Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit

Presented at Black Hat Europe 2018, Dec. 5, 2018, 10:30 a.m. (50 minutes)

Apple operation system has gained much popularity both in the personal computer (MacOS) and in the mobile devices (iOS) in the current world (including hackers). The system core module is becoming a hot attacking interface in both kernel mode (e.g. XNU) and user mode (e.g. XPC) because they share almost the same code logic among different Apple systems (MachOS and iOS) so as to gain the most attack with the least effort.

As for the kernel mode part, smart fuzzers must have the code-coverage support to know how to fuzz deeply, but we haven't seen anyone do XNU fuzzing based on code-coverage, especially in the static way. In this talk, we will show you how to develop the kernel sanitizers to get code-coverage support and memory issues detection support. We also developed very detailed (about 530) patterns based on grammar for XNU syscall api. Then we will give a live demo of latest macOS (10.13.6) root by using 3 0days discovered by our fuzzer. At the end, we will show you another powerful technique to obtain code-coverage without source code in a static way. This can help you develop your own smart fuzzer against any close-source target.

As for the user mode part, we would like to introduce a new fuzzing method which is designed based on python script. We also have implemented the fuzzing project towards XPC service which could allow you gain dozens of reproducible XPC services daemon crashes in minutes or seconds.


  • Juwei Lin - Sr. Staff Engineer, Trend Micro
    Juwei Lin is senior staff engineer in TrendMicro who has more than 6 years experience in Windows and Mac/iOS security solution development. He is the author of TrendMicro Bootkit detection and clean tool and one of the major authors of TrendMicro ransomware decryption tool. He also has experience in MacOS/iOS kernel vulnerability discovery, more than 20 MacOS/iOS kernel vulnerabilities are discovered by him so far.
  • Yuefeng Li - Staff Engineer, Trend Micro
    Moony Li is a staff engineer in TrendMicro who has 8 years of knowledge and experience in security product development and research. Additionally, he helped to design and develop SandCastle security Sandbox for Deep Security production for both Windows and Mac system alongside the iOS Sandbox system. Currently, he focuses his research on Windows, Mac, Android and iOS kernel vulnerability hunting and exploiting. He has also participated at various global top security conferences: 1. HITCON 2016 - (P)FACE Into the Apple Core and Exploit to Root; 2. Code Blue 2016 - (P)FACE into the Apple core and exploit to root; 3. Pacsec 2016 - Active fuzzing as complementary for passive fuzzing; 4. BlackHat Europe 2016 - WHEN VIRTUALIZATION ENCOUNTER AFL: A PORTABLE VIRTUAL DEVICE FUZZING FRAMEWORK WITH AFL; 5. Code Blue 2017 - Fun and Practice for exercising your ARM(64); 6. Black Hat Asia 2018 - DEATH PROFILE; 7. Black Hat USA 2018 Arsenal - Art of Dancing with Shackles: Best Practice of App Store Malware Automatic Hunting System
  • Dongyang Wu - Senior Engineer, Trend Micro
    Lilang Wu is a Senior Engineer from TrendMicro and has three years security experience. He has published many academic papers during his postgraduate. The tool "Best Practice of App Store Malware Automatic Hunting System" was also selected by Blackhat USA 2018 Arsenal. Now, he devotes himself to discovering vulnerabilities on iOS and MacOS system. Up until now, he has found many vulnerabilities and threats.


Similar Presentations: