Fuzzing at Mach Speed: Uncovering IPC Vulnerabilities on MacOS
This research presents an in-depth investigation of MacOS Inter-Process Communication (IPC) security, with a focus on Mach message handlers. It explores how Mach message handlers are utilized to execute privileged RPC-like functions and how this introduces vectors for sandbox escapes and privilege escalations. This involves a detailed examination of MacOS internals, particularly the calling and processing of Mach messages, their data formats, and statefulness.
The core of the study is the development and application of a custom fuzzing harness targeting these identified IPC function handlers. The fuzzing process, aimed at inducing crashes indicative of memory corruption vulnerabilities, is discussed in detail. Several generated crashes will be discussed, one of which may be exploitable to obtain remote code execution. The research culminates in the open-sourcing of a bespoke Mach message corpus generation script and custom fuzzing harness, contributing to the broader cybersecurity community and laying groundwork for future exploration in this area.
- MacOS Architecture Overview
- MacOS Design
- Explanation of the various layers of the MacOS operating system and how the XNU kernel is designed
- MacOS Uniqueness
- Discussion of how MacOS differs from common operating systems used for fuzzing
- MacOS Design
- MacOS IPC Mechanisms
- XPC IPC mechanisms
- Overview of higher level IPC mechanisms such as XPC and Apple Events
- Mach IPC mechanisms
- Overview of Mach message-based IPC, including structure of mach messages and native functions used to communicate them
- Description of Mach message handler subsystems and how they are generated using the Mach Interface Generator (MIG)
- Overview of identifying Mach message handlers during reverse engineering using IDA Pro
- XPC IPC mechanisms
- Previous Research
- Prior Work and Vulnerabilities
- Review of past research and MacOS IPC vulnerabilities
- Prior Work and Vulnerabilities
- Target Identification
- MacOS Sandboxing Overview
- An overview of how process sandboxing works on MacOS
- Several case studies for high profile applications, including Firefox, Safari, and Adobe Acrobat
- Identifying Escape Routes
- Analysis of sandbox profiles and how I identified mach listeners that could allow for a sandbox escape
- Additional Factors
- Discussion of other attributes I looked for when choosing a target to research, including the maturity of the code base, attack surface, and previous vulnerabilities
- MacOS Sandboxing Overview
- Corpus Generation
- Mach Message Dumping
- Methodology overview for identifying mach messages sent to processes of interest to create a corpus of mach messages to use for fuzzing
- Corpus Reduction
- Discussion of the process used for statistically determining unique messages within our corpus
- Mach Message Dumping
- Mutation-Based Fuzzing
- Basic Bit Flipping
- Explanation of various “dumb” fuzzing methods we used to generate crashes
- Grammar-Based Fuzzing
- Description of the bespoke mutator I wrote to more intelligently fuzz the format of the Mach message structure
- Coverage-Guided Fuzzing
- Analysis of more advanced fuzzing methods used to improving the fuzzing corpus and reach new code paths
- Basic Bit Flipping
- Stateful vs. Stateless Fuzzing
- Stateless Fuzzing
- Explanation of initial fuzzing harness that focuses on sending mach messages to a process that are independent of one another
- Description of strengths of stateless fuzzing, specifically its speed
- Discussion of weaknesses of stateless fuzzing, specifically it’s inability to traverse possible code paths of a process
- Stateful Fuzzing
- Description of strengths of stateful fuzzing, specifically how it fills the weakness of stateless fuzzing to gain maximum coverage of code paths
- Overview of the generation of a Mach message state matrix, which can be used to send mach messages in a meaningful order to trigger new functionality
- Stateless Fuzzing
- Crash Analysis
- Initial Crash Triage
- Description of our process for determining whether a crash might be security relevant and categorizing crashes
- Root Cause Analysis
- Explanation of our hybrid process of reverse engineering using IDA Pro and LLDB to determine the reason for a crash
- Crash Reproduction
- Overview of our methodology for reproducing recorded crashes
- Initial Crash Triage
- Exploit Development (Case Study)
- Controlled Memory Corruption
- Description of the process for reliably corrupting memory in a predictable manner
- Control Flow Hijacking
- Walkthrough of hijacking the native binary’s execution flow using controlled memory corruption
- DEMO
- Controlled Memory Corruption
- Tooling
- Open Source Tools Release
- Links to my tooling used for this research, which includes my Mach message dumper and fuzzing harness
- Open Source Tools Release