< NULLCON 2025 - BERLIN />

About the Speaker

Koh M. Nakagawa
Security Researcher FFRI Security

< Talk Title />

Why Is Process Isolation Indispensable? Stealing All macOS Sensitive Info with a Single Vulnerability

< Talk Category />

Technical Speakers

< Talk Abstract />

On macOS, System Integrity Protection (SIP) enforces strict isolation between processes, even when they share the same user ID (UID). Typically, even processes running with root privileges cannot read the memory of other processes unless granted special entitlements. Previously known methods of bypassing this isolation have largely relied on vulnerabilities specific to target applications, such as the absence of a hardened runtime or the presence of the disable-library-validation entitlement. Even these application-specific flaws have led to serious privacy issues, including TCC bypasses and credential theft from password managers. But what if an attacker discovered a vulnerability that completely breaks process isolation? How much could be achieved with just a single vulnerability?


In this presentation, we introduce a vulnerability that breaks process isolation on macOS. When exploited, it allows reading the memory of any process—even with SIP enabled—enabling the extraction of sensitive information from the Keychain without requiring the user’s plain password. The same vulnerability also bypasses TCC protections, granting unauthorized access to contacts, files, emails, reminders, and more. Remarkably, this vulnerability stems from a fundamental mistake by Apple, resulting in a surprisingly simple exploit code.


Furthermore, this vulnerability enables the decryption of FairPlay-encrypted iOS apps on macOS, removing a significant barrier to iOS application analysis. This capability is particularly valuable for iOS application penetration testing, as it eliminates the need for a jailbroken iPhone and allows testing to be performed directly on a macOS laptop.


Through this presentation and a live demonstration of the exploit, attendees will gain insight into why process isolation is critical to macOS's security model. We will also discuss methods for detecting such exploits. All PoC code will be published on GitHub after the talk.

< Speaker Bio />

Koh M. Nakagawa is a security researcher at FFRI Security, Inc., mainly working on vulnerability research on Apple products. He has given talks at security conferences such as Black Hat EU, Black Hat Asia, and CODE BLUE.