Dates: 17th February - 20th February 2020 (4 days)
Venue: Berlin Courtyard by Marriott, Germany
Availability: 10 Seats
With the release of MacOS Catalina and iOS 13 Apple has once again raised the bars in terms of kernel level security. This course will introduce you to the low level internals of the MacOS and iOS kernels from the perspective of a security researcher interested in kernel level vulnerability analysis, kernel rootkit/malware analysis/detection or driver development. While this course is concentrating on MacOS Catalina on the x64 cpu architecture the latest security enhancements of iOS 13 will also be discussed. The course material was updated to the latest security features of MacOS Catalina and iOS 13. This is the first course that introduces Apple's new concept of SystemExtensions and introduces you to DriverKit and EndpointSecurity.
This training will be in February 2020 in Berlin. It will be happening between February 17th and February 20th 2020 in a the Marriott Courtyard hotel in Berlin and is therefore timewise and locationwise right next to Offensive Con. It is a full 4-day course and is targeted at security researchers that want to dive into MacOS or iOS kernel security topics.
The course will focus on the MacOS side and therefore all training excercises will be performed on MacOS Catalina. However iOS security specifics will also be covered by the course, if they are different from the MacOS way.
The following list of topics shows what will be covered by the course.
Setting up a development and debugging environment
Developing your own kernel extensions (kext vs. systemextensions)
Low Level x64 / ARM64
Low level cpu details
Physical memory management
Hardware Page Tables
Special Registers used by iOS
PAN and PAC (Pointer Authentication)
Kernel Source Code
Structure of the Kernel Source Code
Where to look for Vulnerabilities
Implementation of Mitigations
DriverKit / SystemExtensions
Driver attack surface
Kernel driver code-signing
Important data structures of the kernel
Mach-o fileformat / encryption
Mach messages and IPC
Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter
Filesystems, networking stack
Built-in Kernel Debugging / VMWARE based debugging
Debugging with own kernel extensions
Kernel Heap Debugging/Visualization
In-Depth Explanation of How the Kernel Heap works
Discuss weaknesses in current heap implementation
Kernel Exploit Mitigations
Discussion of all the iOS Kernel Exploit Mitigations introduced
Includes software and hardware based mitigations like (KTRR, KPP, PAC, PAN, APRR)
Including newest mitigations already known in iOS 13
Discussion of various weaknesses in these protections
Discussion of previously hooked / abused data structures in MacOS rootkits
Rootkits and their detection in light on SystemExtensions and EndpointSecurity
The whole training material (multiple hundred slides) will be handed to the students in digital form.
Trainees will get a license for the Antid0te software and scripts that are used during
the training that allows usage but not redistribution of said software.
Basic understanding of exploitation
C and Python Programming knowledge
Knowledge of X64 assembly
Apple Mac Notebook capable of running latest MacOS within VMWARE
Enough hard disk space to run VMs
IDA Pro 6.x/7.x license (ARM64 support required)
alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool
Hexrays for ARM64 helpful, but not required
BinDiff for IDA helpful, but not required
Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)
Additional Software will be made available during the training
The training will be held at the Berlin Courtyard by Marriott Hotel (Germany). The hotel is central and located near the Hilton Hotel which is the venue of Offensive Con.
Courtyard by Marriott
No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.
We offer the following rates for this training. All ticket prices include 19% mandatory VAT.
Price (incl. 19% VAT)
Early Bird (before 21st November)
Regular (before 1st February)
Late (after 1st February)
The training ticket price include daily lunch, morning and afternoon coffee breaks, free soft drinks in the training room.
If you have further questions or want to register for this training please contact us by e-mail email@example.com. Please notice that signup, billing and execution of the training is performed by Antid0te UG (haftungsbeschränkt).
In-House Training / Conferences / Additional Trainings
If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail firstname.lastname@example.org.