XNU
Apple's Domain Knowledge
Driver Stack
Daemon: airportd, sharingd
Framework: Apple80211, CoreWifi, CoreWLAN
---
Family driver: IO80211Family, IONetworkingFamily
Plug-in driver: AppleBCMWLANCore replaces the AirPort Brcm series of drivers
Low-level driver: AppleBCMWLANBusInterfacePCIe
Possible Parts of XNU
- Support for ARM architecture
- Refactored drivers
- Subsystems such as SkyWalk
- Protocols such as Apple Wireless Direct Link
- New syscalls (ifioctl(), ifioctl_nexus(), skoid_create()) and sysctl registration
Some Apple Projects
- PoCs provided by Apple
- Intel Wi-Fi for macOS
  - itlwm
  - Voodoo80211
- Kemon: An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring
  - Practice of kernel inline hooking
Rewriting Apple Driver Binaries
- Has a check
- Can be instrumented by disabling ASID
SoC Firmware
The T2 has special firmware logic to check input coming from the kernel.
In other words, the firmware does not trust the kernel.
Attack Surfaces
- From remote and local firmware to the kernel (most challenging: no symbols, no logs)
- From user-mode daemons and frameworks to the kernel
- All other handlers and parsers for input parameters
Attack surface identification:
- Traditional BSD ioctl, IOKit IOConnectCallMethod series and sysctl interfaces
- Various packet sending and receiving interfaces
- Various network setting interfaces
- Various types of network interfaces
Try fuzzing against both high-level and low-level API interfaces; a good example is Bluetooth HCI.
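The ioctl/IOConnectCallMethod surface above is where a user-mode daemon hands the driver a command index, an offset and a length, and the CVE classes later on this page (boundary checking errors, arbitrary writes, unsanitized input) are what happens when those fields are used unchecked. The following is an added example, not code from the slides or from any Apple driver: a mock dispatcher for a hypothetical Wi-Fi driver (all `wlan_*` names, the request layout, the channel range and the scratch size are constructed) with the unchecked dispatcher kept beside the hardened one, plus a random-input loop standing in for a fuzzer that watches a canary behind the scratch buffer.

```c
/* Added example (constructed, not from the slides or any Apple driver):
 * ioctl-style dispatcher for a hypothetical "wlan" driver, unchecked and
 * hardened variants, plus a fuzz-style loop with a canary. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WLAN_CMD_GET_RATE      0
#define WLAN_CMD_SET_CHAN      1
#define WLAN_CMD_WRITE_SCRATCH 2
#define WLAN_CMD_COUNT         3
#define WLAN_SCRATCH_SIZE      64

enum { WLAN_OK = 0, WLAN_EINVAL = -1, WLAN_ERANGE = -2, WLAN_EOVERFLOW = -3 };

struct wlan_req {              /* request as it arrives from user space (assumed layout) */
    uint32_t cmd;              /* index into the handler table */
    uint32_t offset;           /* destination offset inside scratch[] */
    uint32_t len;              /* bytes of data[] to consume */
    uint8_t  data[WLAN_SCRATCH_SIZE];
};

struct wlan_softc {            /* driver state; canary sits right behind scratch[] */
    uint8_t  scratch[WLAN_SCRATCH_SIZE];
    uint8_t  canary[8];
    uint32_t channel;
    uint32_t rx_rate_mbps;
};

typedef int (*wlan_handler_t)(struct wlan_softc *, const struct wlan_req *);

static int wlan_get_rate(struct wlan_softc *sc, const struct wlan_req *req) {
    (void)req;
    return (int)sc->rx_rate_mbps;            /* non-negative result, reads no user data */
}

static int wlan_set_chan(struct wlan_softc *sc, const struct wlan_req *req) {
    uint32_t ch;
    if (req->len != sizeof ch) return WLAN_EINVAL;
    memcpy(&ch, req->data, sizeof ch);
    if (ch < 1 || ch > 196) return WLAN_ERANGE;   /* channel bounds are an assumption */
    sc->channel = ch;
    return WLAN_OK;
}

static int wlan_write_scratch(struct wlan_softc *sc, const struct wlan_req *req) {
    memcpy(sc->scratch + req->offset, req->data, req->len);  /* trusts the dispatcher */
    return WLAN_OK;
}

static const wlan_handler_t wlan_handlers[WLAN_CMD_COUNT] = {
    wlan_get_rate, wlan_set_chan, wlan_write_scratch,
};

/* Shape of the bugs listed on this page: table index, offset and length are
 * taken straight from the request. Kept for contrast only. */
int wlan_ioctl_unchecked(struct wlan_softc *sc, const struct wlan_req *req) {
    return wlan_handlers[req->cmd](sc, req);
}

/* Hardened dispatcher: every user-controlled field is validated before use. */
int wlan_ioctl(struct wlan_softc *sc, const struct wlan_req *req) {
    if (req->cmd >= WLAN_CMD_COUNT) return WLAN_EINVAL;           /* out-of-table index */
    if (req->len > WLAN_SCRATCH_SIZE) return WLAN_EOVERFLOW;       /* length vs. buffer */
    if (req->offset > WLAN_SCRATCH_SIZE - req->len)                /* offset+len without */
        return WLAN_EOVERFLOW;                                     /* 32-bit wraparound  */
    return wlan_handlers[req->cmd](sc, req);
}

/* Builds one request, dispatches it on fresh state, returns the status. */
int wlan_call(uint32_t cmd, uint32_t offset, uint32_t len, uint32_t word) {
    struct wlan_softc sc; struct wlan_req req;
    memset(&sc, 0, sizeof sc); memset(&req, 0, sizeof req);
    sc.rx_rate_mbps = 866;
    req.cmd = cmd; req.offset = offset; req.len = len;
    memcpy(req.data, &word, sizeof word);
    return wlan_ioctl(&sc, &req);
}

/* Random-input loop in place of a fuzzer: returns 1 if the canary survived. */
int wlan_fuzz(unsigned iterations, unsigned seed) {
    struct wlan_softc sc; struct wlan_req req;
    memset(&sc, 0, sizeof sc); memset(sc.canary, 0xAA, sizeof sc.canary);
    srand(seed);
    for (unsigned i = 0; i < iterations; i++) {
        memset(req.data, 0x41, sizeof req.data);
        req.cmd = (uint32_t)rand() % 8;              /* includes out-of-table indices */
        req.offset = (uint32_t)rand();
        req.len = (uint32_t)rand();
        if (rand() & 1) {                            /* half the time, near-boundary values */
            req.offset %= WLAN_SCRATCH_SIZE + 1;
            req.len %= WLAN_SCRATCH_SIZE + 1;
        }
        (void)wlan_ioctl(&sc, &req);
    }
    for (size_t i = 0; i < sizeof sc.canary; i++)
        if (sc.canary[i] != 0xAA) return 0;
    return 1;
}
```

The third check in `wlan_ioctl` is written as `offset > SIZE - len` rather than `offset + len > SIZE` on purpose: with 32-bit fields, `0xFFFFFFF0 + 0x20` wraps to `0x10` and the naive form lets the write through. Swapping `wlan_ioctl` for `wlan_ioctl_unchecked` in `wlan_fuzz` is the quickest way to see the canary die.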
Kernel Debugging
Make full use of LLDB and the KDK:
- panic log information alone is not enough to find the root cause
- variable values sometimes require dynamic analysis
- kernel heap corruption requires remote debugging
Vulnerabilities
- CVE-2020-9834: Broadcom's OS Independent Layer
- CVE-2019-8648: error in llvm for arm port
- CVE-2022-32874:
- CVE-2020-10013: boundary checking error / arbitrary memory write
- CVE-2022-26762: getRxRate forgot to sanitize user input
- CVE-2022-32837 and CVE-2022-32860: lack of effective input verification
- CVE-2015-0057: 1-bit overflow
- CVE-2022-26761: type confusion for different architectures