iOS 11/12 Kernel Internals for Security Researchers
Stefan Esser

For the last few years we have taught iOS and OS X/MacOS kernel security and exploitation to a wide variety of students. Techniques and vulnerabilities discussed in our training have been instrumental in the creation of several public jailbreaks between iOS 7 and iOS 10. And also several techniques used in the very latest public jailbreaks are covered in our trainings. Our previous trainees can also be seen reporting vulnerabilities to Apple these days and a few of them even work for them these days.

This course has been under constant development for years, because Apple keeps adding new security mitigations into the kernel or changes how security relevant implementations like the kernel heap work. For 2019 we will have reworked the material again to cover the latest security changes in iOS 12 and the successor of the iPhone 9/X.

We have also improved the software tools that we use during kernel security research.

This course is concentrating on introducing trainees to security features of the iOS kernel and internals like how the new iOS kernel heap works. We will enable trainees to understand up to date iOS kernel security topics and understand public exploits. However this version of the course will not teach exploitation itself.

During the training, we will make devices availiable on iOS 11 to perform the hands on tasks, because they can only be performed on devices with jailbreaks available.

• Introduction
• How to set up your Mac and Device for Vuln Research/Exploit Development
• How to load own kernel modules into the iOS kernel
• How to write Code for your iDevice
• Damn Vulnerable iOS Kernel Extension
• Low Level ARM / ARM64
• Differences between ARM and ARM64
• Exception Handling
• Hardware Page Tables
• Special Registers used by iOS
• ...
• iOS Kernel Source Code
• Structure of the Kernel Source Code
• Where to look for Vulnerabilities
• Implementation of Mitigations
• MAC Policy Hooks, Sandbox, Entitlements, Code Signing
• ...
• iOS Kernel Reversing
• Structure of the Kernel Binary
• Finding Important Structures
• Porting Symbols
• Closed Source Kernel Parts and How to analyze them
• ...

• iOS Kernel Debugging
• Panic Dumps
• Working around the lack of KDP debugging
• Kernel Heap Debugging/Visualization (new software adjusted to iOS 11-12)
• iOS Kernel Heap
• In-Depth Explanation of How the Kernel Heap works (including all the changes in iOS 12.x)
• Different techniques to control the kernel heap layout (including non-public ones)
• iOS Kernel Exploit Mitigations
• Discussion of all the iOS Kernel Exploit Mitigations introduced
• Discussion of various weaknesses in these protections
• iOS Kernel Vulnerabilities and their Exploitation
• Walkthrough of previously publicly exploited vulnerabilities

• Student Requirements
• Students should have prior knowledge of exploitation to understand walk throughs
• Students must be capable of understanding/programming in C
• Students will get an introduction into ARM64 as part of the course

• Software Requirements
• IDA Pro / Hopper / Binary Ninja
• OS X High Sierra or newer
• Xcode with iOS 11/12 SDK

• Hardware Requirements
• Macbook capable of running latest OS X/MacOS
• Students can optionally bring an iOS device jailbroken on latest iOS (iOS 11.x devices will be provided)