Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages
a year ago
- #MacOS
- #Fuzzing
- #Security
- Guest post by Dillon Franke, Senior Security Engineer, discussing macOS security research.
- Exploration of Mach IPC messages as an attack vector for sandbox escapes.
- Use of a custom fuzzing harness, dynamic instrumentation, and debugging to identify vulnerabilities.
- Discovery of a high-risk type confusion vulnerability in the coreaudiod system daemon.
- Open-sourcing of fuzzing tools and harness on GitHub.
- Adoption of a knowledge-driven fuzzing approach combining automation and manual analysis.
- Detailed steps in the research cycle: identify attack vector, choose target, create harness, fuzz, analyze, iterate.
- Focus on Mach messages due to their historical security issues and core role in macOS IPC.
- Selection of coreaudiod daemon as target due to complexity and accessibility from sandboxed processes.
- Creation of a fuzzing harness to directly call Mach message handlers for efficiency.
- Challenges in initializing the target and handling stateful message handlers.
- Use of API Call Chaining to manage interdependent Mach message handlers.
- Mocking out unnecessary functionality to focus fuzzing efforts.
- Improvements in sample structure to pass syntax checks and handle out-of-line (OOL) data.
- Discovery of a type confusion vulnerability in multiple Mach message handlers.
- Proof-of-concept demonstrating the vulnerability's exploitability via the mach_msg API.
- Apple's patch adding type checks to prevent the vulnerability.
- Recommendations for future prevention of similar vulnerabilities.