iOS 12/13 Advanced Userspace Exploitation Training (November 2019)


Posted by Stefan Esser
Instructor: Stefan Esser (Antid0te SG Pte. Ltd.)
Dates: 4th November - 8th November 2019 (5 days)
Venue: TBA, Singapore
Availability: 10 Seats
Language: English

For years we have taught iOS Kernel Exploitation to a large crowd of students. However, more and more students have been asking for a similar course targeted at iOS userspace exploitation. Therefore, for 2019 we have finally added this course to our syllabus. After having successfully run an introductory 3-day userspace exploitation training at the HITB conference in Amsterdam, we have decided to offer an advanced course that covers not only applications and daemons as targets, but also browsers and Apple's iMessage.

In this five-day training participants will take a deep dive into topics related to iOS 12/13 userspace exploitation. The course starts with an introduction to the specifics of the iOS platform so that trainees with or without deep knowledge of iOS are on the same footing. The following days will then concentrate on real-world vulnerabilities in applications, daemons, services, Mobile Safari and Apple's iMessage.

This training will be held from November 4th to November 8th 2019 in a hotel in Singapore that will be announced soon. It is a full 5-day course and is targeted at intermediate to advanced exploit developers who want to switch over to iOS or learn how to deal with modern iOS userspace targets. For each topic we have selected a number of previously disclosed real-world vulnerabilities, so that trainees learn from real examples and not only from mock-up bugs.

The training exercises will be performed on a mixture of devices running iOS 12.x. Some of these devices will be 64-bit iPod touch (6th generation, 32 GB) devices that the trainees will take home after the training. However, we will also give trainees access to more modern devices to test out new hardware-based mitigations such as ARMv8.3 Pointer Authentication (PAC).

The goal of this training is to enable trainees to find and exploit new vulnerabilities in iOS userspace programs despite the newest mitigations.

Topics

The following list of topics shows what is usually covered by the course.

  • Introduction
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • iOS Userspace Memory Layout
    • Dynamic Loading of Frameworks and Libraries, and ASLR
    • iOS Sandboxing and Inter Process Communication
    • Userspace Exploit Mitigations
    • Userspace Attack Surface
  • Objective-C and Swift Targets
    • Objective-C- and Swift-specific exploitation strategies
  • ARMv8.3 Pointer Authentication
    • Exploitation despite modern mitigations
  • iOS Userland Debugging
    • Using the iOS Userland Debugger for vulnerability research
    • How to deal with iOS Anti Debugging Tricks
  • iOS Userland Heap
    • Discussion of the iOS Userland Heap implementation
    • Discussion of other heap implementations in our targets
    • Introduction of new iOS userland heap visualization toolset
  • MIG and other forms of IPC
    • Introduction to MIG/IPC
    • Understanding the MIG/IPC architecture and its attack surface
    • Mach messages
    • Fuzzing and Exploitation of MIG services
  • XPC services
    • Introduction to XPC services
    • Understanding the XPC architecture and attack surface
    • Understanding target specific mitigations
    • XPC serialization / deserialization
    • Fuzzing XPC services
    • Exploiting XPC services
  • Mobile Safari
    • Introduction to Mobile Safari and its architecture
    • Understanding the attack surface of WebKit and JavaScript Core
    • Understanding target specific mitigations
    • Understanding the heap implementation
    • Introspection and instrumentation
    • Fuzzing Mobile Safari
    • Exploiting Mobile Safari
  • iMessage Exploitation
    • Introduction to iMessage and its architecture
    • Understanding the attack surface
    • Understanding target specific mitigations
    • Introspection and instrumentation
    • Fuzzing iMessage
    • Exploiting iMessage
  • What is new in iOS 13
    • New mitigations in iOS 13 will be covered

Training Takeaways

  • All students will take home a 6th generation iPod touch (32 GB, 64-bit) with a retail value of EUR 229 (these iPods run iOS 12.x and are used for some of the hands-on exercises during the training).
  • The complete training material (several hundred slides) will be handed to the students in digital form.
  • Trainees will receive a license for the Antid0te software and scripts used during the training; the license permits use but not redistribution of said software. This software is currently undergoing a complete cleanup and modernization to ensure compatibility with all new devices.

Training Requirements

  • Student Requirements
    • This is an advanced exploitation course; it is therefore assumed that all trainees have written exploits for the ARM64 platform before (for a good introduction to ARM64 exploitation, see our course ARM64 Reverse Engineering and Android/Linux Exploitation)
    • The course starts with an introduction to the specifics of the iOS platform and is therefore suitable for trainees with or without prior iOS userspace exploitation experience
  • Hardware Requirements
    • An Apple Mac notebook is required in order to run macOS and Xcode.
    • Training hands-on exercises will be performed on devices provided by Antid0te. Students are not required to bring their own iOS devices.
    • Every student will be handed a 32 GB iPod touch at the beginning of the training, which they will work on and can take home afterwards.
    • In addition, more modern iOS devices will be provided throughout the course to gain experience with hardware mitigations such as PAC.
    • Students can optionally bring their own iOS device for experiments, but such devices must be jailbroken and running iOS 12.
  • Software Requirements
    • IDA Pro 6.x/7.x license (ARM64 support required)
    • alternatively Ghidra/Hopper/Binary Ninja can be used, but script support varies by tool
    • Hex-Rays decompiler for ARM64 helpful, but not required
    • BinDiff for IDA helpful, but not required
    • macOS 10.14/10.15 with the latest Xcode and the iOS 12.x SDK (or newer)
    • Additional Software will be made available during the training

Venue

The training will be held at TBA (Singapore). ...

Address:
...
TBA
Singapore ...



No special room rate has been arranged with the hotel for attendees. Attendees are free to choose any nearby hotel.

Pricing

We offer the following rates for this training. Please note that Antid0te SG is not yet required to register for GST in Singapore, and therefore attendees do not have to pay GST on top of the base price.

  Ticket                            Price
  Early Bird (before 19th August)   S$ 5,500
  Regular (after 19th August)       S$ 6,000

The training ticket price includes daily lunch as well as morning and afternoon coffee breaks.

Register

If you have further questions about this training or want to register please contact us by e-mail training@antid0te-sg.com.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but would like us to deliver it on-site for your team, want to feature our training at your conference, or would simply like to know whether we will offer the training again at a later date, please contact us by e-mail at training@antid0te-sg.com.