Build the XNU kernel
Apple provides a pre-built XNU kernel with sanitizers in Kernel Debug Kits1. However, these builds enable sanitizers only and do not provide KCOV instrumentation. Fuzzing without KCOV is *technically* possible, but performance is severely limited. To address this, XNU must be rebuilt with KCOV enabled.
⚠️ In order to build a kernel, three versions should match: macOS version == xnu source code version == KDK version. Apple may not release the corresponding XNU source or KDK for the latest macOS release. In that case, the build will fail. At the time of writing, the latest macOS version is 26.3, but the matching XNU source and KDK are not yet available. Therefore, building XNU for the latest macOS is currently not feasible.
In this demo, the target environment is macOS 15.3 (24D60), Darwin kernel 24.3.0, and xnu-11215.81.4~3.
Run OSX-KVM
First, follow https://github.com/kholia/OSX-KVM to provision a macOS VM. After installation completes (this can take a few hours), shut down the VM and update boot arguments.
- Mount the qcow2 backend.
sudo modprobe nbd max_part=8- Mount the qcow2 image.
sudo qemu-nbd -c /dev/nbd0 OpenCore/OpenCore.qcow2
udisksctl mount -b /dev/nbd0p1- Modify config.plist.
Open /media/<username>/EFI/EFI/OC/config.plist. Set boot-args to keepsyms=1 slide=255 serial=0x05 debug=0x0a -v. Set csr-active-config to 7w8AAA==.
udisksctl unmount -b /dev/nbd0p1
sudo qemu-nbd --disconnect /dev/nbd0- Disable authenticated root in Recovery Mode.
csrutil authenticated-root disableBuild an XNU kernel
Inside the VM:
- Enable SSH (via GUI), then install Xcode and KDK1 (KDK_15.3_24D60.kdk).
- Clone https://github.com/blacktop/darwin-xnu-build
- Modify
build.sh. AppendKSANCOV=1to allmakecommands. - Build the kernel
MACOS_VERSION='15.3' KERNEL_CONFIG=KASAN ARCH_CONFIG=X86_64 MACHINE_CONFIG=NONE ./build.sh --kcThe first build fails due to missing clang 16 compatibility. Add UNUSED_ABI(__asan_version_mismatch_check_apple_clang_1600, void); to xnu/san/memory/kasan-helper.c. Then rebuild with the same command.
The output artifact is build/xnu.obj/KASAN_X86_64/kernel.kasan. Verify that KCOV instrumentation is present:
objdump -d build/xnu.obj/KASAN_X86_64/kernel.kasan |grep ___sanitizer_cov_trace_pc_guard |head
ffffff8000202849: e8 32 aa df 01 callq 0xffffff8001ffd280 <___sanitizer_cov_trace_pc_guard>
ffffff8000202a15: e8 66 a8 df 01 callq 0xffffff8001ffd280 <___sanitizer_cov_trace_pc_guard>
[snip]If ___sanitizer_cov_trace_pc_guard() is not present, KCOV instrumentation failed. Confirm that KSANCOV=1 is correctly applied.
Install the XNU kernel
I referred to this blogpost: https://kernelshaman.blogspot.com/2021/02/building-xnu-for-macos-112-intel-apple.html
Mount the boot disk.
cd ~
mkdir mnt
sudo mount -o nobrowse -t apfs /dev/disk3s4 ./mntCopy the KDK
sudo ditto /Library/Developer/KDKs/KDK_15.3_24D60.kdk/System ./mnt/SystemIf this step fails, verify that csr-active-config is set to 7w8AAA==.
Install the kernel.
sudo cp darwin-xnu-build/build/xnu.obj/KASAN_X86_64/kernel.kasan ./mnt/System/Library/Kernels/kernel.kasan
sudo cp -a darwin-xnu-build/build/xnu.obj/KASAN_X86_64/kernel.kasan.dSYM ./mnt/System/Library/Kernels/
sudo kmutil install --volume-root ./mnt --update-all
sudo bless --folder mnt/System/Library/CoreServices --bootefi --create-snapshotShut down the machine and update boot-args to: keepsyms=1 slide=254 serial=0x05 debug=0x0a -v kcsuffix=kasan.
Reboot and verify the kernel version.
a@as-iMac ~ % sysctl kern.version
kern.version: Darwin Kernel Version 24.3.0: Sun Mar 22 00:20:30 EDT 2026; a:xnu.obj/KASAN_X86_64Confirm if KCOV is working
Apple provides a KCOV demo tool.
cd darwin-xnu-build/xnu/san/tools
clang ksancov.c
./a.out --trace
opened ksancov on fd 3
nedges (edgemap) = 295387
mapped to 0x10dcce000 + 524304
maxpcs = 65536
ppid = 469
head = 150
0xffffff80004e9b08
0xffffff80005dc4a4
0xffffff8000969c49
0xffffff80009fad0f
0xffffff80009fad2f
0xffffff8000969c8b
[snip]The kernel is now ready for fuzzing.