MacOS and iOS Kernel Internals For Security Researchers

Posted: by Stefan Esser   |  More posts about Blog Training iOS Kernel Security Internals MacOS
Instructor: Stefan Esser (Antid0te UG/Antid0te SG)
Dates: 26th June - 30th June 2023 (EU/North America Timezone)
Venue: Online, Zoom
Availability: 20 Seats
Language: English

With the release of MacOS Ventura and iOS 16 Apple has once again raised the bars in terms of kernel level security. This course will introduce you to the low level internals of the MacOS and iOS kernels from the perspective of a security researcher interested in kernel level vulnerability analysis, kernel rootkit/malware analysis/detection or general kernel security topics. This course will cover MacOS Ventura on x86_64 and ARM64 architecture and iOS 16. Because many Apple security enhancements are ARM64 specific we concentrate on the ARM64 platform.

This training will be held virtually in June 2023 via Zoom Sessions with support via a Discord server. For 5 days there will be daily live training sessions around 5h in length (with a 30min break in the middle). In addition to that all trainees will receive 1-2 weeks before the course a multi hour set of introduction videos they need to work through before the course. This course is targeted at security researchers that want to dive into MacOS or iOS kernel security topics.

The course will focus on ARM64 MacOS and therefore we recommend to perform all training excercises on an ARM64 MacOS device. However x86_64 MacOS topics will also be discussed and can be used as backup system. Furthermore iOS security specifics will also be covered by the course, if they are different from the MacOS way.


The following list of topics shows what will be covered by the course.

  • Introduction
    • Setting up a development and debugging environment
    • Developing your own kernel extensions (kext vs. systemextensions)
  • Low Level x64 / ARM64
    • Low level cpu details
    • Physical memory management
    • Exception Handling
    • Hardware Page Tables
    • Special Registers used by iOS
    • PAN and PAC (Pointer Authentication)
    • ...
  • Kernel Source Code
    • Structure of the Kernel Source Code
    • Where to look for Vulnerabilities
    • Implementation of Mitigations
    • ...
  • Kernel Drivers/(System)Extensions
    • IOKit
    • DriverKit / SystemExtensions
    • EndpointSecurity
    • Driver attack surface
    • Kernel driver code-signing
    • ...
  • Kernel Internals
    • Important data structures of the kernel
    • Mach-o fileformat / encryption
    • Mach messages and IPC
    • Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter
    • Filesystems, networking stack
    • ...
  • Kernel Debugging
    • Panic Dumps
    • Built-in Kernel Debugging / VMWARE based debugging
    • Debugging with own kernel extensions
    • Kernel Heap Debugging/Visualization
  • Kernel Heap
    • In-Depth Explanation of How the Kernel Heap works
    • Covers the NEW MacOS Ventura (Kalloc) Heaps
    • Covers the Read Only Allocaotr
  • Kernel Exploit Mitigations
    • Discussion of all the iOS Kernel Exploit Mitigations introduced
    • Includes software and hardware based mitigations like (KTRR, KPP, PAC, PAN, APRR, PPL, ...)
    • Including newest mitigations in recent kernels
    • Discussion of various weaknesses in these protections

Training Takeaways

  • The whole training material (multiple hundred slides) will be handed to the students in digital form.
  • For up to 5 days after the training students can rewatch video recordings of all sessions.
  • Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.

Training Requirements

  • Student Requirements
    • Basic understanding of exploitation
    • C and Python Programming knowledge
    • Basic Knowledge of X64 (and or) ARM64 assembly (just to be able to understand)
  • Hardware Requirements
    • Apple Mac Notebook capable of running latest MacOS within a virtual machine (need to be able to boot in recovery mode)
    • Enough hard disk space to run VMs
  • Software Requirements
    • Disassembler capable of understanding ARM64/x86_64 MacOS/iOS binaries
    • e.g. IDA Pro 7.x license (X86_64 and ARM64 support required)
    • e.g. Ghidra (Fully supported now)
    • MacOS Ventura, with latest XCode and iOS 16.x SDK (or newer)
    • VirtualBuddy (ARM64) / VMWARE Fusion (x86)
    • Additional Software will be made available during the training

Virtual Venue

The training sessions will be held via Zoom video conferencing. Training sessions will be around 5 hours per training day. In addition to that trainees will get access to a few hours worth of introductory videos.

Furthermore trainees get access to a Discord server that will be used to post information regarding the training and will be used to discuss exercises and their solution, unless those will be covered via Zoom.

All training sessions will be recorded and made available as videos until 5 days after the training. During that time trainees can rewatch sessions as often as they want.


We offer this training in an EU/North America edition. For other timezones please enquire. Unlike in person training courses when all attendees are present and share the same timezone the execution of online training courses requires some adjustments to be made to allow attendees accross different timezones to attent.

The following are the timings of the live lectures. In addition to that trainees need to have extra time to perfom hands on training exercises after the live lectures on their own.

EU / North America Edition

17:00 - 22:00 Berlin
16:00 - 21:00 London
08:00am - 01:00pm Seattle / Vancouver
11:00am - 04:00pm New York / Montreal


We offer the following rates for this training.

EUR 4500,- EUR
SGD 6500,- SGD
USD 5000,- USD

Payment will be possible via international bank transfer or via credit card featured by STRIPE. Please note that we will usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.


If you have further questions or want to register for this training please contact us by e-mail Please notice that signup, billing and execution of the training is handled by Antid0te SG Pte. Ltd..

In-House Training / Conferences / Additional Trainings

If you are interested in this training, but want us to perform the training for your people, want to feature our training at your online conference or would just like to know if we provide the training again at a later time please contact us by e-mail