Cisco Talos releases new macOS open-source fuzzer tool

Cisco Talos has released a new macOS open-source fuzzer tool, Fuzzer, based on the WhatTheFuzz framework. Fuzzer allows cybersecurity professionals to test macOS software on commodity hardware. The tool is available now on the Talos Github repository, and a complete guide on deploying it is on the Talos blog.

Why macOS Fuzzing is hard: Closed-source

Since macOS is a closed-source and the hardware is proprietary, fuzzing presents several challenges compared to Linux. According to Talos researchers, the closed-source nature of macOS and hardware “means we cannot use our commodity off-the-shelf servers to test macOS code.”

The answer is extensive snapshotting of the entire macOS physical running state, including CPU cache and memory state. The WhatTheFuzz framework requires additional tweaking to adapt it to catch crashes and faulting mechanisms of the macOS platform, which differs significantly from Windows.

How the macOS Fuzzer tool works

Fuzzer operates in multiple steps to support the macOS platform:

1. First, Talos took a snapshot of an actual, physical macOS machine. This provided Talos researchers with the most accurate attack surface vectors with all kernel extensions that require special hardware loading.
2. Second, Talos utilized VMWare Fusion to suspend a VM or clone the clone the exact state you want to revert to. This allowed the researchers to take a snapshot of the machine state paused at precisely the instruction desired.
3. Next, Talos loaded the suspended VM image into the WhatTheFuzz framework. To prevent the system from forcing a restart after a kernel crash or bug, the team put an exception_triage function in the execution path between the fault happening and the restart.
4. Now, Talos had all the necessary requirements in place to fuzz a macOS kernel target.

Why a macOS Fuzzer is valuable to the cybersecurity community

Providing a tool and capability previously unavailable to the macOS platform at this depth is invaluable for future macOS vulnerability research.

One of the standout features of Talos’ macOS Fuzzer is its adaptability and versatility. It is engineered to accommodate various testing scenarios, including fuzzing APIs, file formats, and network protocols. This flexibility ensures comprehensive coverage, enabling security professionals to identify and remediate vulnerabilities across diverse macOS environments.

Apple’s proliferation across the enterprise and public sector has presented new challenges for security operation centers accustomed to supporting Windows and Linux easily.

Gone are the days when Apple devices and macOS were “rare exceptions” in corporate networks, and enterprises need to know how to best support and harden these devices.

Tools like Fuzzer will help ethical hacking and vulnerability bug bounty hunters uncover new threats and attack vectors. This improved transparency and scrutinization of vulnerabilities on macOS will result in better cyber threat detection and prevention that will flow down to enterprise customers and home users.

Learn more about Fuzzing and Fuzz Testing

We’ve barely scratched the surface of the value and importance of this tool and fuzzing/fuzz testing.

The Talos blog offers a complete guide to deploying the Talos macOS Fuzzer tool. We highly encourage you to read it to learn more about the tool and Talos’ approach.