Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit

Conference: BlackHat EU 2018



The presentation describes a code-coverage-driven "smart fuzzer" for macOS that targets the XNU kernel. The fuzzer reuses syzkaller's syntax engine and corpus, adds a kernel code-coverage module, and patches the kernel to support sanitizers (a kernel address sanitizer and memory sanitizers) so that memory-safety bugs are detected as soon as they are triggered.
  • The fuzzer targets macOS on the XNU kernel
  • It is code-coverage driven and adds kernel sanitizers and memory sanitizers
  • The syntax engine and corpus were taken from syzkaller and modified to generate programs from grammar patterns of the XNU syscall API
  • A new module supplies code coverage; kernel modifications are required to enable the kernel sanitizers and memory sanitizers
  • Shadow memory is used to detect buffer overflows and other memory issues
When kernel memory is allocated, the shadow bytes covering it are initialized to zero (addressable); when the memory is freed they are set to a negative value (poisoned). Every access is checked against its shadow byte first, so an access whose shadow byte is non-zero is reported immediately. This is how the tool catches out-of-bounds accesses (buffer overflows) and accesses to freed memory (use-after-free) rather than waiting for a later, unrelated crash.
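The shadow-memory scheme above, modelled in user mode as an added example (this is not the speakers' code and not the fuzzer's API). The encoding follows the KASAN/ASan convention the summary describes: one shadow byte per 8-byte granule, 0 meaning fully addressable, 1..7 meaning only that many leading bytes are addressable, and negative meaning poisoned. The arena, the marker values `SH_REDZONE`/`SH_FREED`, and the function names `sh_init`, `sh_alloc`, `sh_free`, `sh_check` and `sh_demo` are this example's own assumptions.

```c
/*
 * Toy model of KASAN-style shadow memory (added example, not the talk's code).
 * A small arena is tracked by one shadow byte per 8-byte granule:
 *   0        -> all 8 bytes addressable
 *   1..7     -> only that many leading bytes addressable (object tail)
 *   negative -> poisoned: SH_REDZONE (gap between objects) or SH_FREED
 * sh_alloc() clears the shadow for the object, sh_free() poisons it with a
 * negative marker, and sh_check() consults the shadow before any access,
 * so overflows and use-after-free are caught at the faulting access.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE   4096
#define GRANULE      8
#define SHADOW_SIZE  (ARENA_SIZE / GRANULE)
#define REDZONE      32            /* poisoned guard bytes after each object */

/* Marker values are assumptions of this example, not the real KASAN encoding. */
#define SH_REDZONE  ((int8_t)-1)   /* never valid: gap between objects */
#define SH_FREED    ((int8_t)-2)   /* was an object, has been freed    */

enum sh_result { SH_OK = 0, SH_OVERFLOW = 1, SH_USE_AFTER_FREE = 2 };

static uint8_t arena[ARENA_SIZE];
static int8_t  shadow[SHADOW_SIZE];
static size_t  bump;               /* bump allocator: next free offset */

/* Poison every granule overlapping [off, off+len) with the given marker. */
static void sh_poison(size_t off, size_t len, int8_t marker) {
    size_t end = (off + len + GRANULE - 1) / GRANULE;
    for (size_t g = off / GRANULE; g < end; g++)
        shadow[g] = marker;
}

/* Reset the arena; the whole arena starts out poisoned (nothing allocated). */
void sh_init(void) {
    memset(arena, 0, sizeof arena);
    memset(shadow, SH_REDZONE, sizeof shadow);
    bump = 0;
}

/* Allocate size bytes; returns an arena pointer or NULL when it does not fit. */
uint8_t *sh_alloc(size_t size) {
    size_t need = (size + GRANULE - 1) / GRANULE * GRANULE + REDZONE;
    if (size == 0 || bump + need > ARENA_SIZE) return NULL;
    size_t off = bump;
    bump += need;
    /* Object body: 0 for full granules, k for a partially used last granule.
     * Granules between the object and the next one stay SH_REDZONE. */
    for (size_t g = off / GRANULE, left = size; left > 0; g++) {
        shadow[g] = left >= GRANULE ? 0 : (int8_t)left;
        left = left >= GRANULE ? left - GRANULE : 0;
    }
    return arena + off;
}

/* Free [ptr, ptr+size): the shadow goes negative, so later accesses are UAF. */
void sh_free(uint8_t *ptr, size_t size) {
    sh_poison((size_t)(ptr - arena), size, SH_FREED);
}

/* Check an access of size bytes at ptr; returns an enum sh_result. */
int sh_check(const uint8_t *ptr, size_t size) {
    size_t off = (size_t)(ptr - arena);
    if (off >= ARENA_SIZE || off + size > ARENA_SIZE) return SH_OVERFLOW;
    for (size_t i = 0; i < size; i++) {
        size_t a = off + i;
        int8_t s = shadow[a / GRANULE];
        if (s == 0) continue;                              /* whole granule ok   */
        if (s > 0 && (int8_t)(a % GRANULE) < s) continue;  /* inside partial end */
        return s == SH_FREED ? SH_USE_AFTER_FREE : SH_OVERFLOW;
    }
    return SH_OK;
}

/* Drives the cases the sanitizer must catch; returns 0 when all verdicts match. */
int sh_demo(void) {
    sh_init();
    uint8_t *p = sh_alloc(13);                 /* one full granule + 5-byte tail */
    int in_bounds  = sh_check(p, 13);          /* SH_OK                          */
    int one_past   = sh_check(p + 13, 1);      /* SH_OVERFLOW inside the tail    */
    int far_past   = sh_check(p + 16, 4);      /* SH_OVERFLOW into the redzone   */
    sh_free(p, 13);
    int after_free = sh_check(p, 1);           /* SH_USE_AFTER_FREE              */
    return (in_bounds == SH_OK && one_past == SH_OVERFLOW &&
            far_past == SH_OVERFLOW && after_free == SH_USE_AFTER_FREE) ? 0 : 1;
}

int main(void) {
    printf("shadow model %s\n", sh_demo() == 0 ? "OK" : "MISMATCH");
    return 0;
}
```

The point of the partial-granule encoding is visible in `sh_demo`: a 13-byte object leaves three bytes of its second granule unaddressable, and the one-byte read at offset 13 is reported as an overflow even though it never reaches the separate redzone. In the real kernel the check in `sh_check` is what the compiler instrumentation inserts before each load and store, which is why the sanitizer needs kernel source modifications rather than a separate module.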


Apple operating systems have gained much popularity on both personal computers (macOS) and mobile devices (iOS), including among hackers. The system core is becoming a hot attack surface in both kernel mode (e.g. XNU) and user mode (e.g. XPC), because these components share almost the same code across Apple systems (macOS and iOS), so a single bug yields the most attack value for the least effort.

For the kernel-mode part, smart fuzzers need code-coverage feedback to know how to fuzz deeply, but we have not seen anyone do coverage-guided XNU fuzzing, especially in a static way. In this talk, we show how to develop kernel sanitizers that provide both code-coverage support and memory-issue detection. We also developed very detailed grammar-based patterns (about 530) for the XNU syscall API. We then give a live demo of rooting the latest macOS (10.13.6) using three 0-days discovered by our fuzzer. Finally, we show another powerful technique for obtaining code coverage statically, without source code, which can help you build your own smart fuzzer against any closed-source target.

For the user-mode part, we introduce a new fuzzing method driven by Python scripts. We have implemented it against XPC services, where it produces dozens of reproducible XPC service daemon crashes in minutes or seconds.