See No Eval: Runtime Dynamic Code Execution in Objective-C
There is a turing-complete querying language embeded in Objective-C hidden in plain sight.
X Site eScape (Part II): Look Up a Shell in the Dictionary
A funny bug chain turing inter-process XSS to native code execution for sandbox escape.
X Site eScape (Part III): CVE-2020-9860, A Copycat
Copycat.
X Site eScape (Part I): Exploitation of An Old CoreFoundation Sandbox Bug
Triggering inter-process XSS for fun and profit.
Revisiting An Old MediaRemote Bug (CVE-2018-4340)
Useless bugs are just being given up too early.
Two macOS Persistence Tricks Abusing Plugins
Similar to DLL sideloading, legit plugins on macOS could be abused to load executable code on startup.