For years the SektionEins and Antid0te iOS Kernel Exploitation Trainings have been so successful that former trainees, as well as tricks, techniques and vulnerabilities from the training, have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 jailbreaks use techniques that are also taught in our trainings. Furthermore, several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases, or have even joined Apple as employees. However, Apple's internal development of the iOS kernel never stands still, and they keep adding new security mitigations to defeat previously used attacks.

With the upcoming release of iOS 12 Apple introduces a huge number of security relevant changes to the iOS kernel, from the binary layout to the implementation of the kernel heap, the sandbox and code signing. iOS researchers have, for example, called it the biggest modification to the iOS kernel heap in a long time. Our training will discuss all these changes in iOS 12.

This training takes place at the end of September 2018 in Singapore and was redesigned by our Singaporean partner company Antid0te SG Pte. Ltd. to contain new material that builds on more vulnerabilities that were made public in recent years and the corresponding public exploit source code. It is a full 5-day course and is targeted at exploit developers who want to switch over to iOS and could not come to our training course in Germany.

The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.

Student Pre-requisite

  • This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. It is not required to have previous experience with ARM64 CPUs, because their differences are discussed within the training, and there is a short refresher inside the training. Low level ARM CPU knowledge will be helpful, but is not required for this course - part of it will be explained within the course.
  • This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.
  • This is a new version of the training that incorporates more public examples of vulnerabilities and exploits - export restrictions do not apply for this special version of the training.

Software Requirement

  • Legal IDA Pro 6.x license (ARM64 support required); alternatively Hopper/Binary Ninja can be used, but script support varies by tool
  • Hex-Rays for ARM helpful, but not required
  • BinDiff for IDA helpful, but not required
  • Mac OS X 10.13, with latest Xcode and iOS 11.x SDK (or newer)
  • Additional software will be made available during the training

Hardware Requirement

  • An Apple Mac notebook is required in order to run OS X Yosemite and Xcode.
  • Training hands-on exercises will be performed on devices provided by Antid0te. It is not required for students to bring their own iOS devices.
  • Every student will be handed an iPod Touch 16GB at the beginning of the training that they will work on - these devices remain the property of Antid0te SG Pte. Ltd.
  • Students can optionally bring their own iOS device for experiments. For best results, however, these devices should run an iOS version that has a public jailbreak.

Course Outline

The following list of topics shows what is usually covered by the course.

  • How to set up your Mac and device for vulnerability research/exploit development
  • How to load your own kernel modules into the iOS kernel
  • How to write code for your iDevice
  • Damn Vulnerable iOS Kernel Extension

Low Level ARM / ARM64

  • Differences between ARM and ARM64
  • Exception Handling
  • Hardware Page Tables
  • Special Registers used by iOS
  • PAN and Pointer Authentication
  • ...

iOS Kernel Source Code

  • Structure of the Kernel Source Code
  • Where to look for Vulnerabilities
  • Implementation of Mitigations
  • MAC Policy Hooks, Sandbox, Entitlements, Code Signing
  • ...

iOS Kernel Reversing

  • Structure of the Kernel Binary
  • Finding Important Structures
  • Porting Symbols
  • Closed Source Kernel Parts and How to Analyze Them
  • ...

iOS Kernel Debugging

  • Panic Dumps
  • Using the KDP Kernel Debugger (hands-on tasks limited to 30-pin devices)
  • Extending the Kernel Debugger (KDP++)
  • Debugging with your own Patches
  • Kernel Heap Debugging/Visualization (new software package)

iOS Kernel Heap

  • In-depth explanation of how the kernel heap works (including all the changes in iOS 12)
  • Different techniques to control the kernel heap layout (including non-public ones)
  • Discussion of weaknesses in the current heap implementation

iOS Kernel Exploit Mitigations

  • Discussion of all the iOS kernel exploit mitigations introduced
  • Discussion of various weaknesses in these protections

iOS Kernel Vulnerabilities and their Exploitation

  • Full walkthrough of the exploitation of multiple previously known iOS memory corruption vulnerabilities
  • Analysis of public exploits and discussion of how to improve them
  • Overview of the different vulnerability types commonly found in the iOS kernel and the corresponding exploit strategies
  • Part of the training will be to reimplement bits and pieces of an iOS 11 kernel exploit

iOS Kernel Jailbreaking

  • Discussion of the kernel patch protections KTRR / KPP
  • Discussion of how recent iOS jailbreaks deal with kernel patch protection

Handling of New Devices

  • Discussion of the necessary steps to port exploits from old to new devices

Training Takeaways

  • The whole training material (several hundred slides) will be handed to the students in digital form.
  • Trainees will get a license for our software and scripts that are used during the training; it allows usage but not redistribution of said software.

About Instructor

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook. Since then he has focused on the security of the macOS and iOS kernel and teaches these topics in trainings all around the world.