KextFuzz: fuzzing macOS Kernel EXTensions on apple silicon via exploiting mitigations
AUTHORs: 
Tingting Yin, Zicong Gao, Zhenghang Xiao, Zheyu Ma, Min Zheng, Chao ZhangAuthors Info & Claims
Tingting Yin, Zicong Gao, Zhenghang Xiao, Zheyu Ma, Min Zheng, Chao ZhangAuthors Info & ClaimsArticle No.: 282, Pages 5039 - 5054
Abstract
macOS drivers, i.e., Kernel EXTensions (kext), are attractive attack targets for adversaries. However, automatically discovering vulnerabilities in kexts is extremely challenging because kexts are mostly closed-source, and the latest macOS running on customized Apple Silicon has limited tool-chain support. Most existing static analysis and dynamic testing solutions cannot be applied to the latest macOS. In this paper, we present the first smart fuzzing solution KextFuzz to detect bugs in the latest macOS kexts running on Apple Silicon. Unlike existing driver fuzzing solutions, KextFuzz does not require source code, execution traces, hypervisors, or hardware features (e.g., coverage tracing) and thus is universal and practical. We note that macOS has deployed many mitigations, including pointer authentication, code signature, and userspace kernel layer wrappers, to thwart potential attacks. These mitigations can provide extra knowledge and resources for us to enable kernel fuzzing. KextFuzz exploits these mitigation schemes to instrument the binary for coverage tracking, test privileged kext code that is guarded and infrequently accessed, and infer the type and semantic information of the kext interfaces. KextFuzz has found 48 unique kernel bugs in the macOS kexts and got five CVEs. Some bugs could cause severe consequences like non-recoverable denial-of-service or damages.
References
[1]
Apple document. entitlements. https://developer.apple.com/documentation/bundleresources/entitlements. Accessed: 2022-05-11.
[2]
Cve-2022-22675. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22675. Accessed: 2022-06-02.
[3]
Dynamorio: Dynamic instrumentation tool platform. https://github.com/DynamoRIO/dynamorio. Accessed: 2022-05- 22.
[4]
Dyninstapi: Tools for binary instrumentation, analysis, and modification. https://github.com/dyninst/dyninst. Accessed: 2022-05-22.
[5]
High-performance binary-only instrumentation for afl-fuzz. https://github.com/mirrorer/afl/blob/master/qemu_mode/README.qemu. Accessed: 2022-05-12.
[6]
Intel® 64 and ia-32 architectures software developer manuals. https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html. Accessed: 2022-11-06.
[7]
The i/o registry | apple documentation archive. https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/TheRegistry/TheRegistry.html. Accessed: 2022-06-07.
[8]
kcov: code coverage for fuzzing. https://www.kernel.org/doc/html/latest/dev-tools/kcov.html. Accessed: 2022-05-14.
[9]
The kernel address sanitizer (kasan). https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html. Accessed: 2022-05-14.
[10]
Kernel debug kit 12.5 build 21g5027d. https://developer.apple.com/download/all/. Accessed: 2022-05-20.
[11]
Lldbfuzzer: Debugging and fuzzing the apple kernel. https://www.trendmicro.com/en_us/research/19/h/lldbfuzzer-debugging-and-fuzzing-the-apple-kernel-with-lldb-script.html. Accessed: 2022-05-12.
[12]
Operating system integrity | apple developer documentation. https://support.apple.com/zh-cn/guide/security/sec8b776536b/web. Accessed: 2022-06-06.
[13]
p-joker: ios/macos kernelcache/kexts analysis tool. https://github.com/lilang-wu/p-joker. Accessed: 2022-05- 20.
[14]
Preparing your app to work with pointer authentication | apple developer documentation. https://developer.apple.com/documentation/security/preparing_your_app_to_work_with_pointer_authentication. Accessed: 2022-06-06.
[15]
Process injection: Breaking all macos security layers with a single vulnerability. https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/. Accessed: 2022-12-06.
