IOS 12 KERNEL EXPLOITATION

3-6 August 2019, Excalibur, Las Vegas

Stefan Esser

Abstract

For years the SektionEins and Antid0te iOS Kernel Exploitation Trainings have been so successful that former trainees, as well as tricks, techniques and vulnerabilities from the training, have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 jailbreaks use techniques that are also taught in our trainings. Furthermore, several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases, or have even joined Apple as employees. With the help of Ringzer0 trainings we can finally offer this training in Las Vegas.

Because Apple's internal development of the iOS kernel never stands still, and Apple keeps adding new security mitigations to defeat previously used attacks, the training is under constant development. For iOS 12 Apple has once again added a number of changes and mitigations that were not covered in our previous courses and have not yet been documented anywhere in public. Furthermore, we have added a number of new tools to our iOS toolkit that help during kernel research and kernel exploit development for newer devices.

During the training we will make devices running iOS 12.x available to the trainees for the hands-on tasks, because these tasks can only be performed on devices that still have the required vulnerabilities.

Course Topics

  • Introduction
    • How to set up your Mac and iOS Device for Vuln Research/Exploit Development
    • How to load own kernel modules into the iOS kernel
    • How to write Code for your iDevice
  • Low Level ARM64
    • Low level ARM64 features required for exploitation
    • Hardware Assisted Security Mitigations (e.g. iPhone 7+ PAN, iPhone XS PAC)
  • iOS Kernel Debugging
    • Panic Dumps
    • Working around the lack of KDP Kernel Debugging
    • Kernel Heap Debugging/Visualization
  • iOS Kernel Vulnerability Types
    • Discussion of different kernel vulnerability types
    • Exploitation strategies for different types
  • iOS Kernel Heap Exploitation
    • How the iOS 12 Kernel Heap works
    • Controlling the Kernel Heap on iOS 12
    • Exploitation of Kernel Heap Vulnerabilities on iOS 12
  • iOS Kernel Exploit Mitigations
    • Discussion of Mitigations and how to bypass them in exploits
    • Discussion of Kernel Patch Protection
  • iOS Kernel Vulnerabilities
    • Discussion and exploitation of several Kernel Vulnerabilities from the last years
  • iOS Kernel Jailbreaking
    • What was patched in earlier jailbreaks
    • Data-only workarounds for previous patches

Pre-requisites

Students must have prior knowledge of exploitation (basics will not be taught) and must be capable of understanding and programming exploits in C. Students will get an introduction to the low level ARM/ARM64 specifics as used by iOS as part of the course.

Hardware Requirements

  • MacBook capable of running the latest OS X / macOS
  • Students can optionally bring their own jailbroken iOS device on 11.x/12.x

Software Requirements

  • IDA Pro (Hopper or alternatives partially usable)
  • Latest macOS
  • Xcode