KextFuzz: A Practical Fuzzer for macOS Kernel EXTensions on Apple Silicon

Tingting Yin, Zicong Gao, Zhenghang Xiao, Zheyu Ma, Min Zheng, Chao Zhang
DOI: https://doi.org/10.1109/tdsc.2023.3330852
2024-01-01
IEEE Transactions on Dependable and Secure Computing
Abstract: macOS drivers, i.e., Kernel EXTensions (kexts), are attractive attack targets for adversaries. However, automatically discovering vulnerabilities in kexts is extremely challenging because kexts are mostly closed-source, and the latest macOS running on customized Apple Silicon has limited tool-chain support. Most existing static analysis and dynamic testing solutions cannot be applied to the latest macOS. In this paper, we present the first end-to-end fuzzing solution, KextFuzz, to detect bugs in the latest macOS kexts running on Apple Silicon. Unlike existing driver fuzzing solutions, KextFuzz does not require source code, execution traces, hypervisors, or hardware features (e.g., coverage tracing) and thus is universal and practical. We note that macOS has deployed many mitigations, including pointer authentication, code signing, and userspace wrappers around the kernel layer, to thwart potential attacks. These mitigations provide extra knowledge and resources that we can use to enable kernel fuzzing. KextFuzz exploits these mitigation schemes to instrument the binary for coverage tracking, to infer the type and semantic information of kext interfaces, and to generate multi-dimensional inputs. KextFuzz has found 49 unique kernel bugs in macOS kexts and has been assigned five CVEs. Some of the bugs could have severe consequences, such as running arbitrary code with kernel privilege.