The SektionEins and Antid0te iOS Kernel Exploitation Trainings in 2014-2018 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11/12 jailbreaks use some techniques that have been part of our training material for a while. Furthermore several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or even joined Apple as employees. However Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.
With the release of iOS 12 Apple has once again raised the bars in the world of iOS exploitation by introducing new software and hardware based mitigation. Because of this the May edition of our training will shift its focus to these newly introduced mitigations so that trainees learn to deal with these up to date protections.
The next training is in May 2019. It will be happening in the Berlin Marriott Hotel near Potsdamer Platz between May 20th and May 24th 2019. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.
All training excercises will be performed on 64bit iPod touch 32GB devices that will be running on iOS 12.x. Trainees will take these devices home after the training.
The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.
Topics
The following list of topics shows what is usually covered by the course.
Introduction
How to set up your Mac and Device for Vuln Research/Exploit Development
How to load own kernel modules into the iOS kernel
How to write Code for your iDevice
Damn Vulnerable iOS Kernel Extension
Low Level ARM / ARM64
Differences between ARM and ARM64
Exception Handling
Hardware Page Tables
Special Registers used by iOS
PAN and PAC (Pointer Authentication)
...
iOS Kernel Source Code
Structure of the Kernel Source Code
Where to look for Vulnerabilities
Implementation of Mitigations
MAC Policy Hooks, Sandbox, Entitlements, Code Signing
...
iOS Kernel Reversing
Structure of the Kernel Binary
Finding Important Structures
Porting Symbols
Closed Source Kernel Parts and How to analyze them
...
iOS Kernel Debugging
Panic Dumps
Using the KDP Kernel Debugger (hands on tasks limited to 30 pin devices)
Extending the Kernel Debugger (KDP++)
Debugging with own Patches
Kernel Heap Debugging/Visualization (new software package)
iOS Kernel Heap
In-Depth Explanation of How the Kernel Heap works (including all the changes in iOS 12)
Different techniques to control the kernel heap layout (including non-public ones)
Discuss weaknesses in current heap implementation
iOS Kernel Exploit Mitigations
Discussion of all the iOS Kernel Exploit Mitigations introduced
Discussion of various weaknesses in these protections
iOS Kernel Vulnerabilities and their Exploitation
Full walkthrough through exploitation of multiple prior known iOS memory corruption vulnerabilities
Analysis of public exploits and discussion how to improve them
Overview over different vulnerability types commonly found in iOS kernel and exploit strategies
Part of the training will be to reimplement bits and pieces of an iOS 12 kernel exploit
iOS Kernel Jailbreaking
Discussion of kernel patch protection KTRR / KPP
Discussion of how recent iOS jailbreaks deal with kernel patch protection
Handling of New Devices
Discussion of necessary steps to port exploits from old to new devices
Training Takeaways
All students will take home an iPod Touch 32GB (64 bit) with a retail value of now 229,- EUR
(these iPods are running iOS 12.x for the hands-on during the training).
The whole training material (multiple hundred slides) will be handed to the students in digital form.
Trainees will get a license for the Antid0te software and scripts that are used during
the training that allows usage but not redistribution of said software.
Training Requirements
Student Requirements
This course will not give an introduction to ARM assembly basics. The
trainee is required to understand basic ARM assembly. It is not required
to have previous experience with ARM64 cpus, because their differences are
discussed within the training. There is a short refresher inside the
training. Low level ARM CPU knowledge will be helpful,
but is not required for this course - part of it will be explained within
the course.
This course will not give basic introduction to exploitation or ROP.
Trainees are required to know concepts like ROP or buffer overflows,
integer overflows, etc...
About 3 weeks before the training trainees will receive a booklet that
covers introductory information. Trainees are required to read and
work through this document in order to ensure that all software is
correctly installed and some basics are understood.
NOTE: In order to fit more topics and hands on excercises into the training
this booklet now contains 4h worth of material that previously was worked
through on day 1 of the training.
Hardware Requirements
An Apple Mac Notebook is required in order to run MacOS and XCode.
Training hands-on exercises will be performed on devices provided by Antid0te.
It is not required for students to bring their own iOS devices.
Every student will be handed an iPod Touch 32GB at the beginning
of the training that they will work on and can take home after the training.
Students can optionally bring their own iOS device for experiments.
But for best results these devices should run an iOS version which has a public
jailbreak for it.
Students are not required to bring iOS serial cables for older devices to the
training, because these will be provided by Antid0te if required.
Software Requirements
IDA Pro 6.x/7.x license (ARM64 support required)
alternatively Hopper/Binary Ninja can be used but script support varies by tool
Hexrays for ARM64 helpful, but not required
BinDiff for IDA helpful, but not required
Mac OS X 10.14, with latest XCode and iOS 12.x SDK (or newer)
Additional Software will be made available during the training
Venue
The training will be held at the Berlin Marriott Hotel (Germany). The hotel is located near the Potsdamer Platz in Berlin, which is easily reachable with public transportation from many parts of Berlin.
Address:
Berlin Marriott Hotel
Inge-Beisheim-Platz 1
10785 Berlin
No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.
Pricing
We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.
Price
VAT
Early Bird (before 14th March)
4000,- EUR
760,- EUR
Regular (before 25h April)
4500,- EUR
855,- EUR
Late (after 25th April)
5000,- EUR
950,- EUR
The training ticket price include daily lunch, morning and afternoon coffee breaks, free soft drinks in the training room.
Register
If you have further questions or want to register for this training please contact us by e-mail training@antid0te.com. Please notice that signup, billing and execution of the training is performed by Antid0te UG (haftungsbeschränkt).
In-House Training / Conferences / Additional Trainings
If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail training@antid0te.com.
