*OS - Security & Insecurity Workshop - OffensiveCon Edition
Jonathan Levin

Dates

6th-9th of May 2024

Capacity

25

Price

4.250€

Synopsis

This course, modeled after Jonathan Levin's "*OS Internals: Volume III", takes a practical approach to explaining the security of Apple's operating systems, by explaining the various mechanisms employed by Apple to secure the system - and yet demonstrating how they fail, time and time again. Through case studies of jailbreaks and Pegasus (the only weapons-grade malware caught in the wild), the techniques for protecting the OS integrity - as well as measures used to bypass them - are detailed.

Code samples detailing usage of each mechanism are provided as actual examples for discussion in class. Actual jailbreak code, including the latest KFD family of jailbreaks, is presented. Advanced tools - such as Xn00p, our live kernel inspection/debugging tool - allow unprecedented visualization of what happens behind the scenes in every step of the jailbreak process. This course is updated to the latest Darwin 23 releases (iOS17, macOS 10.19)!

Target Audience

Reverse Engineers, Security and/or Malware Researchers - both Mac and iOS - interested in getting to know Apple's Operating Systems and their security measures intimately.

Prerequisites

  • Knowledge of Mac OS X and/or iOS, and user mode programming.
  • Knowledge of *OS kernel concepts: XNU = { Mach + BSD + IOKit }
  • Knowledge of Mach IPC - ports and message format
  • Familiarity with ARM64 is highly recommended
  • Bring your own Mac/jailbroken i-Device (ask us about renting one for class!)
  • Students must bring MacBooks with XCode 14.x + latest XNU Sources (10002+) installed (ask us about renting one!)
  • For iOS examples, it is recommended that students be in possession of a provisioning profile, or use jtool2/ldid to self-sign

 

Objectives

  • Understand the MAC Framework in MacOS and the iOS Variants
  • Understand kernel memory protections
  • Explain the methodology employed by jailbreaks and malware alike to elevate privileges and obtain unrestricted access
  • Understand how jailbreaks repeatedly find flaws and circumventions in Apple's mechanisms
  • Understand the Apple Sandbox, and its profile language
  • Explain common jailbreaking techniques, before and after kernel patch protection
  • Understand attack surfaces in OS X and iOS (and its derivatives), particularly those of the kernel, kexts (I/O Kit) and system daemons.

 

Important: This course is an advanced course, and requires a priori familiarity with MacOS or iOS, as per Jonathan's Levin or Amit Singh's "Mac OS [and iOS] Internals" books. It does not discuss basic internals, but rather builds on them so as to focus on security. Participants are highly encouraged to read the books (see below, "Required Reading") throughly.

We would also suggest participants consider the basic MacOS/iOS Internals course prior to this one. This special edition training takes portions of that training (notably, mach-O and debugging techniques) and includes them here.

Exercises

This course contains quite a few hands-on exercises, and walks through code samples (often in the form of guided instructor demos), as shown below

Suggested Reading

The following books are suggested as additional references for this course:

Day 1

1.Introduction

An overview of the architecture of *OS variants, from a threat assessment perspective. Focus on different abuse cases, and the mitigation techniques devised by Apple to address and prevent them.

  • Quick recap of the *OS Architecture
  • High level presentation of mitigation techniques
  • Attack surface of MacOS and the iOS variants
  • Divergences between MacOS and iOS variants

*.Monitoring

Explaining the reactive mechanisms by means of which system activity can be monitored (though not intercepted) and logged. This includes a detailed discussion of:

  • Auditing (MacOS)
  • KDebug
  • DTrace (MacOS)
  • FSEvents
  • Stackshot
  • Proc info

2.The Boot Sequence

The boot sequence - aside from starting up the system - is responsible for establishing and securing the chain of trust, which ensures component integrity. MacOS boot is (still) fairly lax, but that of the *OS variants is rigorously designed to be as bulletproof as possible.
This module takes a close look at the stages of boot, focusing in particular on iBoot. Focusing on a purely reverse engineering approach, this module takes apart iBoot - from BootROM to kernelcache loading:

  • Boot sequence components: BootROM, iLLB, iBoot and friends
  • SHSH blobs and APTickets
  • Attack surface and potential vulnerability discussion
  • Reversing iBoot (once decrypted)
  • Reversing the Secure Enclave Processor (SEP) image (once decrypted)

Day 2

3.Code Signing

Code Signing in Darwin not only secures code by authenticating and tamper proofing it - but also provides the substrate for all of its security features. Entitlements, Code Signature Requirements, and (more recently) Launch Constraints are all based on this important facility, which we discuss in unprecdented detail.

  • The Security Framework (participants will need the open sources)
  • Refreshing Mach-O principles
  • LC_CODE_SIGNATURE
  • The Code Signature SuperBlob
  • The Code Directory
  • Special Blobs
  • Self-Signing and Ad-Hoc Code Signatures

4.The Mandatory Access Control Framework

The Mandatory Access Control Framework (MACF) is the de-facto standard for all of Apple's security mitigation techniques - from code signing, through sandboxing. A legacy of TrustedBSD, although it is a "private" KPI, it is remarkably simple and, at the same time, powerful.

  • Precursor: KAuth
  • Introducing: MACF
  • The MACF KPIs
  • MAC Policies
  • Creating a simple MACF policy
  • Case study: MacOS Quarantine
  • Case Study: MacOS 10.15 EndpointSecurity

5. AppleMobileFileIntegrity

Sworn nemesis of jailbreakers, AppleMobileFileIntegrity (amfi) has become the linchpin of Darwin security, controlling the kernel-enforcement of code signing and kernel-level entitlements.