[16]
Retrowrite. https://github.com/HexHive/retrowrite. Accessed: 2022-11-06.
[17]
Strong arming with macos: Adventures in cross-platform emulation. https://blogs.blackberry.com/en/2021/05/strong-arming-with-macos-adventures-in-cross-platform-emulation. Accessed: 2022-06-06.
[18]
syzkaller: an unsupervised coverage-guided kernel fuzzer. https://github.com/google/syzkaller. Accessed: 2022- 05-14.
[19]
Triton: a dynamic binary analysis library. https://github.com/JonathanSalwan/Triton. Accessed: 2022-11-06.
[20]
Xiaolong Bai, Luyi Xing, Min Zheng, and Fuping Qu. idea: Static analysis on the security of apple kernel drivers. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1185-1202, 2020.
[21]
Weiteng Chen, YuWang, Zheng Zhang, and Zhiyun Qian. Syzgen: Automated generation of syscall specification of closed-source macos drivers. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 749-763, 2021.
[22]
Jaeseung Choi, Kangsu Kim, Daejin Lee, and Sang Kil Cha. Ntfuzz: Enabling type-aware kernel fuzzing on windows with static binary analysis. In 2021 IEEE Symposium on Security and Privacy (SP), pages 677-693. IEEE, 2021.
[23]
Jake Corina, Aravind Machiry, Christopher Salls, Yan Shoshitaishvili, Shuang Hao, Christopher Kruegel, and Giovanni Vigna. Difuze: Interface aware fuzzing for kernel drivers. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2123-2138, 2017.
[24]
Luke Deshotels, Costin Carabas, Jordan Beichler, Razvan Deaconescu, and William Enck. Kobold: Evaluating decentralized access control for remote nsxpc methods on ios. In 2020 IEEE Symposium on Security and Privacy (SP), pages 1056-1070. IEEE, 2020.
[25]
Sushant Dinesh, Nathan Burow, Dongyan Xu, and Mathias Payer. Retrowrite: Statically instrumenting cots binaries for fuzzing and sanitization. In 2020 IEEE Symposium on Security and Privacy (SP), pages 1497-1511. IEEE, 2020.
[26]
Gregory J Duck, Xiang Gao, and Abhik Roychoudhury. Binary rewriting without control flow recovery. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 151-163, 2020.
[27]
Antonio Flores-Montoya and Eric Schulte. Datalog disassembly. In 29th USENIX Security Symposium (USENIX Security 20), pages 1075-1092, 2020.
[28]
HyungSeok Han and Sang Kil Cha. Imf: Inferred model-based fuzzer. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2345-2358, 2017.
[29]
Kyungtae Kim, Dae R Jeong, Chung Hwan Kim, Yeongjin Jang, Insik Shin, and Byoungyoung Lee. Hfl: Hybrid fuzzing on the linux kernel. In NDSS, 2020.
[30]
George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. Evaluating fuzz testing. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 2123-2138, 2018.
[31]
Hans Liljestrand, Thomas Nyman, Kui Wang, Carlos Chinea Perez, Jan-Erik Ekberg, and N Asokan. PAC it up: Towards pointer integrity using ARM pointer authentication. In 28th USENIX Security Symposium (USENIX Security 19), pages 177-194, 2019.
[32]
Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. Acm sigplan notices, 40(6):190-200, 2005.
[33]
Stefan Nagy, Anh Nguyen-Tuong, Jason D Hiser, Jack W Davidson, and Matthew Hicks. Breaking through binaries: Compiler-quality instrumentation for better binary-only fuzzing. In 30th USENIX Security Symposium (USENIX Security 21), pages 1683-1700, 2021.
[34]
Nicholas Nethercote and Julian Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. ACM Sigplan notices, 42(6):89-100, 2007.
[35]
Pádraig O'sullivan, Kapil Anand, Aparna Kotha, Matthew Smithson, Rajeev Barua, and Angelos D Keromytis. Retrofitting security in cots software with binary rewriting. In IFIP International Information Security Conference, pages 154-172. Springer, 2011.
