macOS Kernel & OS Security Fuzzer — Targeting vulnerabilities from Mac OS X Lion (10.7) through macOS Tahoe (26.x)
Written in Objective-C + ARM64 Assembly. Apple Silicon native, x86_64 compatible.
- 8 mutation strategies: bitflip, byteflip, arithmetic, interesting, dictionary, havoc, splice, structural
- AFL-style coverage-guided fuzzing with corpus management (SanCov + kcov)
- Fork-based fuzzing with alarm timeout for stability
- Kernel heap feng shui: port spray, OOL spray, kalloc zone targeting
- Distributed multi-worker fuzzing with session management
- SHA256 stack-hash-based crash deduplication (O(1) lookup)
- MSEC-style exploitability tagging: EXPLOITABLE, PROBABLY_EXPLOITABLE, PROBABLY_NOT_EXPLOITABLE, UNKNOWN
- CVSS v3.1 base score calculation with full sub-score breakdown
- ASan / TSan / UBSan crash log parsing and classification
- Advanced pattern detection: controlled PC, write-what-where, heap corruption, stack overflow, NULL deref, use-after-free, buffer overflow, data races
- Full assessment report with executive summary and detailed findings
- CVSS v3.1 scoring summary table per finding
- Exploitation potential assessment with attack narratives
- Per-vulnerability-type recommended mitigations
- Output formats: Markdown, HTML (dark theme), JSON
- Reports generated in the `reports/` directory
- Generates standalone Objective-C reproducer files per crash type
- Target-specific reproduction templates (IOKit, memory corruption, illegal instruction, NULL deref, stack overflow)
- Delta-debugging based input minimization
- Symbolicated crash analysis with exploitability assessment
- Load saved crash inputs from the `crashes/` directory
- Re-execute against the original target to verify reproducibility
- Batch replay all crashes with pass/fail reporting
- Signal-level matching for precise regression testing
- CLI: `--replay <crash-dir>` or `--replay-dir <dir>`
- Real-time fuzzing statistics dashboard
- Crash detail panel with hex dump viewer
- Built with AppKit — no external dependencies
- Raw syscall / Mach trap wrappers
- PAC strip/sign/auth primitives
- Kernel r/w helpers, heap spray patterns
- Spectre probes, MTE bypass, cache flush
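The mutation strategies listed above (bitflip, byteflip, arithmetic, interesting, havoc, splice), as an added worked example in plain C. This is not code from ordinal_fuzzer; the xorshift PRNG, the interesting-value tables, the 1/2/4-byte little-endian widths, the havoc stacking depth and the 32-byte duplicate cap are all my assumptions. Dictionary and structural mutation need a corpus-specific token list or grammar and are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deterministic xorshift64* PRNG: the same seed replays the same havoc/splice sequence. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
void mut_seed(uint64_t s) { rng_state = s ? s : 1; }
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    rng_state = x;
    return x * 0x2545F4914F6CDD1DULL;
}
static size_t rng_below(size_t n) { return n ? (size_t)(rng_next() % n) : 0; }

/* AFL-style "interesting" constants: boundary values that shake out sign and length-check bugs. */
static const int8_t  interesting8[]  = { INT8_MIN, -1, 0, 1, 16, 32, 64, 100, INT8_MAX };
static const int16_t interesting16[] = { INT16_MIN, -129, 128, 255, 256, 512, 1000, 1024, 4096, INT16_MAX };
static const int32_t interesting32[] = { INT32_MIN, -100663046, -32769, 32768, 65535, 65536, 100663045, INT32_MAX };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Deterministic single-step mutations: edit buf in place and return the (unchanged) length. */
size_t mut_bitflip(uint8_t *buf, size_t len, size_t bit) {
    if (!len) return 0;
    bit %= len * 8;
    buf[bit / 8] ^= (uint8_t)(1u << (bit % 8));
    return len;
}
size_t mut_byteflip(uint8_t *buf, size_t len, size_t pos) {
    if (!len) return 0;
    buf[pos % len] ^= 0xFF;
    return len;
}
/* Add delta to a 1/2/4-byte little-endian word (arm64 and x86_64 are LE); wraps at that width. */
size_t mut_arith(uint8_t *buf, size_t len, size_t pos, int32_t delta, size_t width) {
    if (!width || width > 4 || len < width) return len;
    pos %= len - width + 1;
    uint32_t v = 0;
    memcpy(&v, buf + pos, width);
    v += (uint32_t)delta;
    memcpy(buf + pos, &v, width);
    return len;
}
size_t mut_interesting(uint8_t *buf, size_t len, size_t pos, size_t idx, size_t width) {
    if (len < width) return len;
    pos %= len - width + 1;
    if (width == 1)      { int8_t  v = interesting8[idx % COUNT(interesting8)];   memcpy(buf + pos, &v, 1); }
    else if (width == 2) { int16_t v = interesting16[idx % COUNT(interesting16)]; memcpy(buf + pos, &v, 2); }
    else if (width == 4) { int32_t v = interesting32[idx % COUNT(interesting32)]; memcpy(buf + pos, &v, 4); }
    return len;
}

/* Havoc: a random stack of the steps above plus block delete / duplicate; cap bounds growth. */
size_t mut_havoc(uint8_t *buf, size_t len, size_t cap) {
    int rounds = 1 << (1 + rng_below(5));                     /* 2..32 stacked edits */
    for (int r = 0; r < rounds; r++) {
        size_t w = (size_t)1 << rng_below(3);                  /* 1, 2 or 4 bytes */
        switch (rng_below(6)) {
        case 0: len = mut_bitflip(buf, len, rng_below(len * 8)); break;
        case 1: len = mut_byteflip(buf, len, rng_below(len)); break;
        case 2: { int32_t d = (int32_t)rng_below(35) + 1; if (rng_below(2)) d = -d;
                  len = mut_arith(buf, len, rng_below(len), d, w); break; }
        case 3: len = mut_interesting(buf, len, rng_below(len), rng_below(16), w); break;
        case 4: if (len > 1) {                                 /* delete a block, keep >= 1 byte */
                    size_t a = rng_below(len), n = 1 + rng_below(len - a);
                    if (n == len) n = len - 1;
                    memmove(buf + a, buf + a + n, len - a - n); len -= n;
                } break;
        case 5: if (len && len < cap) {                        /* duplicate a block elsewhere */
                    uint8_t tmp[32];
                    size_t max = cap - len < sizeof tmp ? cap - len : sizeof tmp;
                    if (max > len) max = len;
                    size_t n = 1 + rng_below(max), src = rng_below(len - n + 1), dst = rng_below(len + 1);
                    memcpy(tmp, buf + src, n);
                    memmove(buf + dst + n, buf + dst, len - dst);
                    memcpy(buf + dst, tmp, n); len += n;
                } break;
        }
    }
    return len;
}

/* Splice: a prefix of one corpus entry followed by a suffix of another; returns bytes written. */
size_t mut_splice(uint8_t *out, size_t cap, const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    if (!alen || !blen || !cap) return 0;
    size_t cut_a = 1 + rng_below(alen), cut_b = rng_below(blen);
    if (cut_a > cap) cut_a = cap;
    memcpy(out, a, cut_a);
    size_t rest = blen - cut_b;
    if (rest > cap - cut_a) rest = cap - cut_a;
    memcpy(out + cut_a, b + cut_b, rest);
    return cut_a + rest;
}

/* Deterministic checks a harness can call; returns 1 when every expectation holds. */
int mut_selftest(void) {
    uint8_t b[8] = {0};
    mut_bitflip(b, 8, 9);  if (b[1] != 0x02) return 0;
    mut_byteflip(b, 8, 2); if (b[2] != 0xFF) return 0;
    uint8_t c[4] = { 0xFF, 0x00, 0x00, 0x00 };
    mut_arith(c, 4, 0, 1, 2);  if (c[0] != 0x00 || c[1] != 0x01) return 0;    /* 0x00FF + 1 = 0x0100 */
    mut_arith(c, 4, 0, -1, 1); if (c[0] != 0xFF) return 0;                      /* 0x00 - 1 wraps to 0xFF */
    mut_interesting(c, 4, 0, 0, 4); if (c[0] != 0x00 || c[3] != 0x80) return 0; /* INT32_MIN, LE */
    uint8_t h[64] = "IOKT\x10\x00\x00\x00payload";                                  /* constructed seed */
    mut_seed(1234);
    size_t n = mut_havoc(h, 16, sizeof h); if (n == 0 || n > sizeof h) return 0;
    uint8_t s[8];
    size_t m = mut_splice(s, 8, (const uint8_t *)"AAAA", 4, (const uint8_t *)"BBBB", 4);
    return (m >= 2 && m <= 8 && s[0] == 'A') ? 1 : 0;
}
```

`mut_selftest` doubles as the usage example: seed the PRNG, run the deterministic steps on a fixed buffer, then stack them with `mut_havoc`. Recording the seed alongside each saved crash is what makes a havoc-produced input reproducible later.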
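Delta-debugging minimization and signal-level matching from the crash-triage list, as one added worked example in plain C (not code from this project). The `ddmin` below is the complement-removal variant of Zeller and Hildebrandt's algorithm; `fake_target` is a constructed stand-in that returns a signal number instead of re-executing a real binary, and the "IOKT" header format it parses is invented for the demo.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Oracle: does this candidate input still reproduce the crash we are minimizing? */
typedef int (*still_crashes_fn)(const uint8_t *buf, size_t len, void *ctx);

/* ddmin, complement-removal variant: split into n chunks, try dropping each one; on success keep
 * the shorter input and coarsen, otherwise halve the chunk size. Edits buf in place. */
size_t ddmin(uint8_t *buf, size_t len, still_crashes_fn still_crashes, void *ctx) {
    if (len < 2 || !still_crashes(buf, len, ctx)) return len;
    uint8_t *tmp = malloc(len);
    if (!tmp) return len;
    size_t n = 2;
    while (len >= 2) {
        int reduced = 0;
        for (size_t i = 0; i < n && !reduced; i++) {
            size_t lo = i * len / n, hi = (i + 1) * len / n;     /* chunk i = buf[lo, hi) */
            if (hi == lo) continue;
            size_t tl = len - (hi - lo);
            memcpy(tmp, buf, lo);
            memcpy(tmp + lo, buf + hi, len - hi);
            if (still_crashes(tmp, tl, ctx)) {
                memcpy(buf, tmp, tl);
                len = tl;
                n = n > 2 ? n - 1 : 2;
                reduced = 1;
            }
        }
        if (!reduced) {
            if (n >= len) break;                                /* single-byte granularity reached */
            n = 2 * n < len ? 2 * n : len;
        }
    }
    free(tmp);
    return len;
}

/* Constructed stand-in for the target under --replay: returns the signal it "dies" with, or 0.
 * An "IOKT" header whose declared length exceeds the buffer fakes a wild read (SIGSEGV); a DE AD
 * marker anywhere fakes a failed assertion (SIGABRT). Not a real parser. */
int fake_target(const uint8_t *buf, size_t len) {
    if (len >= 8 && memcmp(buf, "IOKT", 4) == 0) {
        uint32_t declared = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                            (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
        if (declared > len) return SIGSEGV;
    }
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == 0xDE && buf[i + 1] == 0xAD) return SIGABRT;
    return 0;
}

/* Signal-level matching: a candidate counts only if it dies with the same signal as the original. */
static int same_signal(const uint8_t *buf, size_t len, void *ctx) {
    return fake_target(buf, len) == *(int *)ctx;
}

size_t minimize_for_signal(uint8_t *buf, size_t len, int want) {
    return ddmin(buf, len, same_signal, &want);
}

/* Constructed 28-byte crasher: valid header, declared length 0xFFFFFFFF, filler, and a DE AD
 * distractor so that a SIGABRT-only survivor would wrongly count without signal matching. */
size_t demo_minimize(uint8_t *out) {
    static const char seed[] = "IOKT\xff\xff\xff\xff" "AAAAAAAAA\xde\xad" "AAAAAAAAA";
    size_t len = sizeof seed - 1;
    memcpy(out, seed, len);
    return minimize_for_signal(out, len, SIGSEGV);
}

/* Runs the demo and returns the minimized length, or 0 if the survivor no longer dies with SIGSEGV. */
size_t demo_minimized_len(void) {
    uint8_t out[32];
    size_t n = demo_minimize(out);
    return fake_target(out, n) == SIGSEGV ? n : 0;
}

int main(void) {
    uint8_t out[32];
    size_t n = demo_minimize(out);
    printf("minimized to %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", out[i]);
    printf("\n");
    return 0;
}
```

On the constructed input the result is the 8-byte header alone: the only bytes a declared-length check needs. Matching on the signal (and, in a real harness, on the stack hash too) stops the minimizer from drifting onto a different bug that happens to live in the same input.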
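The CVSS v3.1 base score with sub-score breakdown, as an added worked example in plain C (not code from this project). It parses the standard vector string and applies the base-metric equations from the CVSS v3.1 specification (ISS, Impact, Exploitability, scope-dependent Roundup); temporal and environmental metrics are out of scope. Function and struct names are my own.

```c
#include <stdio.h>
#include <string.h>

typedef struct { char av, ac, pr, ui, s, c, i, a; } cvss31_vec_t;
typedef struct { double iss, impact, exploitability, base; } cvss31_scores_t;

/* Spec Roundup to one decimal, done in integer arithmetic to avoid float artefacts. */
static double cvss31_roundup(double d) {
    long v = (long)(d * 100000.0 + 0.5);
    if (v % 10000 == 0) return v / 100000.0;
    return (double)(v / 10000 + 1) / 10.0;
}

static double cia_weight(char m) { return m == 'H' ? 0.56 : m == 'L' ? 0.22 : 0.0; }

/* Parse "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H". Returns 0 on success, -1 on a bad or
 * incomplete vector (unknown metric, illegal value, missing base metric). */
int cvss31_parse(const char *vec, cvss31_vec_t *m) {
    memset(m, 0, sizeof *m);
    char *slot[8] = { &m->av, &m->ac, &m->pr, &m->ui, &m->s, &m->c, &m->i, &m->a };
    static const char *key[8]     = { "AV", "AC", "PR", "UI", "S", "C", "I", "A" };
    static const char *allowed[8] = { "NALP", "LH", "NLH", "NR", "UC", "HLN", "HLN", "HLN" };
    if (strncmp(vec, "CVSS:3.1/", 9) != 0) return -1;
    const char *p = vec + 9;
    while (*p) {
        size_t klen = strcspn(p, ":");
        if (p[klen] != ':' || p[klen + 1] == '\0') return -1;
        char val = p[klen + 1];
        int f;
        for (f = 0; f < 8; f++)
            if (strlen(key[f]) == klen && memcmp(p, key[f], klen) == 0) break;
        if (f == 8 || strchr(allowed[f], val) == NULL) return -1;
        *slot[f] = val;
        p += klen + 2;
        if (*p == '/') p++; else if (*p != '\0') return -1;
    }
    for (int f = 0; f < 8; f++) if (*slot[f] == '\0') return -1;   /* all eight base metrics required */
    return 0;
}

/* Base equations from the v3.1 spec; PR weights depend on scope, and scope-changed scores get 1.08x. */
cvss31_scores_t cvss31_score(const cvss31_vec_t *m) {
    cvss31_scores_t r = { 0, 0, 0, 0 };
    int changed = m->s == 'C';
    double av = m->av == 'N' ? 0.85 : m->av == 'A' ? 0.62 : m->av == 'L' ? 0.55 : 0.20;
    double ac = m->ac == 'L' ? 0.77 : 0.44;
    double pr = m->pr == 'N' ? 0.85 : m->pr == 'L' ? (changed ? 0.68 : 0.62) : (changed ? 0.50 : 0.27);
    double ui = m->ui == 'N' ? 0.85 : 0.62;
    r.iss = 1.0 - (1.0 - cia_weight(m->c)) * (1.0 - cia_weight(m->i)) * (1.0 - cia_weight(m->a));
    if (changed) {
        double t = r.iss - 0.02, t15 = 1.0;
        for (int k = 0; k < 15; k++) t15 *= t;                  /* (ISS - 0.02)^15 without libm */
        r.impact = 7.52 * (r.iss - 0.029) - 3.25 * t15;
    } else {
        r.impact = 6.42 * r.iss;
    }
    r.exploitability = 8.22 * av * ac * pr * ui;
    if (r.impact <= 0.0) { r.base = 0.0; return r; }
    double raw = changed ? 1.08 * (r.impact + r.exploitability) : r.impact + r.exploitability;
    r.base = cvss31_roundup(raw > 10.0 ? 10.0 : raw);
    return r;
}

/* Convenience: base score for a vector string, or -1.0 if it does not parse. */
double cvss31_base_from_vector(const char *vec) {
    cvss31_vec_t m;
    if (cvss31_parse(vec, &m) != 0) return -1.0;
    return cvss31_score(&m).base;
}

int main(void) {
    const char *vec = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H";   /* typical local kernel LPE */
    cvss31_vec_t m;
    if (cvss31_parse(vec, &m) != 0) { fprintf(stderr, "bad vector\n"); return 1; }
    cvss31_scores_t s = cvss31_score(&m);
    printf("%s\n  ISS=%.4f Impact=%.4f Exploitability=%.4f Base=%.1f\n",
           vec, s.iss, s.impact, s.exploitability, s.base);
    return 0;
}
```

Keeping the Roundup in integer arithmetic matters: the spec defines it that way precisely because a naive `ceil(x * 10) / 10` on binary floating point turns 7.7 into 7.8 for inputs that are mathematically exact tenths.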
| # | Category | Target Surface | CVEs |
|---|---|---|---|
| 1 | IOKit | Driver external methods, IOUserClient | 6 |
| 2 | Mach IPC | Ports, messages, vouchers | 4 |
| 3 | XPC | Service discovery, serialization | 4 |
| 4 | Syscall | ioctl, fcntl, file operations | 6 |
| 5 | Network | TCP/UDP/ICMP/IPv6/BPF/raw sockets | 5 |
| 6 | Filesystem | APFS/HFS+, symlinks, xattr, TOCTOU | 4 |
| 7 | Sandbox | SBPL, escape, entitlements | 5 |
| 8 | TCC | Database, tccd XPC, privacy APIs | 4 |
| 9 | dyld | Mach-O, shared cache, AMFI | 3 |
| 10 | KEXT | Enumeration, sysctl, info leaks | — |
| 11 | VM | vm_*, IOSurface, COW races | 4 |
| 12 | Side-Channel | Spectre v1/v2/BHB, KASLR, MDS, SLS | — |
| 13 | PrivEsc | SUID, Authorization, launchd, ES | — |
| 14 | Keychain | Items, ACL, certs, securityd | 3 |
| 15 | Media | AppleAVD, ImageIO (9 formats), audio | 3 |
| 16 | WindowServer | CGS, events, CoreGraphics, fonts | 2 |
| 17 | Bluetooth | HCI/L2CAP/RFCOMM protocols | 2 |
| 18 | USB/Thunderbolt | IOUSBFamily, Thunderbolt drivers | — |
| 19 | Process | fork/exec/threads/signals/audit | 2 |
| 20 | ANE/CoreML | Neural Engine, model parsing, BNNS | — |
| 21 | APFS | Snapshots, clones, FileVault, fsevents | 2 |
| 22 | GPU/Metal | AGX, Metal API, DCP, framebuffers | 2 |
| 23 | WebKit/JSC | JSC type confusion, JIT, regex, Proxy | 3 |
| 24 | System Extensions | DriverKit, EndpointSecurity, NetworkExtension | — |
| 25 | launchd | Launch constraints, plist parsing, LaunchServices | — |
| 26 | Code Signing | Mach-O sigs, AMFI, Gatekeeper, notarization | 3 |
| 27 | DriverKit Deep | IOUserClient methods, IOMemoryDescriptor, races | — |
| 28 | Apple Silicon | PAC oracle, MTE bypass, AMX, Metal compute, DCP | — |
245 unique CVE references across 76+ reproduction modules covering Lion (10.7) through Tahoe (26.x).
Notable modules include:
- BLASTPASS (CVE-2023-41064) — ImageIO heap overflow
- Triangulation (CVE-2023-32434, CVE-2023-38606) — kernel memory corruption
- voucher_swap (CVE-2019-6225) — Mach voucher exploitation
- WebKit type confusion (CVE-2023-41993, CVE-2024-23222)
- WebKit memory corruption (CVE-2023-42917)
- Achilles Gatekeeper bypass (CVE-2022-42821)
- AMFI logic flaw (CVE-2023-41078)
- Code signing bypass (CVE-2024-44243)
- macOS 15.3–15.5 / Tahoe kernel CVEs (2025 Q1–Q2)
- And 230+ more...
| macOS Version | Name | Kernel | Status |
|---|---|---|---|
| 10.7 | Lion | xnu-1699 | CVE modules |
| 10.8 | Mountain Lion | xnu-2050 | CVE modules |
| 10.9 | Mavericks | xnu-2422 | CVE modules |
| 10.10 | Yosemite | xnu-2782 | CVE modules |
| 10.11 | El Capitan | xnu-3248 | CVE modules |
| 10.12 | Sierra | xnu-3789 | CVE modules |
| 10.13 | High Sierra | xnu-4570 | CVE modules + build target |
| 10.14 | Mojave | xnu-4903 | CVE modules |
| 10.15 | Catalina | xnu-6153 | CVE modules |
| 11.x | Big Sur | xnu-7195 | CVE modules |
| 12.x | Monterey | xnu-8020 | CVE modules |
| 13.x | Ventura | xnu-8796 | CVE modules |
| 14.x | Sonoma | xnu-10063 | CVE modules |
| 15.x | Sequoia | xnu-11215 | CVE modules + active fuzzing |
| 26.x / 16.x | Tahoe | xnu-TBD | CVE modules + active fuzzing |
Deployment target: macOS 10.13+ (High Sierra)
Architecture: arm64 (Apple Silicon) + x86_64 (Intel)
- macOS 10.13 or later
- Xcode Command Line Tools (`xcode-select --install`)
```bash
# Debug build (with symbols, -O2)
make clean && make all

# Release build (optimized, -O3, stripped)
make release

# Install to /usr/local/bin
sudo make install
```

| Target | Binary | Flags |
|---|---|---|
| `make` / `make all` | `build/ordinal_fuzzer` | `-O2 -g` |
| `make release` | `build/ordinal_fuzzer_release` | `-O3 -DNDEBUG`, stripped |
| `make install` | `/usr/local/bin/ordinal_fuzzer` | copies debug build |
```bash
# Fuzz a specific target
./build/ordinal_fuzzer --target iokit --iterations 10000

# Fuzz all targets with timeout
./build/ordinal_fuzzer --target all --timeout 3600

# Fuzz with specific mutation strategy
./build/ordinal_fuzzer --target mach --strategy havoc --iterations 50000

# Enable kernel fuzzing (requires root)
sudo ./build/ordinal_fuzzer --target iokit --kernel --iterations 5000

# CVE reproduction mode
./build/ordinal_fuzzer --cve CVE-2023-41064
```

```bash
# Launch native macOS GUI
./build/ordinal_fuzzer --gui
```

```bash
# Run built-in self-tests
./build/ordinal_fuzzer --self-test

# Or via make
make test
```

```bash
# Generate all reports (full, executive, technical, JSON)
./build/ordinal_fuzzer --report

# Reports are saved to reports/ directory:
#   reports/full_report.md
#   reports/executive_summary.md
#   reports/technical_report.md
#   reports/findings.json
#   reports/crashes/<id>.md
#   reports/crashes/<id>.html
```

```bash
# Replay a single crash
./build/ordinal_fuzzer --replay crashes/SIGSEGV_2025-01-15_abc12345/

# Replay all crashes
./build/ordinal_fuzzer --replay-dir crashes/
```

Lines of Code: ~37,200 (Objective-C + ARM64 ASM + headers)
Source Files: 58 (.m + .s)
Header Files: 51
CVE References: 245 unique
CVE Modules: 76+
Fuzzing Targets: 28 categories
ARM64 ASM Files: 4
Vuln Modules: 37
Frameworks: Foundation, IOKit, Security, CoreFoundation,
ImageIO, CoreGraphics, CoreML, Accelerate, Metal,
JavaScriptCore, AppKit, AVFoundation, IOSurface
Libraries: sqlite3, bsm, z, compression
This tool is for authorized security research and testing only. Running kernel fuzzers may cause system instability, kernel panics, or data loss. Always run in a VM or on a dedicated test machine. The authors are not responsible for any damage caused by this tool.
Private research tool. All rights reserved.