LLDBFuzzer: Debugging and Fuzzing the Apple Kernel with LLDB Script


by Lilang Wu and Moony Li


The bug hunting space has grown significantly smaller now that most mobile operating systems feature built-in threat mitigation tools and techniques. Android 9's control flow integrity (CFI) and the hardware-backed pointer authentication codes (PAC) introduced with iOS 12 are some examples of such features. Industry-standard fuzzers like American fuzzy lop (AFL) and syzkaller are widely used as well.


To help security researchers, we have developed LLDBFuzzer, which is based on the LLVM Project's next-generation debugger, the Low Level Debugger (LLDB). We tested LLDBFuzzer on a Mac Pro's AMD graphics drivers. These drivers accelerate and optimize 2D, 3D and video rendering, and they expose many interfaces that user space can reach; this large, user-reachable attack surface makes them a good target for LLDBFuzzer.


LLDBFuzzer architecture


LLDB is not suitable for debugging low-level kernel components, but it can debug almost all kernel extensions and XNU code once the required hardware has been brought up. Building on these capabilities, this is the novel fuzzing architecture of LLDBFuzzer:



Figure 1. The LLDBFuzzer Architecture


This solution is based on the remote kernel debugger system, so there are two machines: the remote machine, which runs our main fuzzing logic; and the target machine, which is loaded with a custom kernel and hosts our fuzz point. The target machine can be a macOS VM or a real device.
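As an added example (not LLDBFuzzer's own code, which this page does not show), here is a minimal LLDB Python script of the kind the remote machine would run: a breakpoint on a kext entry point whose callback mutates the buffer argument before the kernel consumes it, with the mutation engine kept in plain Python so it can be tested outside LLDB. It assumes an x86-64 target already attached with `kdp-remote`, that the buffer pointer and its length are the second and third arguments (`rsi`/`rdx`), a placeholder function name, and that the file is imported as the module `lldbfuzz_example`.

```python
# Added example, not LLDBFuzzer's code. Mutation engine is pure Python; the
# LLDB glue imports lldb lazily so the engine can be unit-tested on its own.
import random

def mutate(buf: bytes, seed: int, max_ops: int = 4) -> bytes:
    """Deterministically corrupt a few bytes of buf (same seed -> same output)."""
    if not buf:
        return buf
    rng = random.Random(seed)
    out = bytearray(buf)
    for _ in range(rng.randint(1, max_ops)):
        i = rng.randrange(len(out))
        op = rng.randrange(3)
        if op == 0:
            out[i] ^= 1 << rng.randrange(8)                 # single bit flip
        elif op == 1:
            out[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))    # boundary byte
        else:
            out[i] = (out[i] + rng.randrange(1, 17)) & 0xFF  # small arithmetic delta
    return bytes(out)

class FuzzState:
    """Survives across breakpoint hits; keeps a log for crash triage."""
    def __init__(self):
        self.iteration = 0
        self.log = []  # (iteration, address, original, mutated)
    def next_case(self, addr: int, data: bytes) -> bytes:
        self.iteration += 1
        mutated = mutate(data, self.iteration)
        self.log.append((self.iteration, addr, data, mutated))
        return mutated

STATE = FuzzState()
BUF_REG, LEN_REG = "rsi", "rdx"  # assumption: x86-64 SysV, 2nd and 3rd arguments
MAX_READ = 0x1000                # cap what we pull over the debug link

def fuzz_point(frame, bp_loc, internal_dict):
    """Breakpoint callback: mutate the buffer argument in place, then resume."""
    import lldb
    process = frame.GetThread().GetProcess()
    addr = frame.FindRegister(BUF_REG).GetValueAsUnsigned()
    size = min(frame.FindRegister(LEN_REG).GetValueAsUnsigned(), MAX_READ)
    err = lldb.SBError()
    data = process.ReadMemory(addr, size, err)
    if err.Success() and data:
        process.WriteMemory(addr, STATE.next_case(addr, bytes(data)), err)
    return False  # False = do not stop; the kernel continues with the mutated input

def __lldb_init_module(debugger, internal_dict):
    # Assumes `kdp-remote <target-ip>` already ran; the function name is a placeholder.
    bp = debugger.GetSelectedTarget().BreakpointCreateByName("HYPOTHETICAL_kext_method")
    bp.SetScriptCallbackFunction("lldbfuzz_example.fuzz_point")
```

Load it in the remote-side LLDB session with `command script import lldbfuzz_example.py`; each hit of the breakpoint then yields one mutated test case and a log entry to correlate with any panic the target produces.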


The following explains each module:


Pro ..
