Snapshot Fuzzing macOS Kernel Via Emulation

Presented at Objective by the Sea version 6.0 (2023), Oct. 12, 2023, 3:05 p.m. (25 minutes).

Effectively fuzzing macOS components and applications has always presented a number of challenges, including hardware requirements, lack of source access, and limitations of dynamic binary instrumentation platforms. While we have been able to work around each of these individually when targeting user-space applications, the same issues are even more pronounced when trying to attack the macOS kernel and its components.

The requirement to perform fuzz testing on Apple hardware limits scalability because we cannot reuse our existing resources. Basic-block level tracing, a requirement for coverage-guided fuzzing, could not use any of the existing dynamic binary instrumentation frameworks and would require custom solutions with large performance penalties. Limited control over the environment would negatively impact reproducibility and analysis of potential findings.

Snapshot fuzzing, where the complete state of a running virtual or physical machine is recorded and used for fuzzing, has the potential to alleviate these issues. Snapshot execution can be performed in a compatible but not hardware-dependent environment. The execution environment can be instrumented, which provides code coverage and coverage analysis. And, provided that snapshot restoration is fast enough, testing speed can be greatly improved.

The first steps towards achieving this capability were tested and prototyped internally on top of the Barbervisor project, a hypervisor-based snapshot fuzzer that ran on physical hardware for maximum performance. While this demonstrated the utility of the snapshot fuzzing approach, the bare-hardware requirement precluded the use of our existing resources, and the lack of a comprehensive instrumentation framework posed additional challenges.

A third-party project, WhatTheFuzz (WTF) by Axel Souchet, took a different approach and relied on emulation for snapshot execution, which can run inside a regular operating system, even on virtualized platforms. While WTF provides a complete snapshot fuzzing solution, it currently only supports fuzzing Windows snapshots.

We have extended WTF by developing a custom snapshotting, snapshot loading, instrumentation hooking, fuzzing, and coverage analysis extension to facilitate macOS kernel and user-space fuzzing. This enabled us to precisely target, snapshot, and deterministically fuzz macOS kernel components using our existing resources and tooling. We will present practical considerations, development obstacles, results, and targets that we have explored so far.
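The abstract describes the three ingredients of a snapshot fuzzer: a frozen machine state that every test case starts from, a basic-block hook that records coverage, and a fast restore so the target's side effects never leak between cases. The toy below, added here as an illustration and not code from the talk, from WTF, or from Barbervisor, models those ingredients in plain Python. `MachineState`, `target`, the block ids and the `MACH` magic are all constructed stand-ins for a real emulator snapshot and kernel entry point.

```python
import copy
import random


class MachineState:
    """Constructed stand-in for a VM snapshot: registers, memory and a coverage set."""

    def __init__(self):
        self.regs = {"pc": 0, "sp": 0x7000}
        self.mem = bytearray(256)
        self.coverage = set()   # ids of "basic blocks" hit during one run


def take_snapshot(state):
    """Freeze the full machine state so every fuzz case starts from the same point."""
    return copy.deepcopy(state)


def restore_snapshot(snapshot):
    """Restore by copying, so the target's side effects never leak between cases."""
    return copy.deepcopy(snapshot)


def cover(state, block_id):
    """Stand-in for an emulator basic-block hook that records coverage."""
    state.coverage.add(block_id)


def target(state, data):
    """Constructed toy handler in place of a kernel entry point: it mutates the
    machine state and has a deliberate out-of-bounds write reached only by 'MACH'."""
    cover(state, "entry")
    state.regs["sp"] -= 16              # side effect that the snapshot restore must undo
    state.mem[0] = data[0] if data else 0
    if len(data) < 4:
        cover(state, "short")
        return
    if data[0] == ord("M"):
        cover(state, "M")
        if data[1] == ord("A"):
            cover(state, "A")
            if data[2] == ord("C"):
                cover(state, "C")
                if data[3] == ord("H"):
                    cover(state, "H")
                    state.mem[len(state.mem) + 1] = 0xFF   # toy bug: raises IndexError
    cover(state, "exit")


def run_case(snapshot, data):
    """Restore the snapshot, execute one input, return (final state, crashed)."""
    state = restore_snapshot(snapshot)
    try:
        target(state, data)
    except IndexError:                  # the emulator equivalent of a memory fault
        return state, True
    return state, False


def mutate(parent, rng):
    """Single-byte replacement at a random offset (the only mutator in this toy)."""
    buf = bytearray(parent)
    if not buf:
        return bytes(buf)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(snapshot, iterations, seed=0):
    """Coverage-guided loop: keep inputs that reach new blocks, favour the newest one."""
    rng = random.Random(seed)
    corpus = [b"\x00\x00\x00\x00"]
    global_cov = set()
    crashes = []
    for _ in range(iterations):
        parent = corpus[-1] if rng.random() < 0.75 else rng.choice(corpus)
        data = mutate(parent, rng)
        state, crashed = run_case(snapshot, data)
        if crashed:
            crashes.append(data)
            continue
        new_blocks = state.coverage - global_cov
        if new_blocks:
            global_cov |= new_blocks
            corpus.append(data)
    return {"coverage": global_cov, "corpus": corpus, "crashes": crashes}


if __name__ == "__main__":
    snap = take_snapshot(MachineState())
    result = fuzz(snap, 30000, seed=1)
    print("blocks:", sorted(result["coverage"]), "crashes:", len(result["crashes"]))
    print("snapshot sp still", hex(snap.regs["sp"]))   # the snapshot itself is untouched
```

The point of the `run_case` shape is the one the abstract makes about reproducibility: because every case restores the same snapshot, a crashing input reproduces on its own, and the per-case coverage set is exactly what the basic-block hook saw for that input. In a real emulator-based fuzzer the restore is a page-level memory reset rather than a `deepcopy`, which is what makes it fast enough to matter.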

Presenters:

  • Aleksandar Nikolic - Security Researcher at Cisco
    Aleksandar is a security researcher with a primary focus on finding memory corruption vulnerabilities in widely used server-side and client-side software. As a member of the Cisco Talos vulnerability research team, Aleksandar has performed reverse engineering, fuzzing, and code auditing on dozens of projects written in C and C++. These include popular proprietary and open-source client-side applications, server-side applications, third-party libraries, and operating system components.

    Aleksandar's previously published research topics have included fuzzer augmentation techniques, mitigation bypass techniques, and Internet-wide vulnerability scans. In his spare time, he likes to take photos and reverse engineer random devices.