Skip to content
/ KextFuzz Public

Code of KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations (USENIX Security'23)

72 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vul337/KextFuzz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
rewrite
rewrite
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

KextFuzz

A prototype for the paper KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations [USENIX Security 2023]. The code was tested on Apple Silicon macOS 11.5.2. Thanks for your attention.

Prerequirement

  • Apple Silicon Devices / Virtual Machine with macOS 11
  • capstone & keystone

Kext Instrumentation & Entitlement Patching

The ./rewrite directory contains the code to do kext instrumentation and entitlement patch.

Step 1. Get a patched kext.

Note: edit ./rewrite/config.json to specify the patch target and strategy. Instrumentation and Entitlement patching are enabled by default.

$ pip install -r requirements.txt
$ cd rewrite
$ python bin_rewrite.py config.json

The patched kext will be saved in the ./rewrite/output directory by default.

Step 2. Build helper.kext.

Build the ./rewrite/helper in XCode to get helper.kext

Note: The helper kext should implement 1) the fake entitlement checker and 2) the profiling function which will be instrumented into the kext. The helper.kext in the repository is an example of the helper kext. Please customize your own profiling functions with reference to ./rewrite/helper/helper.cpp.

Step 3. Build macOS kernel collection. reference

$ kmutil inspect -V release --no-header | grep -v "SEPHiber" | awk '{print " -b "$1; }' > kext_list
$ echo "kextfuzz.example.helper" >> kext_list

# build kernel collection with patched kext and helper kext
$ mkdir Extensions
$ sudo cp -r ./output/* ./Extensions/
$ kmutil create -a arm64e -z -V release -n boot -B /path/to/your.kc -k /System/Library/kernels -r ./Extensions -r /System/Library/DriverExtensions -x $(cat kext_list)"

Step 4. Install the patched kernel collection.

  1. Boot into recovery mode & open terminal.
  2. Enter csrutil disable to disable System Integrity Protection.
  3. Enter bputil -a to disable boot args restriction.
  4. Reboot to apply above settings.
  5. Boot into recovery mode & open terminal.
  6. Install kernel collection: kmutil configure-boot -v /Volumes/your-volume -c /path/to/your.kc.

Trouble Shooting

  1. View loaded kexts: kextstat
  2. Load a kext: kextload /path/to/kext
  3. View Mach-O binary symbols: nm /path/to/bin
  4. View kernel log: log stream --predicate "sender=='xxx'"

Fuzz for fun

Play the video with sound :)

fuzz-for-fun.mp4

About

Code of KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations (USENIX Security'23)

Resources

Readme
Activity
Custom properties

Stars

72 stars

Watchers

11 watching

Forks

12 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages