iOS 16 and MacOS Kernel Exploitation


Posted by Stefan Esser
Instructor: Stefan Esser (Antid0te SG)
Dates: 15th May - 19th May 2023
Venue: Singapore, TBA
Availability: 10 Seats
Language: English

With the release of iOS 16 Apple has once again raised the bar in terms of kernel level security. This course will introduce you to kernel exploitation on iOS 16 kernels. It will concentrate on the latest security enhancements of iOS 16 while performing exploitation tasks on MacOS ARM64 devices.

This training is an in-person, full five day training in April 2023 in Singapore. Two weeks before the training, trainees will be given some basic introductory material that they need to work through before the course starts. This course is targeted at security researchers who want to learn how to find and exploit kernel vulnerabilities in iOS 16.

The course will require trainees to have their own MacOS ARM64 device, on which we will perform most hands-on tasks, because this allows us to deal with the latest mitigations on the latest hardware. Additionally, a jailbroken iOS 16 device can be used if one is available at the time of the course.

Topics

The list of topics covered in the training. Please note that this list is copied from an earlier version of the course and therefore there might be slight changes.

  • Introduction
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • How to write Code for your iDevice
  • Low Level ARM / ARM64
    • Differences between ARM and ARM64
    • Exception Handling
    • Hardware Page Tables
    • Special Registers used by iOS
    • PAN and PAC (Pointer Authentication)
    • ...
  • iOS Kernel Source Code
    • Structure of the Kernel Source Code
    • Where to look for Vulnerabilities
    • Implementation of Mitigations
    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing
    • ...
  • iOS Kernel Reversing
    • Structure of the Kernel Binary
    • Finding Important Structures
    • Porting Symbols
    • Closed Source Kernel Parts and How to Analyze Them
    • ...
  • iOS Kernel Heap
    • In-Depth Explanation of How the Kernel Heap works (concentration on the new heap)
    • Discussion of Kernel Heap Separation and Anti Heap Feng Shui Mitigations
    • Discuss remaining weaknesses in current implementation
  • iOS Kernel Exploit Mitigations
    • Discussion of all the iOS Kernel Exploit Mitigations introduced
    • Includes software and hardware based mitigations (KTRR, KPP, PPL, PAC, PAN, APRR)
    • Including the newest mitigations already known in the latest kernels
    • Discussion of various weaknesses in these protections
  • iOS Kernel Vulnerabilities and their Exploitation
    • Concentration on recent vulnerabilities and how they can be exploited with the current set of mitigations
  • iOS Kernel Jailbreaking
    • Discussion of recent challenges for jailbreaking

Training Takeaways

  • The whole training material (several hundred slides) will be handed to the students in digital form.
  • Trainees will get a license for the Antid0te software and scripts that are used during the training; the license allows usage but not redistribution of said software.

Training Requirements

  • Student Requirements
    • Basic understanding of exploitation
    • C and Python Programming knowledge
    • Knowledge of ARM64 assembly
  • Hardware Requirements
    • ARM64 Apple Mac Notebook
    • iOS device compatible with checkra1n-compatible jailbreaks for iOS 16
  • Software Requirements
    • IDA Pro 7.x license (ARM64 support required)
    • Ghidra (Fully supported now)
    • Hexrays for ARM64 helpful, but not required
    • BinDiff for IDA helpful, but not required
    • MacOS, with latest XCode and iOS 16.x SDK (or newer)
    • Additional Software will be made available during the training

Venue

The training is held at a yet-to-be-determined location in Singapore.

Pricing

We offer the following rates for this training.

  • EUR 4500,-
  • SGD 6500,-
  • USD 5000,-

Payment will be possible via international bank transfer or via credit card through STRIPE. Please note that we will usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.

Register

If you have further questions or want to register for this training, please contact us by e-mail at training@antid0te.com. Please note that signup, billing and execution of the training are handled by Antid0te SG Pte. Ltd.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but want us to perform it for your own people, want to feature our training at your online conference, or would just like to know whether we will provide the training again at a later time, please contact us by e-mail at training@antid0te.com.