iOS 7 Kernel Exploitation Training (2014)

SektionEins organises an iOS Kernel Exploitation Training in Frankfurt at the end of April 2014.

Instructor: Stefan Esser
Dates: 28th April - 2nd May 2014 (5 days)
Venue: Le Méridien Parkhotel Frankfurt, Germany
Availability: SOLD OUT but we do another training in July
Language: English

After our successfull iOS 6 Kernel Exploitation training in September, we have decided to give another iOS Security and Exploitation Workshop in Frankfurt again. However we have adjusted the training material to changes made in iOS 7 and are still improving the material for this new designed course on the iOS kernel and its exploitation. It will take place in Frankfurt (Germany) at the end of April 2014, is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.

We will cover the latest iOS 7 kernel security features, discuss their weaknesses and you will learn how to circumvent them. Every part of the course will start with a lecture introducing you to the topic and end with hands-on exercises, where you use your newly gained knowledge to implement an attack against a real device.

We will start the training with work on some old A4 iOS devices that allow for easier debugging and then learn how to port our attacks to new devices. For this we have acquired brand new 64bit iPad mini 32GB (retina+WiFi+Cell) devices for each trainee to take home after the course. These devices also allow us to go into the changes between the 32 bit and the 64 bit ARM architecture.

At the end of the training you should be able to exploit new vulnerabilities in iOS 7 that you discover in kernel land on your own.

Topics

  • Introduction (starting with old devices)

    • How to handle a new Firmware

    • How to set up your Mac and Device for Vuln Research/Exploit Development

    • How to boot own Kernels

    • How to patch own Code into the Kernel

    • How to write Code for your iDevice

  • Low Level ARM / ARM64

    • Differences between ARM and ARM64

    • Exception Handling

    • Hardware Page Tables

    • Special Registers used by iOS

    • ...

  • iOS Kernel Source Code

    • Structure of the Kernel Source Code

    • Where to look for Vulnerabilities

    • Implementation of Mitigations

    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing

    • ...

  • iOS Kernel Reversing

    • Structure of the Kernel Binary

    • Finding Important Structures

    • Porting Symbols

    • Closed Source Kernel Parts and How to analyze them

    • ...

  • iOS Kernel Debugging

    • Panic Dumps

    • Using the KDP Kernel Debugger

    • Extending the Kernel Debugger (KDP++)

    • Debugging with own Patches

    • Kernel Heap Debugging/Visualization

  • iOS Kernel Heap

    • In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7)

    • Different techniques to control the kernel heap layout

  • iOS Kernel Exploit Mitigations

    • Discussion of all the iOS Kernel Exploit Mitigations introduced

    • Discussion of various weaknesses in these protections

  • iOS Kernel Vulnerabilities and their Exploitation

    • Discussion of previous kernel vulnerabilities used in public jailbreaks

    • Introduction to kernel exploitation with a DEMO vulnerability

    • Exploitation of a real kernel vulnerability at iOS 7.0.4

  • iOS Kernel Jailbreaking

    • Discussion of all the Kernel Patches applied by iOS Jailbreaks

  • Handling of New Devices

    • Discussion of necessary steps to port exploits from old to new devices

  • iOS 7.1?

    • Because the release date of iOS 7.1 is unknown at the moment it is not possible to predict what changes there might be in the kernel. However we will incorporate all the information known about the iOS 7.1 kernel until the training into the material.

  • Persistence

    • The topic of persistence or untethering will be discussed although the kernel land is only partially involved.

Training Takeaways

  • all students will take home an iPad mini 32GB (retina+WiFi+Cell) with a retail value of 599,- EUR (these iPads were just unpacked and tested to ensure they are working correctly, otherwise they are new)

  • the whole training material (multiple hundred slides) will be handed to the students in digital and printed form

  • all the SektionEins software and scripts used during the training will be given to the trainees free of charge

Training Requirements

  • Student Requirements

    • This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. It is not required to have previous experience with ARM64 cpus, because their differences are discussed within the training. Low level ARM CPU knowledge will be helpful, but is not required for this course - part of it will be explained within the course.

    • This course will not give basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP or buffer overflows, integer overflows, etc...

    • Trainees will receive about 2 weeks before the training a paper that covers introductionary information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood.

  • Hardware Requirements

    • An Apple Mac Notebook is required in order to run Mountain Lion and XCode.

    • Training hands-on exercises will be performed on devices provides by SektionEins. It is not required for students to bring their own iOS devices.

    • Every student will be handed an iPad mini 32GB (Retina+Wifi+Cell) at the beginning of the training that they will work on and can take home after the training.

    • Students can optionally bring their own iOS device for experiments. But for best results these devices should run an iOS version which has a public jailbreak for it.

    • Students are not required to bring iOS serial cables for older devices to the training, because these will be provided by SektionEins.

  • Software Requirements - Legal IDA Pro 6.x license (IDA Pro 6.5 or newer recommended for ARM64 support)

    • Hexrays for ARM helpful, but not required

    • BinDiff for IDA helpful, but not required

    • Mac OS X Mountain Lion 10.8 (or newer), with XCode 5 and iOS 7.0 SDK (or newer)

    • Additional Software will be made available during the training

Venue

The training will be held at the Le Méridien Parkhotel Frankfurt (Germany). The hotel is located near the main train station of Frankfurt, which is an ICE train ride of about 20 minutes away from the airport of Frankfurt (FRA).

Address:
Le Méridien Parkhotel Frankfurt
Wiesenhüttenplatz 28-38
60329 Frankfurt am Main


View Larger Map

Attention: Please contact us before booking a room, because the hotel offers a special rate to attendes of the training.

Pricing

We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies inside the European Union have to pay VAT on top of the base price.

Price

VAT

Early Bird (before 1st February)

4000,- EUR

760,- EUR

Regular (after 1st February)

4500,- EUR

855,- EUR

Late (after 16h March)

5000,- EUR

950,- EUR


Please note that the Le Méridien Parkhotel Frankfurt offers a special rate for the first 15 attendes of the training booking their rooms before 16th of March. In order to get the required CODE for booking this rate please contact us by e-mail training@sektioneins.de.

Register

If you have further questions or want to register for this training please contact us by e-mail training@sektioneins.de.

In-House Training / Conferences / Additional Trainings

If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail training@sektioneins.de.