XNU Image Tools is a multi-platform image output tool designed to ensure consistency, compatibility, and quality across different devices and platforms. By starting with a baseline image and generating platform-specific outputs, this tool allows for comprehensive testing and optimization.
When these baseline images are subsequently input into fuzzing tools like XNU Image Fuzzer, Jackalope, or AFL, it is possible to identify platform-specific vulnerabilities, bugs, and other unpredictable behaviors.
Fuzzing with pre-processed images that contain fine-grained, user-controllable inputs significantly increases the effective coverage envelope for a fault injection campaign.
XNU Image Tools provides custom image generation and fuzz testing within XNU environments. The Workspace currently comprises two main components:
- XNU Image Generation Apps: This includes iOS and Apple Watch apps for generating and sharing unique images in various formats.
- XNU Image Fuzzer: A proof of concept implementation of an image fuzzer aimed at uncovering potential vulnerabilities in image processing routines.
- VideoToolbox Interposer with Fuzzing: This project focuses on interposing and fuzzing VideoToolbox functionalities on iOS and macOS platforms.
- Jackalope: Jackalope is a customizable, distributed, coverage-guided fuzzer that is able to work with black-box binaries.
| Build OS & Device Info | Build | Install |
|---|---|---|
| macOS 14.5 X86_64 | ✅ | ✅ |
| macOS 14.5 arm | ✅ | ✅ |
| iPadOS 17.5 | ✅ | ✅ |
| iPhoneOS 17.5 | ✅ | ✅ |
| VisionPro 1.2 | ✅ | ✅ |
| watchOS 10.5 | ✅ | ✅ |
- Open an Issue
-
iOS App:
- Generate different images by changing the code.
- Browse and select the generated images.
- Share images through built-in Share Sheet.
-
Apple Watch App:
- View generated images.
- Select and share images directly from your wrist.
- macOS 14.5 or later
- iOS 17.5 or later
- watchOS 10.5 or later
- Xcode 15.0 or later
- Swift 5.10 or later
- Open in Xcode
- Open `XNU Image Tools.xcworkspace` in Xcode.
- Update the Team ID
- Select the appropriate scheme for the iOS or watchOS app.
- Build and run the app on your desired device.
-
iOS App:
- Launch the iOS app.
- Tap the "Generate" button to create new images.
- Browse and share the generated images via AirDrop.
-
Apple Watch App:
- Launch the Watch app.
- Scroll through the list of generated images.
- tap and share images directly from the Watch.
The XNU Image Fuzzer demonstrates basic fuzzing techniques on image data to uncover potential vulnerabilities in image processing routines. It includes Objective-C code implementing 12 `CGCreateBitmap` and `CGColorSpace` functions working with raw data and string injections as user-controllable inputs.
https://srd.cx/xnu-image-fuzzer/
-
Open as Xcode Project
-
Update the Team ID
-
Click Run
-
Share a File
- Copy fuzzed files.
- Open the Files app on the device.
- Tap Share to transfer the new fuzzed images to your desktop.
- Select all files to AirDrop to your desktop.
This project focuses on interposing and fuzzing VideoToolbox functionalities on iOS and macOS platforms. The project includes multiple build targets and tests for iOS and macOS with Interposing dylibs.
The Jackalope Fuzzer is included, and a reminder that TinyInst needs to be installed on the command line to Build.
Open Terminal, execute the following commands:
cd Jackalope
git clone --recurse-submodules https://github.com/googleprojectzero/TinyInst.git
mkdir build
cd build
cmake ..
cmake --build . --config Debug
- No errors are expected, the project will build, happy fuzzing.
cd Jackalope
git clone --recurse-submodules https://github.com/googleprojectzero/TinyInst.git
mkdir xcode_build
cd xcode_build
cmake -G Xcode ..
open fuzzer.xcodeproj
- No errors are expected, the project will build, happy fuzzing.
Embedding fault mechanisms into a generic image and further processing it through fuzzing enhances the effectiveness of testing by uncovering edge cases and potential vulnerabilities in image processing software.
- Insight: Fuzzed images introduce a wide range of potential edge cases.
- Analysis: Helps uncover rare bugs and vulnerabilities that might only occur with specific, unanticipated inputs.
- Insight: Stress-tests the robustness of image processing algorithms.
- Analysis: Ensures the software can handle diverse and unexpected inputs without crashing or producing incorrect results.
- Insight: Targets specific vulnerabilities through fault injections.
- Analysis: Exposes security weaknesses, such as buffer overflows, by providing inputs that cause unexpected behavior.
- Insight: Tests the software's ability to handle different image formats and types.
- Analysis: Reduces the risk of compatibility issues by providing comprehensive testing coverage.
- Insight: Integrates with automated fuzzing frameworks like Jackalope.
- Analysis: Enables continuous and scalable testing, improving software robustness over time.
- Prepare the Image:
- Start with a generic image.
- Apply initial fuzzing to introduce random mutations.
- Embed specific fault mechanisms to target vulnerabilities.
- Submit to Fuzzing Harness:
- Load the processed image into a fuzzing framework like Jackalope.
- Configure the tool to use the image as a seed for further automated fuzzing.
- Monitor and Analyze:
- Monitor for crashes, hangs, and other signs of vulnerabilities.
- Collect and analyze the results to identify and understand the bugs found.