
XNU

Apple's Domain Knowledge

Driver Stack

Daemon:             airportd, sharingd
Framework:          Apple80211, CoreWifi, CoreWLAN
---
Family driver:      IO80211Family, IONetworkingFamily
Plug-in driver:     AppleBCMWLANCore replaces AirPort Brcm series drivers
Low-level driver:   AppleBCMWLANBusInterfacePCIe

Possible Parts of XNU

  • Support for ARM architecture
  • Refactored drivers
  • Subsystems such as SkyWalk
  • Protocols such as Apple Wireless Direct Link
  • New syscalls
  • ifioctl()
  • ifioctl_nexus()
  • skoid_create() and sysctl registration

Some Apple Projects

Re-writing Apple Driver Binary

  • Has check
  • Can instrument by disabling ASID

SoC Firmware

T2 has special firmware logic to check input from the kernel.

In other words, firmware does not trust kernel.

Attack Surfaces

  1. From remote and local firmware to kernel (most challenging: no symbols, no logs)
  2. From user-mode daemon and framework to kernel
  3. All other handlers and parsers for input parameters

Attack surface identification:

  • Traditional BSD ioctl, IOKit IOConnectCallMethod series and sysctl interfaces
  • Various packet sending and receiving interfaces
  • Various network setting interfaces
  • Various types of network interfaces

Try fuzzing against both high-level and low-level API interfaces; a good example is Bluetooth HCI.

Kernel Debugging

Make full use of LLDB and KDK:

  • panic log information is not helpful in finding the root cause
  • variable values sometimes require dynamic analysis
  • kernel heap corruption requires remote debugging

Vulnerabilities

  • CVE-2020-9834
  • Broadcom's OS Independent Layer
  • CVE-2019-8648: error in llvm for arm port
  • CVE-2022-32874:
  • CVE-2020-10013: boundary checking error / arbitrary memory write
  • CVE-2022-26762: getRxRate forget to sanitize user input
  • CVE-2022-32837 and CVE-2022-32860: lack of effective input verification
  • CVE-2015-0057: 1-bit overflow
  • CVE-2022-26761: type confusion for different architectures
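The classes listed here (a missing bounds check on a caller-supplied index, and a request layout that differs between architectures) and the T2 boundary described earlier (firmware that checks what the kernel sends it) come down to the same rule: validate everything that crosses a trust boundary before using it. The following is an added, constructed example, not Apple's code and not a reconstruction of any of the CVEs above. It models a toy ioctl-style handler, `set_rx_rate`, that stores a per-stream value in a fixed table; every name (`rate_req`, `toy_kmem`, `MAX_STREAMS`, `set_rx_rate_unchecked`) is hypothetical, and the "kernel memory" is a struct standing in for the address space so the effect of the unchecked write can be observed without undefined behaviour.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STREAMS 4   /* hypothetical table size */

/* Request as the handler sees it. Only fixed-width fields: the layout is
 * 8 bytes on arm64, x86_64 and 32-bit ABIs alike, so one handler serves
 * every client and no architecture-specific reinterpretation of the
 * buffer is needed (the root of the "type confusion" class). */
struct rate_req {
    uint32_t stream;    /* caller-chosen index into rx_rate_table */
    uint32_t rate;      /* value to store */
};
_Static_assert(sizeof(struct rate_req) == 8, "layout must be ABI-stable");
_Static_assert(offsetof(struct rate_req, rate) == 4, "no hidden padding");

/* Simulated kernel memory (constructed): the table, followed by an
 * unrelated field the way a neighbouring object would follow it. */
struct toy_kmem {
    uint32_t rx_rate_table[MAX_STREAMS];
    uint32_t neighbour;  /* what an index of MAX_STREAMS lands on */
};
static struct toy_kmem km;

/* Vulnerable shape: derives a write offset from the caller's index with
 * no comparison against MAX_STREAMS. The sizeof(km) test is only the
 * simulation's wall, not a security check; a real handler written this
 * way writes wherever the index points. */
int set_rx_rate_unchecked(const struct rate_req *req)
{
    size_t off = (size_t)req->stream * sizeof(uint32_t);
    if (off + sizeof(uint32_t) > sizeof(km))
        return -EFAULT;
    memcpy((uint8_t *)&km + off, &req->rate, sizeof(uint32_t));
    return 0;
}

/* Hardened handler: checks the buffer length before interpreting it,
 * copies it out of caller-controlled memory, then bounds-checks the
 * index before it is used. Returns 0 or -errno. */
int set_rx_rate(const void *ubuf, size_t ulen)
{
    struct rate_req req;

    if (ubuf == NULL || ulen != sizeof(req))
        return -EINVAL;                  /* short or oversized request */
    memcpy(&req, ubuf, sizeof(req));     /* stand-in for copyin() */

    if (req.stream >= MAX_STREAMS)
        return -ERANGE;                  /* would index past the table */

    km.rx_rate_table[req.stream] = req.rate;
    return 0;
}

/* Read side applies the same check rather than trusting the caller. */
uint32_t get_rx_rate(uint32_t stream)
{
    return stream < MAX_STREAMS ? km.rx_rate_table[stream] : 0;
}

int main(void)
{
    struct rate_req bad = { .stream = MAX_STREAMS, .rate = 0xdead };
    struct rate_req ok  = { .stream = 1, .rate = 54 };

    set_rx_rate_unchecked(&bad);
    printf("unchecked: neighbour field now 0x%x\n", km.neighbour);
    km.neighbour = 0;

    printf("checked, bad index: %d\n", set_rx_rate(&bad, sizeof(bad)));
    printf("checked, short buffer: %d\n", set_rx_rate(&ok, 4));
    printf("checked, valid: %d -> rate %u\n",
           set_rx_rate(&ok, sizeof(ok)), get_rx_rate(1));
    return 0;
}
```

The length check comes before the copy on purpose: a handler that copies `sizeof(req)` bytes out of a shorter user buffer reads past it, so the length is the first thing validated, the index the second, and only then is the memory touched. The same ordering is what a firmware-side parser applies to a message from the kernel when, as with T2, it treats the kernel as untrusted.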

References