macOS & iOS Kernel Internals for Security Researchers
Low-level macOS/iOS kernel internals for vulnerability analysis, security research, and modern debugging workflows.
What you’ll be able to do
- Understand how XNU is structured (Mach, BSD, IOKit) and how the major subsystems fit together.
- Apply practical workflows for kernel crash triage and root-cause analysis (panic logs, call paths, and common failure modes).
- Reason about kernel attack surface across IOKit and modern driver models, including DriverKit/SystemExtensions and EndpointSecurity.
- Build a usable mental model of VM/page tables/permissions and how these concepts show up in real macOS/iOS security investigations.
- Understand Apple proprietary ARM64 hardware-assisted security mitigations (e.g. CTRR/SPRR/GLx) and how they are used in practice.
- Identify common kernel bug classes (lifetime, validation, memory corruption patterns) and where to look for them in code and interfaces.
Overview
With macOS Tahoe and iOS 26, Apple continues to harden the platform with ARM64-specific security mitigations and additional security boundaries. This training focuses on kernel internals from the perspective of a security researcher interested in vulnerability analysis, rootkit/malware analysis and detection, or general kernel security topics.
The goal is not just to list subsystems, but to build a practical mental model you can use when you debug crashes, audit attack surface, or reason about mitigations. We walk through how the major parts of XNU fit together (Mach, BSD, IOKit) and how data flows across kernel boundaries in real systems. Throughout the course we connect “what the kernel is doing” to the bug classes and failure modes that matter in practice: memory corruption, lifetime issues, validation mistakes, and security boundary assumptions.
The format is lecture-driven with daily hands-on tasks. After each session you work on exercises, and the next day starts with solution discussion and common pitfalls. That structure helps you build repeatable workflows instead of memorizing trivia.
Syllabus (PDF)
Download the syllabus PDF: Syllabus (PDF)
Training format
- Live online via Zoom
- Around 5 hours of live lecture per day plus breaks
- After each day: tasks/exercises to work on
- Next session starts with discussion of solutions and pitfalls
Topics
The following list of topics shows what will be covered by the course.
Introduction
- Setting up a development and debugging environment
- Developing kernel extensions, and how that compares to modern alternatives such as system extensions
- Running kernel extensions in Apple virtual machines, including constraints and practical workarounds (details provided during the training)
Low-level x86_64 / ARM64 foundations
- CPU details relevant to kernel work
- Exception handling and control flow (as needed for debugging and analysis)
- Physical memory management concepts
- Hardware page tables and memory permissions
- Apple and iOS specific system registers and concepts used in practice
- PAN, PAC (Pointer Authentication) and MTE, and what they change for analysis and debugging
Drivers and extensions
- IOKit fundamentals and attack surface patterns
- DriverKit and SystemExtensions: what changed and what it means for security work
- EndpointSecurity and common inspection/control points
- Code signing and trust decisions for drivers and related components
Kernel internals
- Important kernel data structures you will encounter during analysis
- Mach-O basics relevant to kernel and system components
- Mach messages and IPC at a security-relevant level
- Security subsystems overview: sandboxing, MAC policy hooks, code signing, kauth, socket filters
- Filesystems and networking stack (security-relevant view)
Kernel debugging
- Panic logs and practical crash triage
- Built-in kernel debugging facilities and how to use them effectively
- VM-based debugging
- Debugging via Apple Virtualization framework using a GDB stub (details provided during the training)
- A repeatable approach for inspection and root cause analysis
- Kernel heap debugging and visualization techniques
Kernel heap
- How kernel allocations work in practice
- Modern kalloc zones and common bug classes
- Typical lifetime issues, validation mistakes, and memory corruption patterns
Apple proprietary ARM64 hardware-assisted mitigations
- KTRR / CTRR / XTRR and related concepts
- APRR / SPRR style permission models (overview and practical implications)
- PPL and GXF, and how they affect kernel behavior and analysis
- How these mitigations are used by the kernel in real scenarios
Newer security components overview
- High-level overview of SPTM, TXM, SK and Exclaves
- How these components relate to the kernel and to platform security boundaries
Training takeaways
- Training material (slides) is handed out in digital form.
- Recordings are available for a limited time after the training.
- Trainees receive a license for Antid0te tooling/scripts used during the training (usage allowed, redistribution not allowed).
Training requirements
Student requirements
- Basic understanding of exploitation (note: not an exploitation training)
- C and Python programming knowledge
- Basic knowledge of x86_64 and/or ARM64 assembly
Hardware requirements
- Apple Mac capable of running the latest macOS inside a virtual machine (needs to be able to boot in recovery mode)
- Enough disk space to run VMs
Software requirements
- Disassembler capable of understanding ARM64/x86_64 macOS/iOS binaries (IDA, Ghidra, Binary Ninja)
- macOS Sequoia/Tahoe with Xcode and iOS SDK (or newer)
- VirtualBuddy (ARM64) / VM-based tooling as required
- Additional software will be provided during the training
Virtual venue
The sessions are held via Zoom. Trainees also get access to a Discord server used for information and exercise discussions. Recordings are made available for a limited time after the training.
Timezones
We offer this training in an EU/North America edition and an APAC edition. Live lecture blocks are followed by hands-on exercises trainees complete before the next day.
EU/North America edition (one 5-hour live block per day):

| Local time | Location |
|---|---|
| 17:00 – 22:00 | Berlin |
| 16:00 – 21:00 | London |
| 08:00 – 13:00 | Seattle / Vancouver |
| 11:00 – 16:00 | New York / Montreal |
| 23:00 – 04:00 (+1) | Singapore |
| 01:00 – 06:00 (+1) | Sydney |

APAC edition (two live blocks per day with a break in between):

| Local time | Location |
|---|---|
| 10:00 – 12:30 / 13:30 – 16:00 | Singapore (SGT) |
| 09:00 – 11:30 / 12:30 – 15:00 | Bangkok / Jakarta |
| 11:00 – 13:30 / 14:30 – 17:00 | Tokyo / Seoul |
| 12:00 – 14:30 / 15:30 – 18:00 | Sydney / Melbourne |
| 07:30 – 10:00 / 11:00 – 13:30 | India |
| 14:00 – 16:30 / 17:30 – 20:00 | Auckland / Wellington |
Pricing
We offer the following prices for the training.
| Currency | Price |
|---|---|
| EUR | 4500,- EUR |
| SGD | 6500,- SGD |
| USD | 5000,- USD |
Payment is possible via international bank transfer or via credit card (Stripe). We usually charge in SGD, but can charge in EUR and USD if requested.
Register
If you have questions or want to register for this training, email us. Signup, billing and execution of the training are handled by Antid0te SG Pte. Ltd.
Private / in-house sessions
If none of the scheduled dates fit your timezone, or you want a private company session (remote or on-site), email us with your preferred time window, headcount, and topic focus.