CCS2024

CrossFire: Fuzzing macOS Cross-XPU Memory on Apple Silicon

Jiaxun Zhu, Minghao Lin, Tingting Yin, Zechao Cai, Yu Wang, Rui Chang, Wenbo Shen


Abstract

Modern computing systems increasingly utilize XPUs, such as GPUs and NPUs, for specialized computation tasks. While these XPUs provide critical functionalities, their security protections are generally weaker than those of CPUs, making them attractive attack targets. In particular, Apple silicon optimizes memory usage by adopting a unified memory architecture (UMA), which employs shared memory regions (termed cross-XPU memory) to facilitate communication between CPUs and XPUs. Although the cross-XPU memory enhances performance, it also introduces a new attack surface. Unfortunately, the difficulty in identifying effective shared memory regions and generating valid payloads makes fuzzing cross-XPU memory a challenging problem that cannot be resolved effectively by existing fuzzing techniques. Therefore, we propose CrossFire, the first fuzzer targeting Apple silicon XPUs by fuzzing cross-XPU memory, to evaluate this new attack surface. Initially, we conduct an in-depth cross-XPU memory analysis to investigate the challenges of fuzzing XPUs. To address these challenges, CrossFire introduces two novel techniques to pinpoint effective fuzzing regions in cross-XPU memory and trace kernel execution information to extract data constraints. Leveraging these techniques, we develop CrossFire based on the m1n1 hypervisor to monitor cross-XPU memory accesses and perform grey-box hooking-based fuzzing. We further evaluate CrossFire on macOS Ventura, where it has identified 15 new zero-day bugs, 8 of which have been confirmed by Apple.