SockFuzzer, originally designed as a networking-focused fuzzer for the XNU kernel (used in macOS and iOS), has evolved into a comprehensive kernel fuzzing framework. While retaining its original name as a nod to its roots, SockFuzzer now covers a wide range of kernel subsystems, including BSD, Mach, virtual memory, and more. The project implements a unique approach by converting the XNU kernel into a library that can be "booted" and fuzzed in userspace, allowing for efficient vulnerability discovery and reproduction across multiple subsystems.
- Comprehensively test the XNU kernel in a controlled environment
- Discover and reproduce vulnerabilities across various XNU subsystems
- Provide a framework for continuous fuzzing and improvement of XNU security
- Demonstrate the value of implementing advanced fuzzing techniques in kernel research
- Enable efficient testing of complex kernel interactions and subsystems
SockFuzzer employs a host/"XNU guest" design, where the XNU kernel is compiled as a library and run within a custom userspace environment. This architecture consists of several key components:
- Host Environment
- XNU Guest Library
- Custom Scheduler (based on Concurrence)
- Fuzzing Engine (Centipede from Google's fuzztest project)
- Test Runner and Harness
The host environment provides the foundation for running the XNU guest library and managing the fuzzing process. It includes:
- Custom implementations of core kernel services
- Hypercall interface for communication between the host and XNU guest
- Test runner and harness for executing fuzz tests
The XNU kernel is compiled as a library (libxnu) with minimal modifications to run in userspace. Key aspects include:
- Symbol prefixing and management to avoid conflicts with host symbols
- Selective exposure of internal XNU functions through a version script
- Support for multiple subsystems: BSD, Mach, virtual memory, threads, processes, etc.
- Null pmap layer for virtual memory support (with plans to support ARM pmap in the future)
Based on the improved Concurrence project, the custom scheduler now supports full threading capabilities:
- Executor: Provides thread creation, deletion, and context switching
- FuzzedScheduler: Manages thread states and scheduling decisions
- Integration with the XNU guest library for proper multithreading support
The test runner and harness manage the execution of fuzz tests and provide:
- Initialization of the XNU guest environment
- Execution of fuzz inputs across various subsystems
- Crash detection and reporting
- Comprehensive XNU Kernel Coverage: Test multiple subsystems including BSD, Mach, virtual memory, threads, and processes
- Userspace XNU Execution: Run XNU kernel components in a controlled userspace environment
- Full Threading Support: Leverage improved Concurrence for proper multithreading capabilities
- Virtual Memory Support: Utilize a null pmap layer with plans for ARM pmap support
- MIG Fuzzing: Support for fuzzing Mach Interface Generator (MIG) interfaces
- Hypercall Interface: Facilitate communication between host and XNU guest components
- BSD
- Mach
- Virtual Memory (with null pmap layer)
- Threads and Processes
- Networking
- Mach Messages
- MIG Interfaces
- The XNU kernel is compiled as a library with necessary modifications
- The host environment initializes the XNU guest library and custom scheduler
- Centipede generates structured inputs using protobuf definitions
- The test harness executes the inputs, invoking syscalls, Mach messages, and other kernel interfaces
- The custom scheduler manages thread execution within the XNU guest
- ASAN monitors for memory corruption issues
- Crashes and coverage information are collected and analyzed
- IOKit Support: The current implementation does not support IOKit subsystems
- Binary-only Fuzzing: The approach currently relies on source code which doesn't include all modules
Future work includes:
- Implementing IOKit support
- Integrating ARM pmap support for virtual memory
- Adapting techniques for binary-only fuzzing scenarios
- Continuing to expand coverage and support for XNU subsystems
In order to keep this repository well-factored, several dependencies will need to be added by users themselves to third_party, such as xnu, bootstrap_cmds, and a few other libraries.