers
Meetu Maltiar
Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)
basitayoubi007
Microsoft Office Crack 2019 Free Download
Microsoft Office Crack 2019 Free DownloadMicrosoft Office Crack 2019 Free Download
Microsoft Office Crack 2019 Free Download
tayab01kp
Internet Download Manager (IDM) Crack + Lisence key Latest version 2025
Internet Download Manager (IDM) Crack + Lisence key Latest version 2025Internet Download Manager (IDM) Crack + Lisence key Latest version 2025
Internet Download Manager (IDM) Crack + Lisence key Latest version 2025
shahzad011kp
wAIred_VoxxedDaysAmsterdam_03042025.pptx
wAIred_VoxxedDaysAmsterdam_03042025.pptxwAIred_VoxxedDaysAmsterdam_03042025.pptx
wAIred_VoxxedDaysAmsterdam_03042025.pptx
SimonedeGijt
Internet Download Manager Crack Latest version 2025
Internet Download Manager Crack Latest version 2025Internet Download Manager Crack Latest version 2025
Internet Download Manager Crack Latest version 2025
mohsinrazakpa26
IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025
IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025
IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025
alibajava70
Top Online Food Ordering Script Company - Become Vendor
Top Online Food Ordering Script Company - Become VendorTop Online Food Ordering Script Company - Become Vendor
Top Online Food Ordering Script Company - Become Vendor
Kevin Miller
Distributed systems: design, principles and experiencies
Distributed systems: design, principles and experienciesDistributed systems: design, principles and experiencies
Distributed systems: design, principles and experiencies
Andr辿s P辿rez Gil
ESET NOD32 Antivirus Crack with License Key 2025
ESET NOD32 Antivirus Crack with License Key 2025ESET NOD32 Antivirus Crack with License Key 2025
ESET NOD32 Antivirus Crack with License Key 2025
umeerbinfaizan
6 Best AI Tools for Contract Management.pdf
6 Best AI Tools for Contract Management.pdf6 Best AI Tools for Contract Management.pdf
6 Best AI Tools for Contract Management.pdf
Anadea
E-commerce App Development cost in 2025.pdf
E-commerce App Development cost in 2025.pdfE-commerce App Development cost in 2025.pdf
E-commerce App Development cost in 2025.pdf
sandeepjangidimg
Website Facebook Snippet in odoo, Website Facebook Feed in odoo
Website Facebook Snippet in odoo, Website Facebook Feed in odooWebsite Facebook Snippet in odoo, Website Facebook Feed in odoo
Website Facebook Snippet in odoo, Website Facebook Feed in odoo
AxisTechnolabs
The Evolution of Microsoft Project Portfolio Management
The Evolution of Microsoft Project Portfolio ManagementThe Evolution of Microsoft Project Portfolio Management
The Evolution of Microsoft Project Portfolio Management
OnePlan Solutions
Adobe XD Crack Version 2025 Free Download
Adobe XD Crack Version 2025 Free DownloadAdobe XD Crack Version 2025 Free Download
Adobe XD Crack Version 2025 Free Download
basitayoubi105
AOMEI Backupper Crack 2025 FREE Download
AOMEI Backupper Crack 2025 FREE DownloadAOMEI Backupper Crack 2025 FREE Download
AOMEI Backupper Crack 2025 FREE Download
muhammadwaqaryounus6
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recap
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recapMarketo Engage North America Virtual User Group: Adobe Summit 2025 recap
Marketo Engage North America Virtual User Group: Adobe Summit 2025 recap
BradBedford3
Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)
blouch36kp
Sublime Text Crack 2025 LATEST Version FREE
Sublime Text Crack 2025 LATEST Version FREESublime Text Crack 2025 LATEST Version FREE
Sublime Text Crack 2025 LATEST Version FREE
muhammadwaqaryounus6
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cl...
Imma Valls Bernaus
Hands-On AWS: Java SDK + CLI for Cloud Developers
Hands-On AWS: Java SDK + CLI for Cloud DevelopersHands-On AWS: Java SDK + CLI for Cloud Developers
Hands-On AWS: Java SDK + CLI for Cloud Developers
Meetu Maltiar
Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)Adobe Illustrator Crack Download (Latest 2025)
Adobe Illustrator Crack Download (Latest 2025)
basitayoubi007
Microsoft Office Crack 2019 Free Download
Microsoft Office Crack 2019 Free DownloadMicrosoft Office Crack 2019 Free Download
Microsoft Office Crack 2019 Free Download
tayab01kp
Internet Download Manager (IDM) Crack + Lisence key Latest version 2025
Internet Download Manager (IDM) Crack + Lisence key Latest version 2025Internet Download Manager (IDM) Crack + Lisence key Latest version 2025
Internet Download Manager (IDM) Crack + Lisence key Latest version 2025
shahzad011kp
wAIred_VoxxedDaysAmsterdam_03042025.pptx
wAIred_VoxxedDaysAmsterdam_03042025.pptxwAIred_VoxxedDaysAmsterdam_03042025.pptx
wAIred_VoxxedDaysAmsterdam_03042025.pptx
SimonedeGijt
Internet Download Manager Crack Latest version 2025
Internet Download Manager Crack Latest version 2025Internet Download Manager Crack Latest version 2025
Internet Download Manager Crack Latest version 2025
mohsinrazakpa26
IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025
IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025
IObit Driver Booster Pro Serial Key v11.2.0.46 Full Crack 2025
alibajava70
Top Online Food Ordering Script Company - Become Vendor
Top Online Food Ordering Script Company - Become VendorTop Online Food Ordering Script Company - Become Vendor
Top Online Food Ordering Script Company - Become Vendor
Kevin Miller
Distributed systems: design, principles and experiencies
Distributed systems: design, principles and experienciesDistributed systems: design, principles and experiencies
Distributed systems: design, principles and experiencies
Andr辿s P辿rez Gil
ESET NOD32 Antivirus Crack with License Key 2025
ESET NOD32 Antivirus Crack with License Key 2025ESET NOD32 Antivirus Crack with License Key 2025
ESET NOD32 Antivirus Crack with License Key 2025
umeerbinfaizan
6 Best AI Tools for Contract Management.pdf
6 Best AI Tools for Contract Management.pdf6 Best AI Tools for Contract Management.pdf
6 Best AI Tools for Contract Management.pdf
Anadea
E-commerce App Development cost in 2025.pdf
E-commerce App Development cost in 2025.pdfE-commerce App Development cost in 2025.pdf
E-commerce App Development cost in 2025.pdf
sandeepjangidimg
Website Facebook Snippet in odoo, Website Facebook Feed in odoo
Website Facebook Snippet in odoo, Website Facebook Feed in odooWebsite Facebook Snippet in odoo, Website Facebook Feed in odoo
Website Facebook Snippet in odoo, Website Facebook Feed in odoo
AxisTechnolabs
The Evolution of Microsoft Project Portfolio Management
The Evolution of Microsoft Project Portfolio ManagementThe Evolution of Microsoft Project Portfolio Management
The Evolution of Microsoft Project Portfolio Management
OnePlan Solutions
Adobe XD Crack Version 2025 Free Download
Adobe XD Crack Version 2025 Free DownloadAdobe XD Crack Version 2025 Free Download
Adobe XD Crack Version 2025 Free Download
basitayoubi105

CodeQL + DTrace = Memory Disclosure Vulnerabilities in XNU

AboutCopyright
息 2025 際際滷