As we know for security researchers, almost every operation system vendor has highly raised the bar of security vulnerability credit or bonus criteria and lots of security mitigations such CFI on Android 9 or PAC based on hardware on iOS 12 have been integrated to vendor system.
What is more, industrial standard fuzzers (typical as AFL, syzkaller based on code coverage feedback) have been deployed on large scale. The survival space of bug hunting left for security researchers seems to be much smaller. Code reviewing based on threat expert knowledge seems to be the only way but which is obvious time consuming and dummy effort.
Any idea on how to break the deadlock now? As security researchers, maybe you could try our debug fuzzer for bug hunt. This method we pledged has been verified to be effective to find and expand new attack interface but also flexible, scalable and scriptable for vulnerability research utilities.
Based on our fuzzing methodology, we found dozens of vulnerabilities, including double free, oob read/write etc. which we will provide a detailed analysis of. However, these 10 vulnerabilities is the only part of we found, others will be analyzed later and submitted to Apple.
具体文章内容可以在线阅读: