iOS 16 and MacOS Kernel Exploitation

Topics

The list of topics covered in the training. Please notice that this list is copied from an earlier version of the course and therefore there might be slight changes.

• Introduction
  • How to set up your Mac and Device for Vuln Research/Exploit Development
  • How to write Code for your iDevice
• Low Level ARM / ARM64
  • Differences between ARM and ARM64
  • Exception Handling
  • Hardware Page Tables
  • Special Registers used by iOS
  • PAN and PAC (Pointer Authentication)
  • ...
• iOS Kernel Source Code
  • Structure of the Kernel Source Code
  • Where to look for Vulnerabilities
  • Implementation of Mitigations
  • MAC Policy Hooks, Sandbox, Entitlements, Code Signing
  • ...
• iOS Kernel Reversing
  • Structure of the Kernel Binary
  • Finding Important Structures
  • Porting Symbols
  • Closed Source Kernel Parts and How to analyze them
  • ...
• iOS Kernel Heap
  • In-Depth Explanation of How the Kernel Heap works (concentration on the new heap)
  • Discussion of Kernel Heap Separation and Anti Heap Feng Shui Mitigations
  • Discuss remaining weaknesses in current implementation
• iOS Kernel Exploit Mitigations
  • Discussion of all the iOS Kernel Exploit Mitigations introduced
  • Includes software and hardware based mitigations like (KTRR, KPP, PPL, PAC, PAN, APRR)
  • Including newest mitigations already known in latest kernels
  • Discussion of various weaknesses in these protections
• iOS Kernel Vulnerabilities and their Exploitation
  • Concentration of recent vulnerabilities and how they can be exploited with current set of mitigations
• iOS Kernel Jailbreaking
  • Discussion of recent challenges for jailbreaking

Training Takeaways

• The whole training material (multiple hundred slides) will be handed to the students in digital form.
• Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.

Training Requirements

• Student Requirements
  • Basic understanding of exploitation
  • C and Python Programming knowledge
  • Knowledge of ARM64 assembly
• Hardware Requirements
  • ARM64 Apple Mac Notebook
  • iOS device compatible with checkra1n compatible jailbreaks for iOS 16
• Software Requirements
  • IDA Pro 7.x license (ARM64 support required)
  • Ghidra (Fully supported now)
  • Hexrays for ARM64 helpful, but not required
  • BinDiff for IDA helpful, but not required
  • MacOS, with latest XCode and iOS 16.x SDK (or newer)
  • Additional Software will be made available during the training

Venue

The training is held at a yet to determine location in Singapore.

Pricing

Payment will be possible via international bank transfer or via credit card featured by STRIPE. Please note that we will usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.

Register

If you have further questions or want to register for this training please contact us by e-mail training@antid0te.com. Please notice that signup, billing and execution of the training is handled by Antid0te SG Pte. Ltd..

In-House Training / Conferences / Additional Trainings

If you are interested in this training, but want us to perform the training for your people, want to feature our training at your online conference or would just like to know if we provide the training again at a later time please contact us by e-mail training@antid0te.com.