Instructor: Stefan Esser (Antid0te UG/Antid0te SG)
Dates: 13th September - 17th September 2021 (EU/North America Timezone)
Venue: Online, Zoom
Availability: 20 Seats
Language: English
With the release of MacOS Big Sur and iOS 14, Apple has once again raised the bar for kernel-level security. This course introduces you to the low-level internals of the MacOS and iOS kernels from the perspective of a security researcher interested in kernel-level vulnerability analysis, kernel rootkit/malware analysis and detection, or driver development. While the course concentrates on MacOS Big Sur on the x64 CPU architecture, the latest security enhancements of iOS 14 will also be discussed. The course material has been updated to cover the latest security features of MacOS Big Sur and iOS 14.
This training will be held virtually in September 2021 via Zoom sessions, with support via a Discord server. It will be performed twice so that trainees across different timezones can attend. On each of the 5 days there will be a live training session of around 5 hours. In addition, 1-2 weeks before the course all trainees will receive a multi-hour set of introductory videos that they need to work through before the course starts. This course is targeted at security researchers who want to dive into MacOS or iOS kernel security topics.
The course focuses on the MacOS side, and therefore all training exercises will be performed on MacOS Big Sur. However, iOS-specific security details will also be covered wherever they differ from the MacOS approach.
Topics
The following list of topics shows what will be covered by the course.
Introduction
  - Setting up a development and debugging environment
  - Developing your own kernel extensions (kext vs. SystemExtensions)
Low Level x64 / ARM64
  - Low-level CPU details
  - Physical memory management
  - Exception handling
  - Hardware page tables
  - Special registers used by iOS
  - PAN and PAC (Pointer Authentication)
  - ...
Kernel Source Code
  - Structure of the kernel source code
  - Where to look for vulnerabilities
  - Implementation of mitigations
  - ...
Kernel Drivers/(System)Extensions
  - IOKit
  - DriverKit / SystemExtensions
  - EndpointSecurity
  - Driver attack surface
  - Kernel driver code signing
  - ...
Kernel Internals
  - Important data structures of the kernel
  - Mach-O file format / encryption
  - Mach messages and IPC
  - Security: MAC policy hooks, Sandbox, code signing, Kauth, socket filters
  - Filesystems, networking stack
  - ...
Kernel Debugging
  - Panic dumps
  - Built-in kernel debugging / VMware-based debugging
  - Debugging with your own kernel extensions
  - Kernel heap debugging/visualization
Kernel Heap
  - In-depth explanation of how the kernel heap works
  - Covers the NEW Big Sur / iOS 14 kernel heap
  - Discussion of weaknesses in the current heap implementation
Kernel Exploit Mitigations
  - Discussion of all the iOS kernel exploit mitigations introduced so far
  - Includes software- and hardware-based mitigations (KTRR, KPP, PAC, PAN, APRR)
  - Including the newest mitigations already known in iOS 14
  - Discussion of various weaknesses in these protections
Kernel Rootkits
  - Discussion of data structures previously hooked / abused by MacOS rootkits
  - Rootkits and their detection in light of SystemExtensions and EndpointSecurity
Training Takeaways
The whole training material (several hundred slides) will be handed to the students in digital form.
For up to 5 days after the training, students can rewatch video recordings of all sessions.
Trainees will receive a license for the Antid0te software and scripts used during the training; the license allows usage but not redistribution of said software.
Training Requirements
Student Requirements
Basic understanding of exploitation
C and Python Programming knowledge
Knowledge of X64 assembly
Hardware Requirements
Apple Mac notebook capable of running the latest MacOS within VMware
Enough hard disk space to run VMs
Software Requirements
IDA Pro 6.x/7.x license (X86_64 and ARM64 support required)
Ghidra (Fully supported now)
Hexrays for X86_64/ARM64 helpful, but not required
BinDiff for IDA helpful, but not required
Mac OS X 10.15/16, with the latest Xcode and iOS 14.x SDK (or newer)
VMware Fusion
Additional Software will be made available during the training
Virtual Venue
The training sessions will be held via Zoom video conferencing. Training sessions will be around 5 hours per training day. In addition to that, trainees will get access to a few hours' worth of introductory videos.
Furthermore, trainees get access to a Discord server that will be used to post information regarding the training and to discuss the exercises and their solutions, unless those are covered via Zoom.
All training sessions will be recorded and made available as videos until 5 days after the training. During that time trainees can rewatch sessions as often as they want.
Timezones
We offer the training in an EU/North America edition. For other timezones please enquire. Unlike in-person training courses, where all attendees are present in one place and share the same timezone, online training courses require some adjustments to allow attendees across different timezones to attend.
EU / North America Edition
  Berlin:              17:00 - 22:00
  London:              16:00 - 21:00
  Seattle / Vancouver: 08:00am - 01:00pm
  New York / Montreal: 11:00am - 04:00pm
Pricing
We offer the following rates for this training.
  EUR: 3750,- EUR (excl. VAT)
  SGD: 6000,- SGD
  USD: 4500,- USD
Register
If you have further questions or want to register for this training, please contact us by e-mail at training@antid0te.com. Please note that signup, billing and execution of the training are performed by Antid0te SG Pte. Ltd.
In-House Training / Conferences / Additional Trainings
If you are interested in this training but want us to perform it for your own staff, want to feature our training at your online conference, or would just like to know whether we will offer the training again at a later time, please contact us by e-mail at training@antid0te.com.