iOS 16 and MacOS Userspace Exploitation


Posted by Stefan Esser
Instructor: Stefan Esser (Antid0te SG)
Dates: 24th April - 28th April 2023
Venue: Singapore, TBA
Availability: 10 Seats
Language: English

With the release of iOS 16 Apple has once again raised the bar in terms of security. New features like Lockdown Mode were created to safeguard iOS devices even further. This course gives trainees who already have a background in exploitation a complete introduction to the specifics of targeting iOS applications and daemons. In particular, popular targets like XPC services, WebKit/MobileSafari and iMessage will be covered.

This training is an in-person, full five-day training in April 2023 in Singapore. Two weeks before the training, trainees will be given some basic introductory material that they need to work through before the course starts. This course is targeted at security researchers who want to learn how to find and exploit userspace vulnerabilities in iOS 16 and MacOS.

The course requires trainees to bring their own MacOS ARM64 device, on which we will perform most hands-on tasks, because this allows us to deal with the latest mitigations on the latest hardware. Additionally, a jailbroken iOS 16 device can be used if one is available at the time of the course.

Topics

The following list of topics shows what is usually covered by the course.

  • Introduction
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • iOS Userspace Memory Layout
    • Dynamic Loading Frameworks, Libraries and ASLR
    • iOS Sandboxing and Inter Process Communication
    • Userspace Exploit Mitigations
    • Userspace Attack Surface
  • Objective-C and Swift Targets
    • Discussion of Objective-C- and Swift-specific exploitation strategies
  • ARM v8.3 Pointer Authentication
    • Exploitation despite modern mitigations
  • iOS Userland Debugging
    • Using the iOS Userland Debugger for vulnerability research
    • How to deal with iOS anti-debugging tricks
  • iOS Userland Heap
    • Discussion of the iOS Userland Heap implementation
    • Discussion of other heap implementations in our targets
    • Introduction of new iOS userland heap visualization toolset
  • MIG and other forms of IPC
    • Introduction to MIG/IPC
    • Understanding the MIG/IPC architecture and its attack surface
    • Mach messages
    • Fuzzing and Exploitation of MIG services
  • XPC services
    • Introduction to XPC services
    • Understanding the XPC architecture and attack surface
    • Understanding target specific mitigations
    • XPC serialization / deserialization
    • Fuzzing XPC services
    • Exploiting XPC services
  • Mobile Safari
    • Introduction to Mobile Safari and its architecture
    • Understanding the attack surface of WebKit and JavaScript Core
    • Understanding target specific mitigations
    • Understanding the heap implementation
    • Introspection and instrumentation
    • Fuzzing Mobile Safari
    • Exploiting Mobile Safari
  • iMessage Exploitation
    • Introduction to iMessage and its architecture
    • Understanding the attack surface
    • Understanding target specific mitigations
    • Introspection and instrumentation
    • Fuzzing iMessage
    • Exploiting iMessage
  • What is new in iOS 16
    • New mitigations in iOS 16 will be covered

Training Takeaways

  • The whole training material (several hundred slides) will be handed to the students in digital form.
  • Trainees will get a license for the Antid0te software and scripts used during the training; the license allows usage but not redistribution of said software.

Training Requirements

  • Student Requirements
    • Basic understanding of exploitation
    • C and Python Programming knowledge
    • Knowledge of ARM64 assembly
  • Hardware Requirements
    • ARM64 Apple Mac Notebook
    • (optionally) a jailbroken iOS device on iOS 16 (usually gives access to older features only)
  • Software Requirements
    • IDA Pro 7.x license (ARM64 support required)
    • Ghidra (fully supported now)
    • Hex-Rays decompiler for ARM64 helpful, but not required
    • BinDiff for IDA helpful, but not required
    • MacOS, with the latest Xcode and iOS 16.x SDK (or newer)
    • Additional Software will be made available during the training

Venue

The training is held at a yet-to-be-determined location in Singapore.

Pricing

We offer the following rates for this training.

  • EUR 4500
  • SGD 6500
  • USD 5000

Payment is possible via international bank transfer or via credit card processed by Stripe. Please note that we will usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.

Register

If you have further questions or want to register for this training, please contact us by e-mail at training@antid0te.com. Please note that signup, billing and execution of the training are handled by Antid0te SG Pte. Ltd.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but want us to deliver it to your own team, want to feature our training at your online conference, or would just like to know whether we will offer the training again at a later date, please contact us by e-mail at training@antid0te.com.