History of Disk Arbitration Vulnerabilities
MacSysAdmin Conference

Published on Oct 11, 2024

The disk arbitration daemon (diskarbitrationd) has been, and still is, a great target for attackers because it runs unsandboxed, has root-level privileges, and has Full Disk Access permissions; moreover, it's reachable from any sandboxed application. As an added benefit, it's also open source and thus easier to audit.

In this talk I will give a walkthrough of DA internals: how it works, how a process can communicate with it, and what kind of defenses it has to mitigate attacks. Then I will walk through all the publicly known vulnerabilities and how Apple fixed each of them. We will see sandbox escapes, privilege escalations, and full TCC bypasses. We will review how Apple fixed each of them; one of those fixes is probably the most genius fix of all time.
