Fuzzing at Mach Speed: Uncovering IPC Vulnerabilities on MacOS

Download Slides

Video coming soon.

This research presents an in-depth investigation of MacOS Inter-Process Communication (IPC) security, with a focus on Mach message handlers. It explores how Mach message handlers are utilized to execute privileged RPC-like functions and how this introduces vectors for sandbox escapes and privilege escalations. This involves a detailed examination of MacOS internals, particularly the calling and processing of Mach messages, their data formats, and statefulness.

The core of the study is the development and application of a custom fuzzing harness targeting these identified IPC function handlers. The fuzzing process, aimed at inducing crashes indicative of memory corruption vulnerabilities, is discussed in detail. Several generated crashes will be discussed, one of which may be exploitable to obtain remote code execution. The research culminates in the open-sourcing of a bespoke Mach message corpus generation script and custom fuzzing harness, contributing to the broader cybersecurity community and laying groundwork for future exploration in this area.

MacOS Architecture Overview
- MacOS Design
  - Explanation of the various layers of the MacOS operating system and how the XNU kernel is designed
- MacOS Uniqueness
  - Discussion of how MacOS differs from common operating systems used for fuzzing
MacOS IPC Mechanisms
- XPC IPC mechanisms
  - Overview of higher level IPC mechanisms such as XPC and Apple Events
- Mach IPC mechanisms
  - Overview of Mach message-based IPC, including structure of mach messages and native functions used to communicate them
  - Description of Mach message handler subsystems and how they are generated using the Mach Interface Generator (MIG)
  - Overview of identifying Mach message handlers during reverse engineering using IDA Pro
Previous Research
- Prior Work and Vulnerabilities
  - Review of past research and MacOS IPC vulnerabilities
Target Identification
- MacOS Sandboxing Overview
  - An overview of how process sandboxing works on MacOS
  - Several case studies for high profile applications, including Firefox, Safari, and Adobe Acrobat
- Identifying Escape Routes
  - Analysis of sandbox profiles and how I identified mach listeners that could allow for a sandbox escape
- Additional Factors
  - Discussion of other attributes I looked for when choosing a target to research, including the maturity of the code base, attack surface, and previous vulnerabilities
Corpus Generation
- Mach Message Dumping
  - Methodology overview for identifying mach messages sent to processes of interest to create a corpus of mach messages to use for fuzzing
- Corpus Reduction
  - Discussion of the process used for statistically determining unique messages within our corpus
Mutation-Based Fuzzing
- Basic Bit Flipping
  - Explanation of various “dumb” fuzzing methods we used to generate crashes
- Grammar-Based Fuzzing
  - Description of the bespoke mutator I wrote to more intelligently fuzz the format of the Mach message structure
- Coverage-Guided Fuzzing
  - Analysis of more advanced fuzzing methods used to improving the fuzzing corpus and reach new code paths
Stateful vs. Stateless Fuzzing
- Stateless Fuzzing
  - Explanation of initial fuzzing harness that focuses on sending mach messages to a process that are independent of one another
  - Description of strengths of stateless fuzzing, specifically its speed
  - Discussion of weaknesses of stateless fuzzing, specifically it’s inability to traverse possible code paths of a process
- Stateful Fuzzing
  - Description of strengths of stateful fuzzing, specifically how it fills the weakness of stateless fuzzing to gain maximum coverage of code paths
  - Overview of the generation of a Mach message state matrix, which can be used to send mach messages in a meaningful order to trigger new functionality
Crash Analysis
- Initial Crash Triage
  - Description of our process for determining whether a crash might be security relevant and categorizing crashes
- Root Cause Analysis
  - Explanation of our hybrid process of reverse engineering using IDA Pro and LLDB to determine the reason for a crash
- Crash Reproduction
  - Overview of our methodology for reproducing recorded crashes
Exploit Development (Case Study)
- Controlled Memory Corruption
  - Description of the process for reliably corrupting memory in a predictable manner
- Control Flow Hijacking
  - Walkthrough of hijacking the native binary’s execution flow using controlled memory corruption
- DEMO
Tooling
- Open Source Tools Release
  - Links to my tooling used for this research, which includes my Mach message dumper and fuzzing harness

About the Speaker

Dillon Franke

Dillon Franke is a seasoned security researcher with a track record of uncovering high-impact vulnerabilities in complex systems. Throughout his career, Dillon has focused on identifying and exploiting weaknesses in widely used products, working closely with organizations across various industries to improve their security posture and protect against emerging threats. His work has been featured in numerous industry publications and news outlets, and he has spoken at major security conferences around the world, including Black Hat, TROOPERS, CanSecWest, Nullcon, and the Qualcomm Product Security Summit.

In his current role as a Senior Security Consultant at Google/Mandiant, Dillon continues to perform cutting edge application security research and release open source tools. He is passionate about sharing his knowledge with others and inspiring the next generation of security professionals to take up the mantle and continue the fight for a safer, more secure online world.