For years we have taught iOS Kernel Exploitation to a large crowd of students. However more and more students have been asking for a similar course targetted at iOS Userspace Exploitation. Therefore for 2019 we have finally added this course to our syllabus. After having successfully run an introductory 3 day userspace exploitation training during the HITB conference in Amsterdam we have decided to offer an advanced course that discusses targetting not only applications and daemons but also Apple's iMessage.
In this four day training participants will take a deep dive into topics related to iOS 12/13 userpace level exploitation. This starts with an introduction into the specifics of the iOS platform so that trainees with or without deep knowledge of iOS are on the same track. The following days will then concentrate on real world vulnerabilities in applications, daemons, services, and Apple's iMessage.
It is a full 4-day course and is targeted at intermediate to advanced exploit developers that want to switch over to iOS or learn how to deal with modern iOS user space targets. For each topic we have selected a number of previously disclosed real world vulnerabilities so that trainees can learn from real examples and not only via mockup bugs.
The training excercises will be performed on a mixture of devices running on iOS 12.x. Some of these devices will be 64bit iPod touch (6th Gen) 32 GB devices that the trainees will use during the training. However we will also give the trainees access to more modern devices to test out new hardware based mitigations like the ARM v8.3 pointer authentication.
The goal of this training is to enable trainees to find and exploit new vulnerabilities in iOS userpace programs despite newest mitigations.
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook.