iOS Kernel Exploitation Training (November 2017)
Instructor: Stefan Esser (Antid0te SG)
Dates: 27th November - 1st December 2017 (5 days)
Venue: H4 Hotel Berlin Alexanderplatz, Germany
Availability: 15 Seats
The SektionEins and Antid0te SG iOS Kernel Exploitation Trainings in 2014-2017 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2.
Furthermore several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases. However Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.
With the upcoming release of iOS 11 Apple has again made security relevant changes to the kernel and because the final version of iOS 11 is expected around October our training will cover these changes, too. Furthermore it is expected that the new iPhone will be released by then and we might see new ARM64 security features being used in the kernel on these devices. We will cover these new ARM64 security features during the course. Overall the training will have been redesigned until November to discuss the different vulnerability types under the strictest protections available in Apple's latest iOS devices.
The next training is at the end of November 2017. Like our previous training it will be happening in Berlin in the H4 Hotel Berlin - Alexanderplatz (which was previously called RAMADA) between November 27th and 1st December 2017. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.
With the release of iOS 11 Apple will discontinue support for 32 bit iOS devices and therefore all 32 bit specific topics will be removed from the syllabus. However trainees will get access to the 32 bit specific training material from earlier trainings. All training excercises will be performed on 64bit iPod touch 16GB devices that will be running on iOS 10.x. Trainees will take these devices home after the training.
The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.
The following list of topics might change slightly before the course. (Please check every now and then to see an updated list of topics. Please note that this list includes 32 bit specific training material from earlier trainings that will be shared with the trainees, but not discussed in the course.)
- How to set up your Mac and Device for Vuln Research/Exploit Development
- How to load own kernel modules into the iOS kernel
- How to write Code for your iDevice
- Damn Vulnerable iOS Kernel Extension
- Low Level ARM / ARM64
- Differences between ARM and ARM64
- Exception Handling
- Hardware Page Tables
- Special Registers used by iOS
- PAN and Pointer Authentication
- iOS Kernel Source Code
- Structure of the Kernel Source Code
- Where to look for Vulnerabilities
- Implementation of Mitigations
- MAC Policy Hooks, Sandbox, Entitlements, Code Signing
- iOS Kernel Reversing
- Structure of the Kernel Binary
- Finding Important Structures
- Porting Symbols
- Closed Source Kernel Parts and How to analyze them
- iOS Kernel Debugging
- Panic Dumps
- Using the KDP Kernel Debugger (hands on tasks limited to 30 pin devices)
- Extending the Kernel Debugger (KDP++)
- Debugging with own Patches
- Kernel Heap Debugging/Visualization (new software package)
- iOS Kernel Heap
- In-Depth Explanation of How the Kernel Heap works (including all the changes in iOS 10.x)
- Different techniques to control the kernel heap layout (including non-public ones)
- About the heap randomness in iOS >= 9.2
- All the changes to the heap with iOS 10
- iOS Kernel Exploit Mitigations
- Discussion of all the iOS Kernel Exploit Mitigations introduced
- Discussion of various weaknesses in these protections
- iOS Kernel Vulnerabilities and their Exploitation
- Walkthrough through exploitation of multiple prior known iOS memory corruption vulnerabilities
- Overview over different vulnerability types commonly found in iOS kernel and exploit strategies
- Part of the training will be to reimplement bits and pieces of an iOS 10.2 kernel exploit
- iOS Kernel Jailbreaking
- Discussion of the Kernel Patch Protection in 64 bit iOS devices and new iPhone 7 protections
- Discussion of Kernel Patches applied by recent iOS Jailbreaks
- Discussion of differences between 32 bit and 64 bit patches
- Handling of New Devices
- Discussion of necessary steps to port exploits from old to new devices
- All students will take home an iPod Touch 16GB (64 bit) with a retail value of now 229,- EUR
(these iPods are jailbroken on iOS 10.x for the hands-on during the training).
- The whole training material (multiple hundred slides) will be handed to the students in digital form.
- In addition the training material of our previous course will be handed in digital form.
- Trainees will get a license for the Antid0te software and scripts that are used during
the training that allows usage but not redistribution of said software.
- Student Requirements
- This course will not give an introduction to ARM basics. The trainee is
required to understand basic ARM assembly. It is not required to have
previous experience with ARM64 cpus, because their differences are
discussed within the training. There is a short refresher inside the
training. Low level ARM CPU knowledge will be helpful,
but is not required for this course - part of it will be explained within
- This course will not give basic introduction to exploitation or ROP.
Trainees are required to know concepts like ROP or buffer overflows,
integer overflows, etc...
- About 3 weeks before the training trainees will receive a paper that
covers introductory information. Trainees are required to read and
work through this document in order to ensure that all software is
correctly installed and some basics are understood.
- Due to new EU export regulations on so called "Intrusion Software Technology"
all exploitation trainings are subject to export control. This means we can
currently only accept students from EU, Switzerland, USA, Canada, Japan, Norway,
Lichtenstein, New Zealand, Australia.
- Hardware Requirements
- An Apple Mac Notebook is required in order to run Mac OS Sierra and XCode.
- Training hands-on exercises will be performed on devices provided by Antid0te.
It is not required for students to bring their own iOS devices.
- Every student will be handed an iPod Touch 16GB at the beginning
of the training that they will work on and can take home after the training.
- Students can optionally bring their own iOS device for experiments.
But for best results these devices should run an iOS version which has a public
jailbreak for it.
- Students are not required to bring iOS serial cables for older devices to the
training, because these will be provided by Antid0te if required.
- Software Requirements
- Legal IDA Pro 6.x license (ARM64 support required) / Hopper use at own risk not recommended
- Hexrays for ARM helpful, but not required
- BinDiff for IDA helpful, but not required
- Mac OS X 10.12, with latest XCode and iOS 10.x SDK (or newer)
- Additional Software will be made available during the training
The training will be held at the H4 Hotel Berlin Alexanderplatz (Germany). The hotel is located near the Alexanderplatz in Berlin, which is easily reachable with public transportation from many parts of Berlin. The hotel was previously known as RAMADA Hotel.
H4 Hotel Berlin - Alexanderplatz
No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.
We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.
|Early Bird (before 1st August)
|Regular (before 30th October)
|Late (after 30th October)
The training ticket price include daily lunch, morning and afternoon coffee breaks, free soft drinks in the training room.
If you have further questions or want to register for this training please contact us by e-mail email@example.com. Please notice that signup, billing and execution of the training is performed by Antid0te SG (haftungsbeschränkt).
In-House Training / Conferences / Additional Trainings
If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail firstname.lastname@example.org.