macOS 15 and iOS 18 Kernel Internals for Security Researchers
Stefan Esser

This course introduces you to the low level internals of the iOS and macOS kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis/detection or kernel exploit development.

macOS 15 and iOS 18 Kernel Internals for Security Researchers // Stefan Esser

Virtual | March 9-15 | 32 Hours

BOOK NOW

ABSTRACT

This course introduces you to the low level internals of the iOS and macOS kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis/detection or kernel exploit development. While this course is concentrating on MacOS 15 on the ARM64 cpu architecture the latest security enhancements of iOS 18 and some differences to the x86_64 architecture will also be discussed. The course material has been updated from the previous runs of the training.

macOS 15 and iOS 18 Kernel Internals for Security Researchers // Stefan Esser

Virtual | March 9-15 | 32 Hours

BOOK NOW

INTENDED AUDIENCE

Cybersecurity professionals who want to learn about the internals of the macOS and iOS kernel to further their knowledge or to get a complete starter package

COURSE DETAILS

Introduction

  • Setting up a development and debugging environment
  • Developing your own kernel extensions
  • Secret of Running Kernel Extensions in Apple VMs

Low Level x64 / ARM / ARM64

  • Low level cpu details
  • Physical memory management
Kernel Source Code
  • Structure of the source code
  • How to find vulnerabilities
  • How security mitigations are implemented

Kernel Drivers/Extensions

  • IOKit / DriverKit
  • Driver attack surface

How does DriverKit work internally?

  • Kernel driver code-signing

Kernel Internals

  • Important data structures of the kernel
  • Mach-o fileformat / encryption
  • Mach messages and IPC
  • Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter

macOS System Extensions, EndpointSecurity

  • Filesystems, networking stack

Kernel Debugging

  • Panic Dumps (remote and NEW SECRET local panic dumps)
  • Built-in Kernel Debugging
  • Kernel Debugging via SECRET Apple Virtualization GDB stub
  • Debugging with own kernel extensions
  • Kernel Heap Debugging/Visualization

Kernel Heap and Memory Management

  • In-depth explanation how various memory allocators work

ARM64 Hardware Assisted Security Mitigations

  • KPP, PPL, GXF
  • KTRR/CTRR/XTRR/APRR
  • PAC, PAN
  • TXM, SPTM, etc.
BOOK NOW

Knowledge Prerequisites

  • Basic understanding of exploitation (e.g. to be able to understand purpose of mitigations)
  • Basic Knowledge of ARM64 assembly (e.g. understand simple ARM64 assembler code)

Hardware Requirements

  • ARM64 based Apple Mac computer
  • powerful enough to run MacOS within a VM
  • multiple physical Mac computers also possible but optional

Software Requirements

  • MacOS 15 with Xcode
  • VirtualBuddy for Apple VMs
  • Disassembler capable of opening the MacOS/iOS kernel binaries (Ghidra, Hopper, Binary Ninja, IDA 8.4)
  • ATTENTION: IDA 9.0 is not officially supported by our training course due to the lack of proper perpetual licensing (this means our scripts will not be adjusted to the new API)

YOUR INSTRUCTOR: Stefan Esser

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer.

In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded.

In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook. In 2013 he founded Antid0te UG a company that focuses on iOS security research and consulting.

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.
Ringzer0Ringzer0
BOOK NOW
See also
Virtual Training

The ARM64 Exploit Laboratory

An ideal introduction to vulnerability exploitation on 64-bit ARM Linux platform, spanning from ARM64 assembly all the way to ARM64 Return Oriented Programming (ROP). An ideal step up from the 32-bit ARM Exploit Laboratory.
4 min read
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated