Optimized Fuzzing IOKit in iOS

Black Hat USA 2015

Presented by: Lei Long, Aimin Pan, Peng Xiao
Date: Wednesday August 05, 2015
Time: 16:20 - 17:10
Location: Mandalay Bay BCD

Fuzzing is the most common way of discovering vulnerabilities, and IOKit drivers are an ideal fuzzing target among the kernel extensions. The IOKit user-client interfaces use specific structures, such as IOExternalMethod and IOExternalMethodDispatch, to check the input parameters (scalar counts and structure sizes) in various ways. Purely random inputs can hardly pass this parameter checking, so most of the fuzzing data never reaches the kernel IOUserClient subclass at all; such blind fuzzing is therefore inefficient. One way to improve it is to use the static information exported by the sMethods symbols, which can be dumped with a static analysis tool such as IDA. However, this information has not been available since iOS 7, because those symbols are now hidden.

In this presentation, we introduce an approach that resolves the symbols and parameter information dynamically, based on a kernel patch that allows reading and writing kernel memory. With this approach we can extract a great deal of useful information, including not only the standard parameters of the IOKit interfaces but also other supplementary data. We have also built a fuzzing framework that uses the resolved information to generate random inputs which pass the basic parameter checking of the IOKit interfaces, so that fuzzing can be done efficiently. Finally, we present the IOKit interface information exported by our approach, and several typical vulnerabilities found by our fuzzing framework.
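The following is an added example, not code from the talk or from the authors' framework. It models, on the host, the parameter check that IOUserClient::externalMethod performs against an IOExternalMethodDispatch entry before a selector's handler runs, and compares a blind generator with one that shapes its inputs from a resolved dispatch table. The dispatch table, the three selectors and the buffer sizes are constructed for a hypothetical user client; the check fields, kIOUCVariableStructureSize and kIOReturnBadArgument follow the real IOKit definitions.

```c
/* Added example (not from the talk): host-side model of the IOExternalMethodDispatch
 * parameter check in IOUserClient::externalMethod, plus a generator that shapes
 * random inputs so they pass it. The sMethods table is constructed for a
 * hypothetical user client, not taken from any real driver. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define kIOUCVariableStructureSize 0xffffffffU   /* real IOKit constant: "any size" */
#define kIOReturnSuccess           0
#define kIOReturnBadArgument       0xe00002c2U   /* real IOKit value */

/* The check fields of IOExternalMethodDispatch (function pointer omitted here). */
typedef struct {
    uint32_t checkScalarInputCount;
    uint32_t checkStructureInputSize;
    uint32_t checkScalarOutputCount;
    uint32_t checkStructureOutputSize;
} DispatchEntry;

/* Constructed table for a hypothetical user client with three selectors. */
static const DispatchEntry sMethods[] = {
    { 2, 0,                          1, 0 },   /* selector 0: two scalars in, one scalar out */
    { 0, 16,                         0, 8 },   /* selector 1: 16-byte struct in, 8-byte struct out */
    { 1, kIOUCVariableStructureSize, 0, 0 },   /* selector 2: one scalar in, variable struct in */
};
#define NUM_SELECTORS (sizeof(sMethods) / sizeof(sMethods[0]))
#define MAX_SCALARS   16
#define MAX_STRUCT    256

/* The subset of IOExternalMethodArguments that the check inspects, plus payload. */
typedef struct {
    uint32_t selector;
    uint32_t scalarInputCount, structureInputSize;
    uint32_t scalarOutputCount, structureOutputSize;
    uint64_t scalarInput[MAX_SCALARS];
    uint8_t  structureInput[MAX_STRUCT];
} FuzzArgs;

/* Same comparisons IOUserClient::externalMethod makes before calling the handler:
 * a fixed count/size must match exactly, a variable one is accepted as-is. */
static uint32_t external_method_check(const FuzzArgs *a)
{
    if (a->selector >= NUM_SELECTORS) return kIOReturnBadArgument;
    const DispatchEntry *d = &sMethods[a->selector];
    if (d->checkScalarInputCount    != kIOUCVariableStructureSize && d->checkScalarInputCount    != a->scalarInputCount)    return kIOReturnBadArgument;
    if (d->checkStructureInputSize  != kIOUCVariableStructureSize && d->checkStructureInputSize  != a->structureInputSize)  return kIOReturnBadArgument;
    if (d->checkScalarOutputCount   != kIOUCVariableStructureSize && d->checkScalarOutputCount   != a->scalarOutputCount)   return kIOReturnBadArgument;
    if (d->checkStructureOutputSize != kIOUCVariableStructureSize && d->checkStructureOutputSize != a->structureOutputSize) return kIOReturnBadArgument;
    return kIOReturnSuccess;
}

/* Deterministic xorshift32 so runs are reproducible. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rnd(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static void fill_payload(FuzzArgs *a)
{
    for (uint32_t i = 0; i < a->scalarInputCount && i < MAX_SCALARS; i++)
        a->scalarInput[i] = ((uint64_t)rnd() << 32) | rnd();
    for (uint32_t i = 0; i < a->structureInputSize && i < MAX_STRUCT; i++)
        a->structureInput[i] = (uint8_t)rnd();
}

/* Blind fuzzing: selector, counts and sizes are all random. */
static void gen_blind(FuzzArgs *a)
{
    memset(a, 0, sizeof *a);
    a->selector            = rnd() % 8;               /* may even be out of range */
    a->scalarInputCount    = rnd() % (MAX_SCALARS + 1);
    a->structureInputSize  = rnd() % (MAX_STRUCT + 1);
    a->scalarOutputCount   = rnd() % (MAX_SCALARS + 1);
    a->structureOutputSize = rnd() % (MAX_STRUCT + 1);
    fill_payload(a);
}

/* Informed fuzzing: fixed counts/sizes come from the resolved table; only the
 * variable-size fields and the payload bytes are randomized. */
static void gen_informed(FuzzArgs *a)
{
    memset(a, 0, sizeof *a);
    a->selector = rnd() % NUM_SELECTORS;
    const DispatchEntry *d = &sMethods[a->selector];
    a->scalarInputCount    = d->checkScalarInputCount    == kIOUCVariableStructureSize ? rnd() % (MAX_SCALARS + 1) : d->checkScalarInputCount;
    a->structureInputSize  = d->checkStructureInputSize  == kIOUCVariableStructureSize ? rnd() % (MAX_STRUCT + 1)  : d->checkStructureInputSize;
    a->scalarOutputCount   = d->checkScalarOutputCount   == kIOUCVariableStructureSize ? rnd() % (MAX_SCALARS + 1) : d->checkScalarOutputCount;
    a->structureOutputSize = d->checkStructureOutputSize == kIOUCVariableStructureSize ? rnd() % (MAX_STRUCT + 1)  : d->checkStructureOutputSize;
    fill_payload(a);
}

/* Returns how many of n generated inputs would reach the selector's handler. */
static unsigned pass_rate(void (*gen)(FuzzArgs *), unsigned n)
{
    FuzzArgs a;
    unsigned passed = 0;
    for (unsigned i = 0; i < n; i++) {
        gen(&a);
        if (external_method_check(&a) == kIOReturnSuccess) passed++;
    }
    return passed;
}

int main(void)
{
    printf("blind:    %u / 1000 reach a handler\n", pass_rate(gen_blind, 1000));
    printf("informed: %u / 1000 reach a handler\n", pass_rate(gen_informed, 1000));
    return 0;
}
```

The informed generator reproduces only the first gate; a real handler typically validates the structure contents as well, which is where the "supplementary data" resolved from the kernel (field layouts, expected magic values) would be fed into the payload generation rather than just the sizes.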

Lei Long

Lei Long is a technical expert in the Mobile Security Division of the Alibaba Group, and focuses on research into vulnerability exploitation and system security on mobile devices. In recent years, he has discovered several iOS vulnerabilities and reported them to Apple. Lei Long has extensive experience in iOS app development and security research. He was the key developer of the FIT (Fun Input Toy) project, the first free iOS Chinese input method for jailbroken devices. It supported iPhone/iPod touch/iPad and was the most influential Chinese input method to replace the iOS default input method. Before joining the Alibaba Group, Lei Long was the technical manager of the QQMobile Domo (iOS version) product at Tencent, Inc., one of the most popular apps on BigBoss with several million downloads. Its key features include virus detection, spam filtering, privacy protection, system optimization, and software management.

Peng Xiao

Peng Xiao is a security engineer in Mobile Security at Alibaba and focuses on exploiting and researching vulnerabilities on mobile platforms. In 2014, he received his PhD from Beijing University of Technology in China, where his research focused on wireless network security. While at the university, he published many papers on wireless security in well-known SCI-indexed and EI-indexed journals, such as 'An access authentication protocol for trusted handoff in wireless mesh networks' (WOS:000331162800005), published in Computer Standards & Interfaces.

Aimin Pan

Aimin Pan is the chief architect of the mobile security division within the Alibaba Corporation. He has written and translated many books, including "Understanding the Windows Kernel" (Chinese edition, 2010) and "COM Principles and Applications" (Chinese edition, 1999). Before joining Alibaba, he worked at Peking University (Beijing), Microsoft Research Asia, and Shanda Innovations. Aimin has published more than 30 academic papers and filed 10 US patents. In recent years, his research has focused on mobile operating systems and security.
