In-Depth Analysis of Apple UserFS Architecture, Control Flow, and Vulnerabilities
This article provides a comprehensive examination of Apple's UserFS, detailing its architecture and its mounting and file-access control flows, exposing three real vulnerabilities (CVE-2022-42861, CVE-2022-42842, and a kernel UAF), and discussing how UserFS reshapes the iOS file-system security model.
The piece begins by noting the recent Black Hat USA 2023 conference where Ant Group’s security lab presented research on Apple UserFS, followed by an outline of the article’s structure.
Apple UserFS Architecture – Starting with iOS 11's "Files" app, the article explains that external storage devices are accessed via a user-space file system called UserFS. UserFS consists of multiple components (service processes, XPC services, plugins, frameworks, and a kernel extension) that run primarily in user space.
Mounting Flow (2.1) – When a USB storage device is attached, the system emits a usb.device.attached event. launchd forwards this to the userfsd daemon, which registers IOKit notifications, obtains the block-device path, and calls the Objective-C method LiveMountAddDisk:reply:. This method delegates the actual mount to the UVFSService XPC service, which later hands off to livefileproviderd. The latter invokes the standard /sbin/mount (lifs) command to complete the mount, after which the USB contents appear under /var/mobile/Library/LiveFiles/com.apple.filesystems.userfsd.
File-Access Flow (2.2) – A typical C call such as int fd = open("/USB-hello/abc.txt", O_RDONLY); is intercepted by the lifs.kext driver. The driver creates a Mach message (ID 0x2A5) and sends it to the lifs_port registered by livefileproviderd. The message is processed by a MIG server, which forwards the request to the XPC service UVFSService. The service ultimately calls the appropriate plugin (e.g., exfat) to perform the actual file operation, and the result is returned to the kernel via IOConnectCallStructMethod.
Vulnerabilities
CVE-2022-42861 – An out-of-bounds write in the kernel's handling of extended attributes (xattr) is mirrored in UserFS's LiveFS-[LiveFSAppleDoubleloadAttrHeader] method, allowing arbitrary read/write.
CVE-2022-42842 – Another xattr bug, caused by missing offset checks in LiveFS-[LiveFSAppleDoubleloadADHeader] and also present in UserFS, can be leveraged for kernel privilege escalation.
Kernel UAF (redacted) – A use-after-free in the lifs.kext module remains unpatched, though exploitation is limited by iOS sandboxing.
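The check the two xattr bugs above are described as lacking, shown as an added example in C that is not UserFS's or Apple's code: a bounds-checked walk of an AppleDouble header (the public on-disk format behind the AppleDouble loaders named above) that rejects any entry whose offset or length reaches past the bytes actually read. The function names and the sample header are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not UserFS code. AppleDouble header (public format, all
 * big-endian): u32 magic 0x00051607, u32 version 0x00020000, 16 filler
 * bytes, u16 entry count, then {u32 id, u32 offset, u32 length} per entry.
 * Every offset/length pair must be checked against the bytes actually read. */
#define AD_MAGIC   0x00051607u
#define AD_VERSION 0x00020000u
#define AD_HDR_LEN 26u   /* magic + version + filler + entry count */
#define AD_ENT_LEN 12u

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Hypothetical name. Returns the entry count when every entry lies inside
 * buf[0..len), or -1 when the fixed header, the entry table, or any entry
 * would reach past the buffer (the offset check the article says is missing). */
int ad_validate(const uint8_t *buf, size_t len) {
    if (len < AD_HDR_LEN) return -1;
    if (rd32(buf) != AD_MAGIC || rd32(buf + 4) != AD_VERSION) return -1;
    uint16_t n = (uint16_t)((buf[24] << 8) | buf[25]);
    if ((size_t)n * AD_ENT_LEN > len - AD_HDR_LEN) return -1;  /* table fits */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + AD_HDR_LEN + (size_t)i * AD_ENT_LEN;
        uint32_t off = rd32(e + 4), ln = rd32(e + 8);
        /* 64-bit sum: off + ln in u32 could wrap back inside the buffer */
        if ((uint64_t)off + ln > len) return -1;
    }
    return n;
}

/* Constructed sample: one Finder Info entry (id 9) at off/ln followed by
 * `payload` zero bytes; returns ad_validate()'s verdict on it. */
int ad_check(uint32_t off, uint32_t ln, size_t payload) {
    uint8_t buf[256];
    if (AD_HDR_LEN + AD_ENT_LEN + payload > sizeof buf) return -2;
    memset(buf, 0, sizeof buf);
    wr32(buf, AD_MAGIC); wr32(buf + 4, AD_VERSION);
    buf[24] = 0; buf[25] = 1;                        /* one entry */
    wr32(buf + 26, 9); wr32(buf + 30, off); wr32(buf + 34, ln);
    return ad_validate(buf, AD_HDR_LEN + AD_ENT_LEN + payload);
}
```

The wrap-around case (an offset near 0xFFFFFFFF with a small length) is why the sum is done in 64 bits: a 32-bit addition would land back inside the buffer and pass a naive check.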
Security Model Changes – With UserFS, file-system syscalls are no longer handled directly by kernel drivers but are forwarded to a regular user-space service process. This moves the attack surface from kernel privilege to user-level privilege, reducing the impact of exploits. However, the service can still act as a bridge into kernel code, so a compromised UserFS process could still trigger kernel-level bugs.
Conclusion – UserFS introduces a valuable mitigation by sandboxing file-system handling, but it also adds a new attack vector. The article argues that Apple's approach represents a successful security improvement while acknowledging the continued relevance of traditional kernel-based file-system attacks.