Fuzzing is the most common way of discovering vulnerabilities, and IOKit is an ideal fuzzing target among kernel extensions. IOKit interfaces use specific structures, such as IOExternalMethod and IOExternalMethodDispatch, to check their input parameters in various ways. Purely random inputs can hardly pass this parameter checking, so most of the fuzzing data never reaches the kernel IOUserClient subclass at all; such blind fuzzing is therefore inefficient. One way to improve it is to use the static information exported by the sMethod symbols, which can be dumped with a static analysis tool such as IDA. However, this information has not been available since iOS 7 because the symbols are hidden.
In this presentation, we introduce an approach that resolves the symbols and parameter information dynamically, based on a kernel patch that allows reading and writing kernel memory. With this approach we can extract a great deal of useful information, including not only the standard parameters of IOKit interfaces but also other supplementary data. We have also built a fuzzing framework that uses the resolved information to generate random inputs that pass the basic parameter checking of the IOKit interfaces, so the fuzzing can be done efficiently. Finally, we present the IOKit interface information exported by our approach, and several typical vulnerabilities found by our fuzzing framework.
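As an added illustration of the parameter checking discussed above (example code, not the authors' framework or any XNU source), the following C model reproduces the count/size comparisons that IOUserClient::externalMethod applies against an IOExternalMethodDispatch entry and measures how often blind versus dispatch-aware random inputs get past them. The constants follow XNU's public IOKit headers; the value ranges drawn by rand() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constants as defined in XNU's IOUserClient.h and IOReturn.h. */
#define kIOUCVariableStructureSize 0xffffffffu
#define kIOReturnSuccess           0
#define kIOReturnBadArgument       0xe00002c2

/* The four count/size fields shared by IOExternalMethodDispatch (its
 * check* members) and IOExternalMethodArguments (what the caller sends). */
typedef struct {
    uint32_t scalarInputCount, structureInputSize;
    uint32_t scalarOutputCount, structureOutputSize;
} Shape;

/* Model of the comparisons IOUserClient::externalMethod performs before it
 * calls the handler; kIOUCVariableStructureSize in the dispatch entry
 * disables that one check, so the handler must validate that field itself. */
int check_dispatch(const Shape *check, const Shape *args) {
    const uint32_t *c = (const uint32_t *)check, *a = (const uint32_t *)args;
    for (int i = 0; i < 4; i++)
        if (c[i] != kIOUCVariableStructureSize && c[i] != a[i])
            return kIOReturnBadArgument;
    return kIOReturnSuccess;
}

/* Fraction of n random argument shapes that reach the handler. With
 * shape_aware set, fixed counts are copied from the dispatch entry (what a
 * resolved sMethod table gives a fuzzer) and only variable fields stay
 * random; without it, every field is drawn blindly (constructed ranges). */
double pass_rate(const Shape *check, int n, bool shape_aware, unsigned seed) {
    const uint32_t *c = (const uint32_t *)check;
    int passed = 0;
    srand(seed);
    for (int i = 0; i < n; i++) {
        Shape args = { rand() % 16, rand() % 4096, rand() % 16, rand() % 4096 };
        uint32_t *a = (uint32_t *)&args;
        if (shape_aware)
            for (int f = 0; f < 4; f++)
                if (c[f] != kIOUCVariableStructureSize) a[f] = c[f];
        if (check_dispatch(check, &args) == kIOReturnSuccess) passed++;
    }
    return (double)passed / n;
}
```

Running pass_rate with and without shape_aware on the same dispatch entry shows the gap the abstract describes: blind inputs almost never pass when all four fields are fixed, while inputs built from the resolved entry always reach the handler and can concentrate their randomness on the variable-size fields.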