iOS 16 and MacOS Ventura Userspace Exploitation

August 2023

## Abstract

The iOS 16 and MacOS Ventura Userspace Exploitation Training course is a new version of our previous userspace exploitation training. It uses the close relationship between iOS and ARM64 MacOS to provide a better hands-on training experience, using ARM64 MacOS devices instead of iOS devices for easier handling and debugging. In this course we will learn how to attack not only applications and daemons but also more complex targets like Apple's iMessage and Safari.

In this four day training participants will take a deep dive into topics related to iOS 16 and MacOS Ventura userspace level exploitation. This starts with an introduction to the specifics of the iOS platform so that trainees with or without deep knowledge of iOS are on the same track. The following days will then concentrate on real world vulnerabilities in applications, daemons, services, WebKit and Apple's iMessage.

This all new 4 day course is targeted at intermediate to advanced exploit developers who want to switch over to iOS or learn how to deal with modern iOS userspace targets. For each topic we have selected a number of previously disclosed real world vulnerabilities so that students can learn from real examples and not only via mockup bugs.

The training exercises will be performed on a mixture of devices. We recommend ARM64 MacOS devices because they are very similar to iOS target devices but allow for far better handling and debugging. Additionally, older devices with jailbreaks for current iOS versions can be used.

The goal of this training is to enable trainees to find and exploit new vulnerabilities in iOS userspace programs despite the newest mitigations.
## Key Learning Objectives

* The specifics of exploiting iOS applications
* How closely MacOS ARM64 and iOS are related, and what the differences are from an exploitation point of view
* How to attack iOS applications on the most recent hardware

## Detailed Agenda

#### Introduction

* How to set up your Mac and device for vulnerability research and exploit development
* iOS userspace memory layout
* Dynamic loading: frameworks, libraries and ASLR
* iOS sandboxing and inter-process communication
* Userspace exploit mitigations
* Userspace attack surface

#### Objective-C and Swift

* Exploitation strategies for Objective-C targets
* Exploitation strategies for Swift targets

#### iOS Userland Debugging

* Using the iOS userland debugger for vulnerability research
* How to deal with iOS anti-debugging tricks

#### iOS Userland Heap

* Discussion of the iOS userland heap implementation
* Discussion of other heap implementations in our targets
* Introduction of a new iOS userland heap visualization toolset

#### MIG and Other Forms of IPC

* Introduction to MIG/IPC
* Understanding the MIG/IPC architecture and its attack surface
* Mach messages
* Fuzzing and exploitation of MIG services

#### XPC Services

* Introduction to XPC services
* Understanding the XPC architecture and attack surface
* Understanding target specific mitigations
* XPC serialization / deserialization
* Fuzzing XPC services
* Exploiting XPC services

#### WebKit Exploitation

* Introduction to WebKit and its architecture
* Understanding the attack surface
* Understanding target specific mitigations
* Introspection and instrumentation
* Fuzzing WebKit
* Exploiting WebKit

#### iMessage Exploitation

* Introduction to iMessage and its architecture
* Understanding the attack surface
* Understanding target specific mitigations
* Introspection and instrumentation
* Fuzzing iMessage
* Exploiting iMessage

## Who Should Attend

Intermediate to advanced exploit developers who want to learn about iOS and MacOS.

## Knowledge Prerequisites

* The course will start with an introduction to the specifics of the iOS platform and is therefore suited for trainees with and without iOS userspace exploitation basics
* This course is an advanced exploitation course; it is therefore assumed that all students are familiar with ARM64 exploitation or reverse engineering
* Basic understanding of exploitation
* C and Python programming knowledge
* Basic knowledge of ARM64 assembly

## Hardware Requirements

* An Apple Silicon Mac ARM64 notebook/desktop is required
* It must be powerful enough to run ARM64 VMs
* Devices running iOS can be used if they are jailbroken and are running at least iOS 15

## Software Requirements

* MacOS Ventura with the latest Xcode and iOS SDK
* Disassembler that supports up to date iOS and MacOS binaries (e.g. IDA, Ghidra)
* Use what you are most comfortable with, but ensure it supports iOS 16 and MacOS Ventura binaries
* MacOS ARM64 virtualisation, e.g. via VirtualBuddy
Stefan Esser
Antid0te UG

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released many advisories about vulnerabilities in software like CVS, Samba, OpenBSD and Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook. In 2013 he founded Antid0te UG, a company that focuses on iOS security research and consulting.