Magenta is a new kernel developed by Google as part of the mysterious Fuchsia operating system. Development is open source and public, with a rapidly evolving codebase, but no product announcement has been made at the time of writing. We will investigate the microkernel design of Magenta along with its capability-based security model. Apart from well-known hardening features such as ASLR and guard pages, the operating system supports LLVM's SafeStack instrumentation and other modern tricks, which will be covered as well. We could not resist drawing some comparisons with Linux either.
Attracted by the high code quality and the promise of some kernel-mode hacking fun, we set out to fuzz the subsystems of Magenta and to port testing tools to it, such as the KASAN memory error detector and syzkaller (an advanced coverage-guided system call fuzzer), both of which have proven successful in finding vulnerabilities. Fuchsia-related commits began to surface in the upstream syzkaller implementation while we were working on our clone, so we will review the relevant concepts of efficient sancov-based fuzzing loops and potential alternatives for syscall testing without losing much generality.
Finally, we will present our port of the address sanitizer, which we call MXKASAN, in detail. In particular, the virtual memory management system will be dissected to show how the sanitizer runtime can be fitted into the kernel without breaking too many things. Some of the trickier hacks will be showcased, along with a demonstration of the tool in action.