  • AMFI components (kext, daemon)
  • Detailed breakdown of AMFI.kext
  • Full reversing of amfid
  • AMFI.kext as an entitlement enforcement
  • The AMFI User Client
  • iOS 16: Developer Mode enforcement
  • iOS 12: CoreTrust and its repeated bypasses..

6.Sandboxing

The Apple Sandbox mechanism has evolved dramatically since its inception in MacOS 10.5 as "SeatBelt". It has also diverged in its implementations outside MacOS.

  • Sandboxing Terminology
  • Implementation in MacOS: The App Sandbox
  • The Sandbox Profile Language (SBPL)
    • Compiling profiles
    • Decompiling profiles
    • Creating custom profiles
    • Debugging the sandbox
  • User mode APIs
  • Implementation in *OS: forcing Containers
  • Sandbox extensions
  • Detailed reversing of the Sandbox kernel extension
  • System Integrity Protection as a manifestation of the Sandbox
  • iOS 10 and the platform profile
  • Darwin 18 and TCC integration

Day 3

7.kobjects

Ports are mere 32-bit identifiers in user space, but kernel space reveals a vast menagerie of complicated objects, of which IPC ports are but one type. This module examines thoese objects in detail, showing live kernel memory using xn00p2 of various objects, including:

  • The BSD objects (proc_t, uuthread, fileproc, fileglob, vnode, ...)
  • The ipc_object_t
  • The ipc_port_t
  • The task_t and thread_t

8.Get in the (kernel) zone

Everything that user mode "sees" and touches is a figment of the kernel's memory. Understanding memory structures and management is paramount - for researchers and exploiters alike. This module discusses in depth the various allocation mechanisms of kernel memory

  • The vm_map abstraction
  • The pmap abstraction
  • The Zone allocator
  • Darwin 18: The Zone Cache
  • Garbage collection, Feng Shui, and other techniques
  • Zone ("kernel heap") hardening

9.Let's Get Physical

Apple is one of the only vendors to adopt proprietary protections for physical memory. Starting with the simple "WatchTower" KPP, Apple moved to introduce KTRR in the A10, followed by APRR (A11), GXF (A12) and applications such as PPL and, most recently (in iOS 17.0), SPTM & TXM. But what do all these acronyms mean? And what is their impact on exploitation?

  • A6-A9, iOS9+: KPP
  • A10+: KTRR
  • A11+: APRR
  • A12+: PPL
  • A12+: GXF
  • A12+ (iOS17+): SPTM/PPL

10.Aie, Aie, IOKit

IOKit is the most advanced and powerful feature of XNU, allowing C++ code in kernel with all its might - Object orientation and inheritance - and all its weaknesses. IOKit objects have become crucial for many an exploit, both as a vector for vulnerabilities, and as a mechanism for kernel code execution.

  • IOKit objects: Services and user clients
  • Enumerating and identifying IOKit objects in *OS kernels
  • Object corruption and fake objects
  • Kernel code execution primitives (and how to survive without them)

Day 4

*.Vulnerabilities and Exploits

We turn our attention to discuss a few practical examples - as many as time permits, with actual code samples showing point proofs of concept on vulnerable (past) versions of MacOS and *OS. Exact samples may change by time of training, but at this point are:

  • BootROM Exploit - Checkra1n
  • KFD
  • Specific CVEs (TBD)

Frequently Asked Questions

  • How is this course different from the standard OS X/iOS Internals course you offer?
    Radically. For one, this is a sequel to the standards internal courses, and does not actually discuss various aspects - like the MachO format, runtime environment, Mach objects, and IOKit - which are deemed to be prerequisites for this course. For two, Jonathan Levin doesn't deliver MOXiI trainings anymore (he's happily evolved past Darwin). But, for this special occasion he's back - so now's your chance to see him and get his unique insights on Darwin for, quite possibly, the last time in the foreseeable future.
  • Do I aboslutely have to know [Intel/ARM32/ARM64/Any] Assembly?
    Not really, but it's recommended, since we will be disassembling Apple binaries
  • Why such strict prerequisites?
    Because. It is already extremely tight to fit all this information - this alone could have taken double that time. But we already have five days in the standard course, so we opted to make this the unofficial "sequel".
  • How is this course different from other iOS exploitation courses?
    Several ways:
    • First, we try and parallel OS X and iOS, in much the same way MOXiI has. In that, we are not focused on one or the other operating system, but take their (rather large) common denominator as a base, and make segues and side discussion for idiosyncratic features of one or the other.
    • Second, we do not demonstrate, sell or otherwise provide any active 0-days. We do, however, explain past vulnerabilities in great detail, as well as the exploitation methodology, which applies to the present day.
    • We present unparalleled views of kernel memory and objects using advanced tools, such as our proprietry Xn00p kernel memory inspector
    • Lastly, other trainings are myopic, focusing only on the exploitation. We believe that true understanding of the internals of a system goes further.
  • When and where is the next course for this scheduled?
    There is no 'next' here. This is a one-time engagement by Jonathan Levin at the specific request of OffensiveCon. The next training will be held in NYC, Dec 9th-11th , and is our last with Jonathan Levin.
  • I don't have a (jailbroken) iOS device. What do I do?
    We strongly suggest bringing your own device. If you can't, talk to us - we can rent you one. No problem.
  • Is it true what I hear about "surprise, mystery guests" attending your courses?
    If we admitted to anything, it wouldn't be a surprise, nor a mystery, now, would it? :-)
  • How much??
    Talk to the Offensive Con people :-)

Bio

Jonathan Levin is an expert on operating system internals, known for his “macOS/iOs internals” and “android internals” books. Jonathan is a cofounder of DataFlow Forensics, a security company specializing in the detection of malware and APT on mobile devices.

Limited Seats - Remember to reserve your ticket!

register now