iOS 14/15 Kernel Exploitation
Stefan Esser
Dates
7th - 10th February 2022Capacity
20Price
4.000€Description
With the release of iOS 15 Apple has once again raised the bars in terms of kernel level security. This course will introduce you to these new security enhancements and discuss them in the light of kernel exploitation of iOS 14 and iOS 15.
For 4 full days the course will teach you how to find and exploit kernel vulnerabilities for iOS 14 and iOS 15. The course is meant for trainees with prior knowledge in exploitation that want to learn how to apply their skillset against iOS.
The course will require trainees to have an own iOS device that is compatible to the checkra1n iOS 14 jailbreak (or any other iOS 14 jailbreak that might come out until the start of the course).
Topics
- Introduction
- How to set up your Mac and Device for Vuln Research/Exploit Development
- How to load own kernel modules into the iOS kernel
- How to write Code for your iDevice
- Damn Vulnerable iOS Kernel Extension
- Low Level ARM / ARM64
- Differences between ARM and ARM64
- Exception Handling
- Hardware Page Tables
- Special Registers used by iOS
- PAN and PAC (Pointer Authentication)
- ...
- iOS Kernel Source Code
- Structure of the Kernel Source Code
- Where to look for Vulnerabilities
- Implementation of Mitigations
- MAC Policy Hooks, Sandbox, Entitlements, Code Signing
- ...
- iOS Kernel Reversing
- Structure of the Kernel Binary
- Finding Important Structures
- Porting Symbols
- Closed Source Kernel Parts and How to analyze them
- ...
- iOS Kernel Debugging
- Panic Dumps
- Debugging with own Patches
- Kernel Heap Debugging/Visualization (new software package for new devices)
- iOS Kernel Heap
- In-Depth Explanation of How the Kernel Heap works (up to date for iOS 15.0)
- Different techniques to control the kernel heap layout (including non-public ones)
- Discuss weaknesses in current heap implementation
- iOS Kernel Exploit Mitigations
- Discussion of all the iOS Kernel Exploit Mitigations introduced
- Includes software and hardware based mitigations like (KTRR, KPP, PAC, PAN, APRR)
- Including newest mitigations already known in iOS 14
- Discussion of various weaknesses in these protections
- iOS Kernel Vulnerabilities and their Exploitation
- Full walkthrough through exploitation of multiple prior known iOS memory corruption vulnerabilities
- Analysis of public exploits and discussion how to improve them
- Overview over different vulnerability types commonly found in iOS kernel and exploit strategies
- Part of the training will be to reimplement bits and pieces of iOS 13/14 kernel exploits
- iOS Kernel Jailbreaking
- Discussion of how recent iOS jailbreaks work
- Handling of New Devices
- Discussion of necessary steps to port exploits from old to new devices
Training Takeaways
- The whole training material (multiple hundred slides) will be handed to the students in digital form.
- Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.
Training Requirements
- Student Requirements
- Basic understanding of exploitation
- C and Python Programming knowledge
- Knowledge of ARM64 assembly
- Hardware Requirements
- Apple Mac Notebook
- iOS device compatible with checkra1n for iOS 14
- Software Requirements
- IDA Pro 7.x license (ARM64 support required)
- Ghidra (Fully supported now)
- Hexrays for ARM64 helpful, but not required
- BinDiff for IDA helpful, but not required
- Mac OS X 11, with latest XCode and iOS 14.x SDK (or newer)
- Additional Software will be made available during the training
Bio
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook.
Stefan Esser
