Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst
ID: 192b69d3-ee64-5d0c-81d4-3d4dd872a003
STIX ID: report--192b69d3-ee64-5d0c-81d4-3d4dd872a003
Feed Name: Google Project Zero
Google Project Zero presents a lightweight userspace fuzzing workflow for Apple kernel extensions (demonstrated against the AppleAVD AV1 parser). The method uses IDA to rebase and export kext segments, a custom loader to map and patch kernel code into userspace, a TinyInst module to handle breakpoints, replacements and coverage instrumentation, and Jackalope for fuzzing delivery; the approach found three non-critical AV1 parsing bugs that reproduced on M3 hardware and were responsibly reported to Apple.