iOS 12 Kernel Exploitation

Abstract

For years the SektionEins and Antid0te iOS Kernel Exploitation Trainings have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 jailbreaks use techniques that are also taught in our trainings. Furthermore several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or even joined Apple as employees. With the help of Ringzer0 trainings we can finally offer this training in Las Vegas.

Because Apple's internal development of the iOS kernel never stands still, and Apple keeps adding new security mitigations to defeat previously used attacks, the training is under constant development. For iOS 12 Apple has once again added a number of changes and mitigations that were not covered in our previous courses and have not yet been documented anywhere in public. Furthermore, we have added a number of new tools to our iOS toolkit that help during kernel research and kernel exploit development for newer devices.

During the training we will make devices running iOS 12.x available to the trainees for the hands-on tasks, since these tasks can only be performed on devices that still have the relevant vulnerabilities.

Course Topics

  • Introduction
    • How to set up your Mac and iOS Device for Vuln Research/Exploit Development
    • How to load own kernel modules into the iOS kernel
    • How to write Code for your iDevice
  • Low Level ARM64
    • Low level ARM64 features required for exploitation
    • Hardware Assisted Security Mitigations (e.g. iPhone 7+ PAN, iPhone XS PAC)
  • iOS Kernel Debugging
    • Panic Dumps
    • Working around the lack of KDP Kernel Debugging
    • Kernel Heap Debugging/Visualization
  • iOS Kernel Vulnerability Types
    • Discussion of different kernel vulnerability types
    • Exploitation strategies for different types
  • iOS Kernel Heap Exploitation
    • How the iOS 12 Kernel Heap works
    • Controlling the Kernel Heap on iOS 12
    • Exploitation of Kernel Heap Vulnerabilities on iOS 12
  • iOS Kernel Exploit Mitigations
    • Discussion of Mitigations and how to bypass them in exploits
    • Discussion of Kernel Patch Protection
  • iOS Kernel Vulnerabilities
    • Discussion and exploitation of several Kernel Vulnerabilities from the last years
  • iOS Kernel Jailbreaking
    • What was patched in earlier jailbreaks
    • Data-only workarounds for previous patches

Pre-requisites

Students must have prior knowledge of exploitation (basics will not be taught) and must be capable of understanding and programming exploits in C. Students will get an introduction to the low-level ARM/ARM64 specifics used by iOS as part of the course.

Hardware Requirements

  • MacBook capable of running the latest OS X / macOS
  • Students can optionally bring their own jailbroken iOS device on 11.x/12.x

Software Requirements

  • IDA Pro (Hopper or alternatives partially usable)
  • Latest MacOS
  • Xcode

Stefan Esser

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer.

In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded.

In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook. In 2013 he founded Antid0te UG, a company that focuses on iOS security research and consulting.