macOS Kernel Fuzzer

macOS 10.13 kernel fuzzer using multiple different methods.

System Call Fuzzing

Both the BSD (SYSCALLS) and Mach (MACH_TRAPS) system dispatch tables are defined within the bughunt_syscalls.h file. A sample selection of both system calls and library calls have been provided to demonstrate how to implement additional calls. It is necessary to implement these additional system calls and library calls above the sample calls provided to increase coverage.

macOS Host Configuration

1. Run host_setup/configure_panic_server.sh to set up the panic server on the host machine.
2. Create a JSON config file to be used for the vm_manager.py script. An example default config can be found in host_setup/config.json.
3. Follow the instructions for starting the VM Manager.

macOS Guest Configuration

0. Deploy the latest macOS to a VM.
1. Install the latest VMWare tools from https://my.vmware.com/web/vmware/details?downloadGroup=VMTOOLS1010&productId=491. At the time of writing, this is VMware-Tools-10.1.0-other-4449150.
2. Copy worker_setup/worker_setup.py to the initial VM and execute as follows:
   python worker_setup.py -p <panic_server_host_address>

This step requires multiple reboots, to disable SIP and ensure nvram boot flags are set correctly.

3. Clone the VM when its in its prepared state to scale up. A script is provided to do this and an example is as follows:
   python clone_vmx.py –base_vmx “/Users/mwr/Documents/Virtual Machines.localized/macOS 10.12.vmwarevm/macOS 10.12.vmx” –clones 1

   Where –base-vmx is the VMX file to use as a template for the clone and –clones is the number of clones to make. Note: the VM needs to be in a powered off state and prepd.

This script will produce a list of VMX files which can then be taken and entered into the config file.

5. Ensure there is a snapshot of each VM available called the same name as prepd_snapshot_name in the config file to revert back to. This will be automated at a future stage.
6. Ensure vmx_files path is updated to list all VMX files to be used by the fuzz run.

Usage

Running standalone

There are two methods for running the binary standalone. The first method is using remote network logging, which can be performed as follows:

./OSXFuzz -s 1 -l “192.168.0.1” -p 1337 -b 1,2

Where -s is the seed value. If this is set to 1 then PRNG will generate a new random seed, otherwise, the seed value will be used.

-l is the remote logger IP address. -p is the remote logger port. -b is the syscall numbers to blacklist.

It is also possible to run the fuzzer with disk-based logging. This can be performed as follows:

./OSXFuzz -s 1 -d – -b 1,2

-d is the directory in which the fuzzer log files will be stored in. If – is passed then the current working directory is used to create these log files.

-D can be used to enable debug mode which will print all log statements to standard out.

Download & Tutorial