iOS 10/11 Kernel Security and Exploitation
Stefan Esser

Dates

12-15 February 2018

Capacity

18

Price

4.000,- €

4-days Course

ATTENTION, THIS COURSE IS CURRENTLY ONLY AVAILABLE TO STUDENTS FROM THE FOLLOWING COUNTRIES:

EU, Norway, Switzerland, Canada, USA, New Zealand, Australia or Japan

Description

For the last few years we have taught iOS and OS X/MacOS kernel exploitation to a wide variety of students. Techniques and vulnerabilities discussed in our training have been instrumental in the creation of several public jailbreaks between iOS 7 and iOS 10. Our previous trainees can also be seen reporting vulnerabilities to Apple these days.

The course has been under constant development for years, because Apple keeps adding new security mitigations into the kernel or changes how security-relevant implementations like the kernel heap work. For 2018 we will have reworked the material again to cover the latest security changes in iOS 11 and the successor of the iPhone 7. We have also improved the software tools that we use during exploit development.

In comparison to previous years we have more hands-on tasks covering real kernel vulnerabilities that were made public during 2017.

During the training, we will make devices available on iOS 10 to perform the hands-on tasks, because they can only be performed on devices having vulnerabilities. However, we will also demonstrate our tools working on iOS 11 devices.

PREREQUISITE WARNING

Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides will list material the students are expected to have knowledge about coming in and software tools that need to be pre-installed before attending, so you get the maximum benefit from the focused intermediate or advanced level course.

Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Topics

  • Introduction
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • How to load your own kernel modules into the iOS kernel
    • How to write Code for your iDevice
    • Damn Vulnerable iOS Kernel Extension
  • Low Level ARM / ARM64
    • Differences between ARM and ARM64
    • Exception Handling
    • Hardware Page Tables
    • Special Registers used by iOS
    • ...
  • iOS Kernel Source Code
    • Structure of the Kernel Source Code
    • Where to look for Vulnerabilities
    • Implementation of Mitigations
    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing
    • ...
  • iOS Kernel Reversing
    • Structure of the Kernel Binary
    • Finding Important Structures
    • Porting Symbols
    • Closed Source Kernel Parts and How to analyze them
    • ...
  • iOS Kernel Debugging
    • Panic Dumps
    • Working around the lack of KDP debugging
    • Kernel Heap Debugging/Visualization (new software adjusted to iOS 10/Mac OS Sierra)
  • iOS Kernel Heap
    • In-Depth Explanation of How the Kernel Heap works (including all the changes in iOS 10.x)
    • Different techniques to control the kernel heap layout (including non-public ones)
    • About the heap randomness in iOS >= 9.2
    • All the changes to the heap with iOS 10
  • iOS Kernel Exploit Mitigations
    • Discussion of all the iOS Kernel Exploit Mitigations introduced
    • Discussion of various weaknesses in these protections
  • iOS Kernel Vulnerabilities and their Exploitation
    • Look at real iOS 10/11 Kernel vulnerabilities and how they can be exploited
    • Overview of the different vulnerability types commonly found in the iOS kernel and exploit strategies
    • During the training students will reimplement bits and pieces of a real iOS 10.x kernel exploit
  • iOS Kernel Jailbreaking
    • Discussion of Kernel Patch Protection in devices prior to iPhone 7
    • Discussion of all the Kernel Patches applied by recent iOS Jailbreaks
    • Discussion of differences between 32 bit and 64 bit patches

Course Requirements

Wassenaar requirement

Due to Wassenaar export control on technology for the development of intrusion software, any kind of exploitation training against hardened targets is export controlled. We therefore can only accept students from:

EU, Norway, Switzerland, Canada, USA, New Zealand, Australia or Japan


  • Student Requirements
    • Students must have prior knowledge of exploitation (basics will not be taught)
    • Students must be capable of understanding/programming exploits in C
    • Students will get an introduction into ARM64 as part of the course
  • Software Requirements
    • IDA Pro
    • OS X El Capitan/Mac OS Sierra
    • Xcode with iOS 10 SDK
  • Hardware Requirements
    • Macbook capable of running latest OS X/MacOS
    • Students can optionally bring an iOS device jailbroken on latest iOS (iOS 10.x devices will be provided)

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook.

Limited Seats - Remember to reserve your ticket!
