KextFuzz: A Practical Fuzzer for macOS Kernel EXTensions on Apple Silicon

Bibliographic Details
Published in: IEEE Transactions on Dependable and Secure Computing, 2024-07, Vol. 21 (4), pp. 3453-3468
Main Authors: Yin, Tingting, Gao, Zicong, Xiao, Zhenghang, Ma, Zheyu, Zheng, Min, Zhang, Chao
Format: Article
Language: English
Description
Summary: macOS drivers, i.e., Kernel EXTensions (kexts), are attractive attack targets for adversaries. However, automatically discovering vulnerabilities in kexts is extremely challenging because kexts are mostly closed-source, and the latest macOS running on customized Apple Silicon has limited tool-chain support. Most existing static analysis and dynamic testing solutions cannot be applied to the latest macOS. In this paper, we present the first end-to-end fuzzing solution, KextFuzz, to detect bugs in the latest macOS kexts running on Apple Silicon. Unlike existing driver fuzzing solutions, KextFuzz does not require source code, execution traces, hypervisors, or hardware features (e.g., coverage tracing) and is thus universal and practical. We note that macOS has deployed many mitigations, including pointer authentication, code signing, and userspace kernel-layer wrappers, to thwart potential attacks. These mitigations provide extra knowledge and resources that we use to enable kernel fuzzing. KextFuzz exploits these mitigation schemes to instrument the binary for coverage tracking, infer the type and semantic information of kext interfaces, and generate multi-dimensional inputs. KextFuzz has found 49 unique kernel bugs in macOS kexts and received five CVEs. Some bugs could cause severe consequences such as running arbitrary code with kernel privilege.
ISSN: 1545-5971, 1941-0018
DOI: 10.1109/TDSC.2023.3330852