Tool: XNU Image Fuzzer (XIF)
Classification: Format-aware mutational fuzzing engine
Target Surface: macOS CoreGraphics stack, IOKit image decoders, kernel rasterization paths
Most importanly, no experience required. follow the instructions and open an Issue if you have questions or get stuck.
XIF builds from this Source using Xcode Cloud.
XIF is a precision image payload generator designed to exercise low-level image parsing, decoding, and rendering paths in macOS environments — particularly where these operations interface with kernel-mode execution, such as:
CoreGraphicsaccelerated raster pipelinesQuartzCoreimage compositing stacksIOKitpixel buffer subsystems- Custom or legacy image decode routines in userland-to-kernel transition zones
Unlike general-purpose fuzzers, XIF emphasizes structure-valid, logic-malformed input — images that pass superficial checks but destabilize deeper logic.
| Capability | Description |
|---|---|
| Endian-aware fuzzing | Crafts Big/Little Endian payloads to detect byte-order decoding flaws |
| Channel depth targeting | Supports 8-bit, 16-bit, and 32-bit float pixel formats |
| Alpha/Blend logic attack vectors | Premultiplied vs. non-premultiplied alpha, layer blending fuzz paths |
| Color inversion & entropy control | Inverts RGB channels, applies high-entropy regions for overflow testing |
| Semantic compliance | Ensures images are syntactically parseable but semantically malformed |
- Exercise image decode paths that cross the user-kernel boundary
- Surface memory corruption in IOKit drivers (
IOGraphicsFamily,IOSurface, etc.) - Bypass sandbox checks via image-based decoding primitives
- Fuzz
CGImageCreate,CIImage, or Quartz rendering entrypoints - Detect unsafe assumptions in pixel format conversion
- Exploit vectorization/SIMD logic in alpha blending or HDR processing
- Test custom decoding libraries for failure modes in:
- Premultiplied alpha assumptions
- Byte-swapped channel mappings
- Color space overflows (e.g., HDR10 or 16-bit channel misreads)
- Integrate XIF with coverage-guided engines like AFL++, libFuzzer:
- Use XIF for corpus seeding
- Pipe outputs into instrumented harnesses (
ImageIO,Preview.app, etc.)
| Target Stack | Harness Strategy | Monitor Tools |
|---|---|---|
CoreGraphics |
CI pipeline runner w/ fuzzed PNG input | LLDB, Instruments |
IOKit (GFX) |
Raw IOSurface or IOAccelerator input |
DTrace, kernel logs |
Userland Decoders |
Inject into ImageIO or QuickLook |
ASAN, XNU watchdog |
Remote Services |
Image-based payload over AirDrop/web | Monitor for panic/corruption |
- Not coverage-aware by default: best used in conjunction with sanitizer-wrapped harnesses
- High crash signal: monitor for subtle visual artifacts, system instability, kernel logs
- Avoid abstraction: operate on raw byte buffers; ensure transparency of pixel layout
XIF is a sharp instrument, not a blunt tool — best suited for surgical fuzzing of image decoders where precision input yields maximal fault exposure.
Leverage it when:
- You need kernel-level bugs via image processing.
- You're fuzzing GPU-assisted logic or sandbox-proximate services.
- You want rapid surfacing of decoder logic faults without brute force.
Output = signal-rich, structure-valid, exploit-oriented image inputs.
Last Updated: TUESDAY 25 MARCH 2025 1000 EDT by David Hoyt
The XNU Image Fuzzer (XIF) Project will integrate IccMAX for Image and Icc Profile Fuzzing.
XIF is being Ported to C++ for Cross Platform & Cross Toolchain Fuzzing.
ETA Wen: End of Q2/2025.
🔁 Last Updated: 24-MAR-2025 by David Hoyt
📍 PR Link: PR119 on GitHub
🧪 CI Status:
The XNU Image Fuzzer Source Code contains a proof of concept implementation of an image fuzzer designed for XNU environments. It aims to demonstrate basic fuzzing techniques on image data to uncover potential vulnerabilities in image processing routines. The Objective-C Code implements 12 CGCreateBitmap & CGColorSpace Functions working with Raw Data and String Injection that are User Controllable Inputs.
- PermaLink https://srd.cx/xnu-image-fuzzer/
| Build OS & Device Info | Build | Install |
|---|---|---|
| macOS 14.5 X86_64 | ✅ | ✅ |
| macOS 14.5 arm | ✅ | ✅ |
| iPadOS 17.5 | ✅ | ✅ |
| iPhoneOS 17.5 | ✅ | ✅ |
| VisionPro 1.2 | ✅ | ✅ |
- Open an Issue
URL https://xss.cx/public/docs/xnuimagefuzzer/
- I am David Hoyt
- Open as Xcode Project or Clone
- Update the Team ID
- Click Run
- Share a File
- Open the Files App on the Device
- Tap Share to Transfer the new Fuzzed Images to your Desktop
- Select All Files to AirDrop to your Desktop
- Tap Share to Transfer the new Fuzzed Images to your Desktop
- Screen Grab on iPhone 14 Pro MAX
- Open Terminal
- Delete the Build Directories from the Project Folder
xnuimagefuzzer % rm -rf CMakeCache.txt CMakeFiles CMakeScripts cmake_install.cmake build
xnuimagefuzzer % mkdir xcode_build
xnuimagefuzzer % cd xcode_build
xnuimagefuzzer/xcode_build % cmake -G Xcode ../XNU\ Image\ Fuzzer/CMakeLists.txt
-- The C compiler identification is AppleClang 15.0.0.15000309
-- The OBJC compiler identification is AppleClang 15.0.0.15000309
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting OBJC compiler ABI info
-- Detecting OBJC compiler ABI info - done
-- Check for working OBJC compiler: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang - skipped
-- Configuring done (8.8s)
-- Generating done (0.0s)
-- Build files have been written to: /Users/xss/Developer/xnuimagefuzzer/xcode_build
xcode_build % open xnuimagefuzzer.xcodeproj/
Embedding fault mechanisms into a generic image and further processing it through fuzzing enhances the effectiveness of testing by uncovering edge cases and potential vulnerabilities in image processing software.
- Insight: Fuzzed images introduce a wide range of potential edge cases.
- Analysis: Helps uncover rare bugs and vulnerabilities that might only occur with specific, unanticipated inputs.
- Insight: Stress-tests the robustness of image processing algorithms.
- Analysis: Ensures the software can handle diverse and unexpected inputs without crashing or producing incorrect results.
- Insight: Targets specific vulnerabilities through fault injections.
- Analysis: Exposes security weaknesses, such as buffer overflows, by providing inputs that cause unexpected behavior.
- Insight: Tests the software's ability to handle different image formats and types.
- Analysis: Reduces the risk of compatibility issues by providing comprehensive testing coverage.
- Insight: Integrates with automated fuzzing frameworks like Jackalope.
- Analysis: Enables continuous and scalable testing, improving software robustness over time.
- Prepare the Image:
- Start with a generic image.
- Apply initial fuzzing to introduce random mutations.
- Embed specific fault mechanisms to target vulnerabilities.
- Submit to Fuzzing Harness:
- Load the processed image into a fuzzing framework like Jackalope.
- Configure the tool to use the image as a seed for further automated fuzzing.
- Monitor and Analyze:
- Monitor for crashes, hangs, and other signs of vulnerabilities.
- Collect and analyze the results to identify and understand the bugs found.
- https://github.com/xsscx/xnuimagetools
- Create random images for fuzzing
See URL https://github.com/xsscx/macos-research/tree/main/code/iOSOnMac