LLDBagility: practical macOS kernel debugging

The effectiveness of debugging software issues depends largely on the capabilities of the tools available to aid in such task. To debug the macOS kernel there is at present no real alternative other than the basic debugger integrated in the kernel itself, intended to be used remotely from another machine through a full-fledged debugger like LLDB. Due to design constraints and implementative choices, this approach has however several drawbacks, such as the necessity of modifying the system configuration, or the impossibility to set hardware breakpoints or to pause the execution of kernel from the debugger. The aim of this work was improving the overall debugging experience for the macOS kernel. To this end we developed LLDBagility, a tool to enable kernel debugging via virtual machine introspection. LLDBagility connects LLDB to any unmodified macOS virtual machine running on a patched version of the VirtualBox hypervisor, allowing the debugger to fully control the machine without the system being aware of the process. This solution have made possible to overcome all limitations of the classic kernel debugging approach, and also to implement new useful features like the ability to save and eventually restore the state of the machine directly from the debugger.