
KASAN is a kernel address sanitizer. Is your claim that the other OSes, as tested, do not do address sanitization?


I think their claim is that the researchers can run a Linux install with KASAN and see the results, but they are unable to use an equivalent of that on MacOSX or Windows, as Apple and Microsoft do not allow an end-user to perform that kind of instrumentation on their own device.


You and the person I replied to above are essentially correct:

>Fuzzing drivers on [FreeBSD, MacOS, and Windows] is more challenging than the Linux kernel due to the lack of support infrastructure. These OSes support neither KASAN, other sanitizers, nor coverage-based collection of executions. The lack of a memory-based sanitizer means our fuzzer only discovers bugs that trigger exceptions, and misses all bugs that silently corrupt memory. Because we cannot collect coverage information, our fuzzer cannot detect seeds that trigger new inputs.

(https://nebelwelt.net/files/20SEC3.pdf)

The researchers employed a partial workaround for the problem, but it is pretty obvious to me that the partial workaround does not level the playing field:

>To alleviate the second concern, the lack of coverage-guided optimization, we experiment with cross-pollination. To seed our dumb fuzzer, we reuse the inputs generated during our Linux kernel fuzzing campaign.


They are only partially correct about FreeBSD. In FreeBSD 12 there is no coverage sanitizer as it was added to 13 and never merged to 12.

Support for KASAN and the other sanitizers is in development; however, I'm currently too busy working on other things to have time to finish it.


XNU has definitely supported KASAN on macOS for quite some years. (However, KASAN kernels aren't shipped by default; you can build from source, though.)

However, no idea if the Kernel Debug Kit ships with a prebuilt KASAN kernel and drivers.


I see a kernel.kasan inside the latest KDK. Doubt this extends to drivers, as all I can find for those are debug symbols.



