How Kemon Reinvents macOS Kernel Monitoring and Bypasses Built‑in Limitations
This article examines the shortcomings of macOS's native kernel monitoring subsystems, details the design and implementation of the open‑source Kemon framework with inline hooks and pre/post callbacks, and showcases its practical applications and vulnerability discoveries presented at major security conferences.
Background
In 2022 the author submitted two papers to Black Hat USA Arsenal and DEF CON 26: “Kemon: An Open‑Source Pre and Post Callback‑Based Framework for macOS Kernel Monitoring” and “Attacking the macOS Kernel Graphics Driver”. Both rely on the Kemon framework developed the previous year.
Limitations of macOS Kernel Monitoring Subsystems
macOS provides two built‑in monitoring subsystems: the Kernel Authorization subsystem (KAUTH) and the Mandatory Access Control (MAC) Policy subsystem.
Problems with the KAUTH Subsystem
The Kernel Authorization subsystem (KAUTH) was introduced in OS X 10.4 (2005) and has not been maintained since its introduction.
Only seven built‑in events are available in the KAUTH_SCOPE_FILEOP scope, which is insufficient for real‑world monitoring.
Events are notification‑only: a listener is informed of the operation but cannot block it, which rules out enforcement.
Event parameters omit critical context, such as the process command line for exec events, or whether an open call created a new file or opened an existing one.
KAUTH_SCOPE_VNODE callbacks are subject to caching, so some operations never reach the listener at all.
Problems with the MAC Policy Subsystem
The Mandatory Access Control (MAC) Policy subsystem was added in OS X 10.5 (2007) but Apple prohibited third‑party calls in January 2008, making it a private interface. Using it risks legal issues and breakage when Apple changes or removes the APIs.
Typical Compatibility Issues When Using Private macOS Interfaces
Interfaces are deleted or replaced outright.
Interface parameters are arbitrarily modified or extended.
New entries are inserted into dispatch tables, breaking existing callers.
Interfaces are changed without updating the policy version, creating ambiguity.
Any of these changes can crash a third‑party driver or panic the kernel.
Kemon Framework Design
Kemon is an open‑source macOS kernel monitoring framework that replaces the built‑in subsystems with an inline‑hook engine. Because macOS lacks a PatchGuard‑like self‑protection mechanism, Kemon can use the diStorm3 disassembler to decode function prologues and patch them at runtime. The engine provides pre‑callback and post‑callback hooks for any kernel function, enabling third‑party code to:
Inspect and modify input parameters before the original function executes.
Inspect and modify return values after execution.
Using these hooks Kemon implements:
A driver firewall that can block or allow driver operations.
A MAC policy monitor that logs usage of private MAC interfaces by system components such as AMFI and Seatbelt.
A kernel fuzzer that generates random inputs to kernel APIs for vulnerability discovery.
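The following is an added example, not Kemon's own code: it simulates the pre/post callback dispatch model in user space, with a pre‑callback acting as the driver firewall (veto or rewrite the input arguments) and a post‑callback auditing and rewriting the return value. The wrapped routine, its argument structure, FLAG_WRITE and the path prefixes are constructed for illustration and are not kernel definitions.

```c
#include <stdbool.h>
#include <string.h>

#define FLAG_WRITE 1   /* constructed flag value, not a real kernel constant */

/* Arguments of the wrapped routine, passed by pointer so a pre-callback
 * can rewrite them before the original runs (the pre-hook model above). */
typedef struct { const char *path; int flags; } open_args_t;

typedef bool (*pre_cb_t)(open_args_t *args);                 /* false = block */
typedef int  (*post_cb_t)(const open_args_t *args, int ret); /* may rewrite ret */

static pre_cb_t  g_pre;
static post_cb_t g_post;
static int g_blocked, g_observed;   /* counters a monitor would export */

/* Stand-in for the original kernel routine: it just echoes its flags. */
static int original_open(const open_args_t *a) { return a->flags; }

/* What the inline-hook trampoline would jump to: pre, original, post. */
static int hooked_open(open_args_t *a) {
    if (g_pre && !g_pre(a)) { g_blocked++; return -1; }   /* firewall veto */
    int ret = original_open(a);
    if (g_post) ret = g_post(a, ret);
    return ret;
}

static void install_hook(pre_cb_t pre, post_cb_t post) { g_pre = pre; g_post = post; }

/* Driver-firewall policy: deny writes under /protected/ and downgrade writes
 * under /readonly/ to read-only by clearing the flag in the input args. */
static bool firewall_pre(open_args_t *a) {
    if (a->flags & FLAG_WRITE) {
        if (strncmp(a->path, "/protected/", 11) == 0) return false;
        if (strncmp(a->path, "/readonly/", 10) == 0) a->flags &= ~FLAG_WRITE;
    }
    return true;
}

/* Post-callback: count completed calls and strip a constructed "internal"
 * bit (value 8) from the return value before the caller sees it. */
static int audit_post(const open_args_t *a, int ret) {
    (void)a;
    g_observed++;
    return ret & ~8;
}
```

A real engine would redirect the hooked function's prologue to hooked_open; here the call is made directly so the policy logic can be exercised without any kernel patching.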
Conference Demonstrations
At Black Hat USA Arsenal the author demonstrated the Kemon driver firewall. At DEF CON 26 the MAC policy monitor was shown, revealing extensive use of private MAC interfaces by Apple’s AMFI and Seatbelt sandbox modules. A kernel fuzzer built on Kemon discovered multiple macOS graphics driver vulnerabilities (e.g., CVE‑2017‑7155, CVE‑2017‑7163, CVE‑2017‑13883), which were acknowledged by Apple.
Zero‑Day Disclosure
During DEF CON 26 the author disclosed a macOS kernel zero‑day vulnerability that had not yet been patched. The issue was reported to Apple’s security team prior to the conference.
Source Code
The full Kemon source code is available at:
https://github.com/didi/kemon