Project Zero: Fuzzing iOS code on macOS at native speed

submitted by
Style Pass
2021-05-20 20:00:10

With the introduction of Apple Silicon Macs, Apple also made it possible to run iOS apps natively on these Macs. This is fundamentally possible because (1) iPhones and Apple Silicon Macs both use the arm64 instruction set architecture (ISA) and (2) macOS uses a mostly compatible set of runtime libraries and frameworks while also providing /System/iOSSupport, which contains the parts of the iOS runtime that do not exist on macOS. Because of this, it should be possible to run not just complete apps but also standalone iOS binaries or libraries on a Mac. This might be interesting for a number of reasons, including:
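As an added illustration (this is not code from the post or from the Project Zero tool): the two conditions above, matching ISA and an iOS platform target, can both be read straight from a binary's Mach-O header. The parser below reports the CPU type and the platform recorded in the LC_BUILD_VERSION (or older LC_VERSION_MIN_*) load command, and classifies the file accordingly. The constants are Apple's from <mach-o/loader.h> and <mach/machine.h>; the header-only sample input is constructed inside the block rather than taken from any real binary, and the classification labels are this example's own.

```python
import struct
import sys

# Constants from <mach-o/loader.h> / <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
MH_MAGIC_32 = 0xFEEDFACE
FAT_MAGIC = 0xCAFEBABE            # universal binary header (big-endian)
MH_EXECUTE = 2
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM64 = CPU_ARCH_ABI64 | 12
CPU_TYPE_X86_64 = CPU_ARCH_ABI64 | 7
LC_VERSION_MIN_MACOSX = 0x24
LC_VERSION_MIN_IPHONEOS = 0x25
LC_BUILD_VERSION = 0x32
ARCHS = {CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86_64: "x86_64"}
PLATFORMS = {1: "macos", 2: "ios", 3: "tvos", 4: "watchos",
             5: "bridgeos", 6: "maccatalyst", 7: "iossimulator"}


def decode_version(v):
    """Mach-O packs versions as 0xXXXXYYZZ -> 'X.Y.Z'."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def parse_macho(data):
    """Return {'arch', 'platform', 'minos'} for a thin 64-bit Mach-O image."""
    if len(data) < 32:
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        raise ValueError("fat binary: extract one slice first (lipo -thin arm64)")
    (magic, cputype, _cpusubtype, _filetype,
     ncmds, _sizeofcmds, _flags, _reserved) = struct.unpack_from("<IiiIIIII", data, 0)
    if magic == MH_MAGIC_32:
        raise ValueError("32-bit Mach-O: Apple Silicon does not run 32-bit code")
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a Mach-O image (magic {magic:#x})")

    info = {"arch": ARCHS.get(cputype, f"cputype {cputype:#x}"),
            "platform": None, "minos": None}
    off = 32  # load commands follow the 32-byte mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd == LC_BUILD_VERSION:
            platform, minos, _sdk, _ntools = struct.unpack_from("<IIII", data, off + 8)
            info["platform"] = PLATFORMS.get(platform, f"unknown({platform})")
            info["minos"] = decode_version(minos)
        elif cmd == LC_VERSION_MIN_IPHONEOS:   # pre-LC_BUILD_VERSION toolchains
            info["platform"] = "ios"
            info["minos"] = decode_version(struct.unpack_from("<I", data, off + 8)[0])
        elif cmd == LC_VERSION_MIN_MACOSX:
            info["platform"] = "macos"
            info["minos"] = decode_version(struct.unpack_from("<I", data, off + 8)[0])
        off += cmdsize
    return info


def classify(info):
    """Labels are this example's own: does the ISA match, and which runtime is needed?"""
    if info["arch"] != "arm64":
        return "isa-mismatch"          # would need emulation, not the iOSSupport runtime
    if info["platform"] == "ios":
        return "ios-arm64-candidate"   # same ISA; needs /System/iOSSupport libraries
    if info["platform"] == "macos":
        return "macos-native"
    return "other-platform"


def build_sample(cputype, platform, minos=(14, 0, 0)):
    """Constructed test input: a header-only Mach-O with one LC_BUILD_VERSION command."""
    packed = (minos[0] << 16) | (minos[1] << 8) | minos[2]
    cmd = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, platform, packed, packed, 0)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 1, len(cmd), 0, 0)
    return hdr + cmd


if __name__ == "__main__":
    # Usage: python3 macho_platform.py <thin arm64 Mach-O>
    with open(sys.argv[1], "rb") as f:
        parsed = parse_macho(f.read())
    print(parsed, classify(parsed))
```

On a real Mac the same information is visible with `otool -l <binary> | grep -A4 LC_BUILD_VERSION`; universal binaries must be thinned first (`lipo -thin arm64`), which the parser enforces by refusing fat headers.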

This post explains how this can be achieved in practice. The corresponding code can be found here and allows executing arbitrary iOS binaries and library code natively on macOS. The tool assumes that SIP has been disabled and has been tested on macOS 11.2 and 11.3. With SIP enabled, certain steps will probably fail.

We originally developed this tool for fuzzing a third-party iOS messaging app. While that particular project didn’t yield any interesting results, we are making the tool public as it could help lower the barrier of entry for iOS security research.
