iOS Sandbox Escape Vulnerabilities and Exploitations


Team Pangu

Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for its multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents its latest research at well-known security conferences including BlackHat, CanSecWest, SyScan, POC, and Ruxcon.

Training Dates

25 - 27 March 2019


In this training we will begin by introducing basic knowledge of the iOS architecture and ARM64, and how to set up a testing environment. Then we will cover the Mach-O format in detail and how to analyze the dyld_shared_cache file; we will also write some IDA scripts to help with this. After that we go through Objective-C internals to get a better understanding of how to reverse engineer Objective-C code. The next chapter is very important: we will discuss how Apple designs its IPC mechanisms for iOS, since we have to understand how ports, Mach messages, and XPC work. We will also cover user-space heap management, which is needed for the later exploitation exercises.

Now it's time to take a look at real-world vulnerabilities. We will introduce the typical bug types as well as some known bugs from the past, and analyze them in detail. Then we will see what mitigations Apple adds to stop exploits; in this part we will also talk about how to find ROP and JOP gadgets. In the last part of the training, we pick three different types of bugs and develop fully functional exploits for them. Through these exercises, we can see how a real exploit is developed from start to finish.


Day 1

  • Introduction
  • Basic Knowledge
    • iOS Architecture
      • Sandbox
      • Launchd
    • Attack Surface
    • ARM64 Basics
    • Environment Setup
      • Develop
      • Debug
  • Mach-O & Caches
    • Mach-O Format
    • dyld_shared_cache
      • Format
      • IDA Scripts
  • Runtime
    • Objective-C
    • Reverse Engineering
      • objc_msgSend
      • Block
  • IPC
    • Port
    • Mach Message
    • XPC
    • Daemon Analysis
    • Exercise
  • Heap Management
    • Nano/Tiny/Small/Large
    • CF*/NS*/xpc*/OOL Objects
    • Exercise

Day 2

  • Vulnerability
    • Bug Types
    • Known Bugs
  • Exploitation
    • Mitigations
    • ROP & JOP
    • Post Exploitation
  • Assetsd Logical Bug
    • Bug Analysis
    • Exploit Exercise
  • Backboardd Arbitrary Memory Free Bug
    • Bug Analysis
    • Exploit Exercise

Day 3

  • Backboardd Double Free Bug
    • Bug Analysis
    • Exploit Exercise
  • XPC OOB Bug
    • Bug Analysis
    • Exploit Exercise
  • Q&A

Course Requirements

Student Requirements

  • Obj-C/C language programming ability
  • Familiar with ARM64 reverse engineering
  • Knowledge of typical vulnerabilities and exploits

Software Requirements

  • Xcode
  • IDA Pro
  • Apple account

Hardware Requirements

  • Mac laptop