After running his fuzzer program on the applications for 3 weeks each, Miller found nearly a thousand unique ways to make the programs crash, and combed through those data to find which of those bugs allowed him to take control of the program.
FORBES: Researcher Will Expose 20 Hackable Apple Security Flaws