iOS 12/13 Kernel Exploitation Training (October 2019)


Posted: by Stefan Esser   |  More posts about Blog Training iOS Kernel Exploitation
/images/exploit_training.jpg
Instructor: Stefan Esser (Antid0te SG Pte. Ltd.)
Dates: 21th October - 25th October 2019 (5 days)
Venue: Novotel Clarke Quay, Singapore
Availability: 10 Seats
Language: English

The SektionEins and Antid0te iOS Kernel Exploitation Trainings in 2014-2019 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 and iOS 12 jailbreaks use some techniques that have been part of our training material since before they ever were used publicly. Furthermore several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or even joined Apple as employees. However Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.

With the release of iOS 13 Apple will once again raise the bars in the world of iOS exploitation by introducing new software and hardware based mitigation. Because of this the training will shift its focus to these newly introduced mitigations so that trainees learn to deal with these up to date protections.

This training will be in October 2019 in Singapore (if the date is inconvenient for you the same training will be done in Berlin one months later). It will be happening between October 21st and October 25th 2019 in a hotel in Singapore that will be announced soon. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.

The training excercises will be performed on a mixture of devices running on iOS 12.x. Some of these devices will be 64bit iPod touch (6th Gen) 32 GB devices that the trainees will take home after the training. However we will also give the trainees access to more modern devices to test out new hardware based mitigations like the ARM v8.3 pointer authentication.

The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.

Topics

The following list of topics shows what is usually covered by the course.

  • Introduction
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • How to load own kernel modules into the iOS kernel
    • How to write Code for your iDevice
    • Damn Vulnerable iOS Kernel Extension
  • Low Level ARM / ARM64
    • Differences between ARM and ARM64
    • Exception Handling
    • Hardware Page Tables
    • Special Registers used by iOS
    • PAN and PAC (Pointer Authentication)
    • ...
  • iOS Kernel Source Code
    • Structure of the Kernel Source Code
    • Where to look for Vulnerabilities
    • Implementation of Mitigations
    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing
    • ...
  • iOS Kernel Reversing
    • Structure of the Kernel Binary
    • Finding Important Structures
    • Porting Symbols
    • Closed Source Kernel Parts and How to analyze them
    • ...
  • iOS Kernel Debugging
    • Panic Dumps
    • Debugging with own Patches
    • Kernel Heap Debugging/Visualization (new software package for new devices)
  • iOS Kernel Heap
    • In-Depth Explanation of How the Kernel Heap works (up to date for iOS 13)
    • Different techniques to control the kernel heap layout (including non-public ones)
    • Discuss weaknesses in current heap implementation
  • iOS Kernel Exploit Mitigations
    • Discussion of all the iOS Kernel Exploit Mitigations introduced
    • Includes software and hardware based mitigations like (KTRR, KPP, PAC, PAN, APRR)
    • Including newest mitigations already known in iOS 13
    • Discussion of various weaknesses in these protections
  • iOS Kernel Vulnerabilities and their Exploitation
    • Full walkthrough through exploitation of multiple prior known iOS memory corruption vulnerabilities
    • Analysis of public exploits and discussion how to improve them
    • Overview over different vulnerability types commonly found in iOS kernel and exploit strategies
    • Part of the training will be to reimplement bits and pieces of an iOS 12 kernel exploit
  • iOS Kernel Jailbreaking
    • Discussion of how recent iOS jailbreaks work
  • Handling of New Devices
    • Discussion of necessary steps to port exploits from old to new devices

Training Takeaways

  • All students will take home an iPod Touch 32GB (64 bit) 6th generation that had a retail value of 229,- EUR (these iPods are running iOS 12.x for some of the hands-on during the training).
  • The whole training material (multiple hundred slides) will be handed to the students in digital form.
  • Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software. This software is currently going through a complete cleanup and modernization to ensure compatibility with all new devices

Training Requirements

  • Student Requirements
    • This course will not give an introduction to ARM assembly basics. The trainee is required to understand basic ARM64 assembly. It is not required to have previous lowe level experience with ARM64 cpus, because the necessary information is discussed within the training. Low level ARM64 CPU knowledge will be helpful, but is not required for this course - all necessary parts will be explained within the course.
    • This course will not give basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP or buffer overflows, integer overflows, etc...
    • About 3 weeks before the training trainees will receive a booklet that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood. NOTE: In order to fit more topics and hands on excercises into the training this booklet now contains 4h worth of material that previously was worked through on day 1 of the training.
  • Hardware Requirements
    • An Apple Mac Notebook is required in order to run MacOS and XCode.
    • Training hands-on exercises will be performed on devices provided by Antid0te. It is not required for students to bring their own iOS devices.
    • Every student will be handed an iPod Touch 32GB at the beginning of the training that they will work on and can take home after the training.
    • Further more modern iOS devices will be provided throughout the course for gaining experience with hardware mitigations like PAN or PAC.
    • Students can optionally bring their own iOS device for experiments. But these devices need to be jailbroken on iOS 12.
  • Software Requirements
    • IDA Pro 6.x/7.x license (ARM64 support required)
    • alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool
    • Hexrays for ARM64 helpful, but not required
    • BinDiff for IDA helpful, but not required
    • Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)
    • Additional Software will be made available during the training

Venue

The training will be held at Novotel Clarke Quay (Singapore). The Novotel is located near Clarke Quay MRT (purple line) and near Fort Canning (downtown line) in Singapore.

Address:
Novotel Singapore Clarke Quay
177A River Valley Rd
Singapore 179031



No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.

Pricing

We offer the following rates for this training. Please understand that Antid0te SG is not yet required to register for GST in Singapore and therefore attendees do not have to pay GST on top of the base price.

  Price
Early Bird (before 5th August) S$ 5500
Regular (After 5th August) S$ 6000

The training ticket price includes daily lunch, morning and afternoon coffee breaks.

Register

If you have further questions about this training or want to register please contact us by e-mail training@antid0te-sg.com.

In-House Training / Conferences / Additional Trainings

If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail training@antid0te-sg.com.