Compromising a kernel through a browser is the ultimate goal for offensive security researchers. Because of continuous efforts to eliminate vulnerabilities and introduce various mitigations, a remote kernel exploit from a browser becomes extremely difficult, seemingly impossible.
In this talk, we will share our Safari exploit submitted to Pwn2Own 2020. Combining SIX different vulnerabilities, our exploit successfully compromises the macOS kernel starting from the Safari browser. It breaks every mitigation in macOS including ASLR, DEP, sandbox, and even System Integrity Protection (SIP). Inspecting every vulnerability used in this exploit, we will show not only state-of-the-art hacking techniques but also challenges in protecting complicated systems (i.e., browsers and operating systems) and in introducing their mitigations. Moreover, we will introduce a new technique that reliably exploits a TOCTOU vulnerability in macOS.