Explore an advanced approach to optimizing IOKit fuzzing in iOS through a Black Hat conference talk. Delve into techniques for dynamically resolving symbols and parameter information using a kernel patch, overcoming the challenges posed by symbol hiding since iOS 7. Learn how to build an efficient fuzzing framework that generates inputs capable of passing basic parameter checks in IOKit interfaces. Discover methods for extracting valuable information from IOKit, including standard parameters and supplementary data. Examine the talk's coverage of vtable characteristics, metaclass layout, and KEXT functionality. Gain insights into client name retrieval, IOExternal Method Dispatch extraction, and complemental mechanisms. Study the architecture of a carrier fuzzing application and its key elements. Conclude with a real-world vulnerability case study, demonstrating the effectiveness of this optimized fuzzing approach for uncovering IOKit vulnerabilities in iOS.
Overview
Syllabus
Intro
Previous Research
Motivation Of Basic Information Extraction
Vtable Characteristic
MetaClass Layout
Functionality Provided by KEXT
Overwritten virtual methods symbolization
Example
Detail Steps
Retrieve Client Name
Extracting IOExternal Method Dispatch
Complemental Mechanism
Carrier
Fuzzing Application's Architecture
Fuzzing Elements
Unavailable interfaces Identification
Setup
Vulnerability Case #1
Taught by
Black Hat
