You’ve popped a renderer on OS X. Now what? I’ve spent a good chunk of the past six months finding out. The sandbox escape and local privilege escalation attack surface on OS X has provided an interesting mix of old school bugs (kernel NULL pointer dereferences are dead you say?) and more novel bug classes like type-confusions in objective-c. This talk aims to explain to the audience the fundamentals of the OS X security model, what makes it unique and then to dive into as many varied VR and exploitation examples of real bugs as I can fit into the timeslot.