Instructor: Stefan Esser (Antid0te UG/Antid0te SG)
Dates: 07th December - 11th December 2020 (Singapore Timezone)
Dates: 14th December - 18th December 2020 (EU/North America Timezone)
Venue: Online, Zoom
Availability: 20 Seats
With the release of iOS 14 Apple has once again raised the bars in terms of kernel level security. This course will introduce you to the kernel exploitation on iOS 13 and iOS 14 kernels. This course will concentrate on the latest security enhancements of iOS 14 and will discuss changes since iOS 13.
This training will be held virtually in December 2020 via Zoom Sessions with support via a Discord server. It will be perfomed twice to allow trainees accross different timezones to attend the course. For 5 days there will be daily live training sessions around 5h in length. In addition to that all trainees will receive 1-2 weeks before the course a multi hour set of introduction videos they need to work through before the course. This course is targeted at security researchers that want to learn how to find and exploit kernel vulnerabilities in iOS 14.
The course will require trainees to have an own iOS device that is compatible to the checkra1n iOS 14 jailbreak (or any other iOS 14 jailbreak that might come out until the start of the course).
The list of topics covered in the training. Please notice that this list is copied from an earlier version of the course and therefore there might be slight changes.
How to set up your Mac and Device for Vuln Research/Exploit Development
How to load own kernel modules into the iOS kernel
How to write Code for your iDevice
Damn Vulnerable iOS Kernel Extension
Low Level ARM / ARM64
Differences between ARM and ARM64
Hardware Page Tables
Special Registers used by iOS
PAN and PAC (Pointer Authentication)
iOS Kernel Source Code
Structure of the Kernel Source Code
Where to look for Vulnerabilities
Implementation of Mitigations
MAC Policy Hooks, Sandbox, Entitlements, Code Signing
iOS Kernel Reversing
Structure of the Kernel Binary
Finding Important Structures
Closed Source Kernel Parts and How to analyze them
iOS Kernel Debugging
Debugging with own Patches
Kernel Heap Debugging/Visualization (new software package for new devices)
iOS Kernel Heap
In-Depth Explanation of How the Kernel Heap works (up to date for iOS 14)
Different techniques to control the kernel heap layout (including non-public ones)
Discuss weaknesses in current heap implementation
iOS Kernel Exploit Mitigations
Discussion of all the iOS Kernel Exploit Mitigations introduced
Includes software and hardware based mitigations like (KTRR, KPP, PAC, PAN, APRR)
Including newest mitigations already known in iOS 14
Discussion of various weaknesses in these protections
iOS Kernel Vulnerabilities and their Exploitation
Full walkthrough through exploitation of multiple prior known iOS memory corruption vulnerabilities
Analysis of public exploits and discussion how to improve them
Overview over different vulnerability types commonly found in iOS kernel and exploit strategies
Part of the training will be to reimplement bits and pieces of an iOS 13 kernel exploit
iOS Kernel Jailbreaking
Discussion of how recent iOS jailbreaks work
Handling of New Devices
Discussion of necessary steps to port exploits from old to new devices
The whole training material (multiple hundred slides) will be handed to the students in digital form.
For up to 5 days after the training students can rewatch video recordings of all sessions.
Trainees will get a license for the Antid0te software and scripts that are used during
the training that allows usage but not redistribution of said software.
Basic understanding of exploitation
C and Python Programming knowledge
Knowledge of ARM64 assembly
Apple Mac Notebook
iOS device compatible with checkra1n for iOS 14
IDA Pro 7.x license (ARM64 support required)
alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool
Hexrays for ARM64 helpful, but not required
BinDiff for IDA helpful, but not required
Mac OS X 10.15/16, with latest XCode and iOS 14.x SDK (or newer)
Additional Software will be made available during the training
The training sessions will be held via Zoom video conferencing. Training sessions will be around 5 hours per training day. In addition to that trainees will get access to a few hours worth
of introductory videos.
Furthermore trainees get access to a Discord server that will be used to post information regarding the training and will be used to discuss exercises and their solution, unless those will be covered via Zoom.
All training sessions will be recorded and made available as videos until 5 days after the training. During that time trainees can rewatch sessions as often as they want.
We offer the training in an EU/North America edition and in an Singapore/Asia edition because of timezones. Unlike in person training courses when all attendees are present and share the same timezone the execution of online training courses requires some adjustments to be made to allow attendees accross different timezones to attent.
EU / North America Edition
17:00 - 22:00
16:00 - 21:00
08:00am - 01:00am
Seattle / Vancouver
11:00am - 04:00pm
New York / Montreal
10:00am - 03:00pm
11:00am - 04:00pm
01:00pm - 06:00pm
(-1 day) 06:00pm - 11:00pm
Seattle / Vancouver
(-1 day) 09:00pm - 02:00am
New York / Montreal
We offer the following rates for this training.
EU/North America Edition
3600,- EUR (excl. VAT)
If you have further questions or want to register for this training please contact us by e-mail email@example.com. Please notice that signup, billing and execution of the training is performed by Antid0te UG (haftungsbeschränkt) for the EU/North America Edition and Antid0te SG Pte. Ltd. for the Singapore Edition.
In-House Training / Conferences / Additional Trainings
If you are interested in this training, but want us to perform the training for your people, want to feature our training at your online conference or would just like to know if we provide the training again at a later time please contact us by e-mail firstname.lastname@example.org.