For the last few years we have taught iOS and OS X kernel exploitation to a wide variety of students. As Apple keeps adding new security mitigations to the kernel and changes security-relevant implementations such as the kernel heap allocator, we have continued to update our course curriculum. For 2018 we went a step further: for the first time in the history of our courses, we are offering an advanced version of our kernel exploitation course that builds on top of our previous courses.
In this advanced course, we will focus less on what security features were added by what iOS version, and more on questions and topics that arise during the development of kernel exploits for real kernel vulnerabilities that were made public in 2017.
During the training we will make available devices running iOS 11.0 for the hands-on tasks, because these tasks can only be performed on devices that still have the relevant vulnerabilities.
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. The individual class guides list the material students are expected to know coming in and the software tools that need to be pre-installed before attending, so that you get the maximum benefit from these focused intermediate- or advanced-level courses. Please pay particular attention to the prerequisites: the material listed there will not be reviewed in the courses and is necessary to get the maximum benefit out of these educational programs.
Topics
Introduction:
- How to set up your Mac and iOS Device for Vuln Research/Exploit Development
- How to load own kernel modules into the iOS kernel
- How to write code for your iDevice
Low Level ARM64:
- Low level ARM64 features required for exploitation
- Hardware-assisted security mitigations (iPhone 7 and later)
iOS Kernel Debugging:
- Panic Dumps
- Working around the lack of KDP Kernel Debugging
- Kernel Heap Debugging/Visualization
iOS Kernel Vulnerability Types:
- Discussion of different kernel vulnerability types
- Exploitation strategies for different types
iOS Kernel Heap Exploitation:
- How the iOS 11 Kernel Heap works
- Controlling the Kernel Heap on iOS 11
- Exploitation of Kernel Heap Vulnerabilities on iOS 11
iOS Kernel Exploit Mitigations:
- Discussion of Mitigations and how to bypass them in exploits
- Discussion of Kernel Patch Protection
iOS Kernel Vulnerabilities:
- Discussion and exploitation of several kernel vulnerabilities made public between late 2016 and early 2018
iOS Kernel Jailbreaking:
- What was patched in earlier jailbreaks
- Data-only workarounds for previous patches
Prerequisites
Students must have prior knowledge of exploitation (the basics will not be taught) and must be capable of reading and writing exploits in C. Students will get an introduction to low-level ARM/ARM64 as part of the course.