Breaking the Sound Barrier: Exploiting CoreAudio via Mach Message Fuzzing
Dillon Franke
OffensiveCon 2025 · Day 1 · Main
Dillon Franke of Google developed a coverage-guided fuzzing harness targeting macOS's `coreaudiod` daemon via its Mach IPC interface, introducing a technique called "API call chaining" to guide stateful fuzzing past initialization barriers. The research produced two memory-corruption vulnerabilities — a type confusion and a double-free — in the CoreAudio framework, with the type confusion turned into a working sandbox escape on modern macOS.

---
AI review
Franke's Mach IPC fuzzing methodology is practical, well-reasoned, and delivered a working sandbox escape on modern macOS; the API call chaining technique for breaking through stateful initialization barriers is a concrete contribution that will be reused. Two memory-corruption bugs in coreaudiod, one of them weaponized to escape the Safari GPU process sandbox despite PAC and CFI, make for a legitimate result with strong platform impact.