AV1 Decoding Fuzz Testing Project on Apple Platforms
Quick take - A project focused on implementing and fuzz testing AV1 decoding on Apple platforms has been developed, utilizing hardware acceleration on A17 iOS and M3 macOS devices, and employing various methodologies for fuzzing the AppleAVD kernel extension to identify vulnerabilities in kernel code.
Fast Facts
- A project focused on implementing and fuzz testing AV1 decoding on Apple platforms, utilizing hardware acceleration on A17 iOS and M3 macOS devices.
- The AppleAVD kernel extension handles a significant portion of AV1 format parsing, with fuzzing methods developed by Ivan Fratric building on previous kernel extension fuzzing efforts.
- Key methodologies include loading the AppleAVD extension into IDA, exporting raw memory, and using a custom TinyInst module for hooking and instrumentation during the fuzzing process.
- The fuzzing process, facilitated by Jackalope, aims to identify bugs such as out-of-bounds reads and integer underflows, with issues reproducible on M3-equipped MacBooks.
- The project demonstrates the effectiveness of userspace kernel extension fuzzing for uncovering vulnerabilities, with potential applications beyond AV1 parsing.
Comprehensive Project on AV1 Decoding Fuzz Testing
A comprehensive project has been undertaken on video decoding, specifically the implementation and fuzz testing of AV1 decoding on Apple platforms. The project highlights the use of hardware acceleration for AV1 decoding on iOS devices with the A17 chip and on macOS devices with the M3 chip.
Fuzzing Methodology and Previous Efforts
A significant portion of the AV1 format parsing is conducted through software within the AppleAVD kernel extension. Ivan Fratric authored the piece, delving into various methods for fuzzing the AppleAVD kernel extension. The research builds upon previous efforts in kernel extension fuzzing. Noteworthy prior projects include the Fairplay project, which utilized a custom loader to execute kernel extensions in userspace. Another methodology was presented by Andrey Labunets and Nikita Tarakanov at Hexacon 2022, involving decompiling and rebuilding kernel extension code. The KextFuzz project focused on static instrumentation for coverage collection, while the Pishi project also emphasized static instrumentation of kernel extension code.
Fratric’s approach prioritizes simplicity over complexity in the fuzzing method. Key steps in the methodology include loading the AppleAVD extension or the complete kernel cache into IDA (Interactive DisAssembler). The module is then rebased to a mappable address in userspace. Raw memory is exported using an IDA Python script, and the exported bytes are loaded with a custom loader. A custom TinyInst module is employed for hooking and instrumentation, with Jackalope used for the fuzzing process.
Challenges and Findings
Kernel extensions on macOS are organized into “kernel collections,” which are subsequently repackaged into a “kernel cache” during boot. Existing tools have difficulty producing individual .dylib files from kernel caches, so IDA Pro’s loader for Apple kernel caches is highlighted as a crucial tool in the process. The article provides an efficient method for exporting memory segments and symbol names from IDA. To execute the exported data, the loader maps memory and copies the exported segments into it. Functions that do not work correctly in userspace, such as kernel allocator functions, must be replaced.
The author successfully replaced specific functions within the AV1 parsing code to ensure compatibility with userspace execution. The developed TinyInst module plays a vital role in facilitating code coverage extraction and manages function replacements and instrumentation in conjunction with the loader. The fuzzing process aims to uncover bugs in both the target and the harness. Several issues were identified, such as out-of-bounds reads and integer underflows.
These reported issues were verified to be reproducible on a MacBook featuring an M3 chip that supports AV1 hardware decoding. This project illustrates the potential for userspace kernel extension fuzzing to unveil vulnerabilities within kernel code. The approach is adaptable and can be applied to other kernel code beyond just AV1 parsing.
Original Source: Read the Full Article Here