[36]
David Paaßen, Sebastian Surminski, Michael Rodler, and Lucas Davi. My fuzzer beats them all! developing a framework for fair evaluation and comparison of fuzzers. In European Symposium on Research in Computer Security, pages 173-193. Springer, 2021.
[37]
Shankara Pailoor, Andrew Aday, and Suman Jana. MoonShine: Optimizing OS fuzzer seed selection with trace distillation. In 27th USENIX Security Symposium (USENIX Security 18), pages 729-743, 2018.
[38]
Jianfeng Pan, Guanglu Yan, and Xiaocao Fan. Digtool: A Virtualization-Based framework for detecting kernel vulnerabilities. In 26th USENIX Security Symposium (USENIX Security 17), pages 149-165, 2017.
[39]
Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wör-ner, and Thorsten Holz. Nyx: Greybox hypervisor fuzzing using fast snapshots and affine types. In 30th USENIX Security Symposium (USENIX Security 21), 2021.
[40]
Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner, and Thorsten Holz. HYPER-CUBE: High-Dimensional Hypervisor Fuzzing. 2020.
[41]
Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel, and Thorsten Holz. kAFL:hardware-assisted feedback fuzzing for OS kernels. In 26th USENIX Security Symposium (USENIX Security 17), pages 167-182, 2017.
[42]
Sergej Schumilo, Cornelius Aschermann, Andrea Jemmett, Ali Abbasi, and Thorsten Holz. Nyx-net: Network fuzzing with incremental snapshots, 2021.
[43]
Dokyung Song, Felicitas Hetzelt, Dipanjan Das, Chad Spensky, Yeoul Na, Stijn Volckaert, Giovanni Vigna, Christopher Kruegel, Jean-Pierre Seifert, and Michael Franz. Periscope: An effective probing and fuzzing framework for the hardware-os boundary. In 2019 Network and Distributed Systems Security Symposium (NDSS), pages 1-15. Internet Society, 2019.
[44]
Hao Sun, Yuheng Shen, Jianzhong Liu, Yiru Xu, and Yu Jiang. KSG: Augmenting kernel fuzzing with system call specification generation. In 2022 USENIX Annual Technical Conference (USENIX ATC 22), pages 351-366, 2022.
[45]
Yizhuo Wang, Yikun Hu, Xuangan Xiao, and Dawu Gu. iservice: Detecting and evaluating the impact of confused deputy problem in appleos. In Proceedings of the 38th Annual Computer Security Applications Conference, pages 964-977, 2022.
[46]
Kun Yang, Hanqing Zhao, Chao Zhang, Jianwei Zhuge, and Haixin Duan. Fuzzing ipc with knowledge inference. In 2019 38th Symposium on Reliable Distributed Systems (SRDS), pages 11-1109. IEEE, 2019.
[47]
Zhuo Zhang, Wei You, Guanhong Tao, Yousra Aafer, Xuwei Liu, and Xiangyu Zhang. Stochfuzz: Sound and cost-effective fuzzing of stripped binaries by incremental and stochastic rewriting. In 2021 IEEE Symposium on Security and Privacy (SP), pages 659-676. IEEE, 2021.
Recommendations
KextFuzz: A Practical Fuzzer for macOS Kernel EXTensions on Apple Silicon
macOS drivers, i.e., Kernel EXTensions (kexts), are attractive attack targets for adversaries. However, automatically discovering vulnerabilities in kexts is extremely challenging because kexts are mostly closed-source, and the latest macOS running on ...
Comments
Information & Contributors
Information
Published In
Copyright © 2023 The USENIX Association.
Sponsors
- Meta
- Google Inc.
- NSF
- IBM
- Futurewei Technologies
Publisher
USENIX Association
United States
Publication History
Published: 09 August 2023
Qualifiers
- Research-article
- Research
- Refereed limited
Acceptance Rates
Overall Acceptance Rate 40 of 100 submissions, 40%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 01 Sep 2024