Dates: 17th November - 21st November 2014 (5 days)
Venue: Le Méridien Parkhotel Frankfurt, Germany
Availability: 15 Seats
Our iOS 7 Kernel Exploitation Trainings in April and July were a success and well received by our trainees. However the release
of iOS 8 and of new 64bit ARM iOS devices like the iPhone 6 is around the corner.
We are therefore redesigning our iOS Kernel Exploitation Course to cover security of the iOS 8 final release, we are rewriting our internal tools that we share with the attendees and upon request of the trainees we add a lot more ARM64 specific hands-on.
The training in November will take place in the Le Meridien hotel in Frankfurt (Germany) between 17th November and 21st November. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.
We will cover the iOS 7 and 8 kernel security features, discuss their weaknesses and you will learn how to circumvent them. Every part of the course will start with a lecture introducing you to the topic and end with hands-on exercises, where you use your newly gained knowledge to implement an attack against a real device.
Because it is unlikely that there will be a public jailbreak for iOS 8 released at the time of the training, our hands-on sessions will be executed on devices running iOS 7 (until further notice).
We will start the training with work on some old A4 iOS devices that allow for easier debugging and then
learn how to port our attacks to new devices. For this we have acquired brand new 64bit iPad mini 16GB
(retina+WiFi) devices for each trainee to take home after the course. These devices also allow us to
go into the changes between the 32 bit and the 64 bit ARM architecture.
At the end of the training you should be able to exploit new vulnerabilities
in the iOS 7/8 kernel that you discover on your own.
We are currently redesigning the course material and are working on some things that allow us to better cover iOS 8 during the training. So the following list of topics might change slightly in the final course.
Introduction (starting with old devices)
How to handle a new Firmware
How to set up your Mac and Device for Vuln Research/Exploit Development
How to boot own Kernels
How to patch own Code into the Kernel
How to write Code for your iDevice
Low Level ARM / ARM64
Differences between ARM and ARM64
Hardware Page Tables
Special Registers used by iOS
iOS Kernel Source Code
Structure of the Kernel Source Code
Where to look for Vulnerabilities
Implementation of Mitigations
MAC Policy Hooks, Sandbox, Entitlements, Code Signing
iOS Kernel Reversing
Structure of the Kernel Binary
Finding Important Structures
Closed Source Kernel Parts and How to analyze them
iOS Kernel Debugging
Using the KDP Kernel Debugger
Extending the Kernel Debugger (KDP++)
Debugging with own Patches
Kernel Heap Debugging/Visualization
iOS Kernel Heap
In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7/7.1)
Different techniques to control the kernel heap layout
iOS Kernel Exploit Mitigations
Discussion of all the iOS Kernel Exploit Mitigations introduced
Discussion of various weaknesses in these protections
iOS Kernel Vulnerabilities and their Exploitation
Discussion of previous kernel vulnerabilities used in public jailbreaks
Introduction to kernel exploitation with a DEMO vulnerability
Exploitation of a real kernel vulnerability at iOS 7.1.2
iOS Kernel Jailbreaking
Discussion of all the Kernel Patches applied by iOS Jailbreaks
Handling of New Devices
Discussion of necessary steps to port exploits from old to new devices
We are covering the security of iOS 8 during this course, but we are in
the process of redesigning the course and do not expect that there will
be a public iOS 8 jailbreak around at the time of the course. We are working
on a solution for this, but until further notice iOS 8 will be covered,
but hands-on will be performed on devices running iOS 7.
The topic of persistence or untethering will be discussed although
the kernel land is only partially involved.
all students will take home an iPad mini 16GB (retina+WiFi) with a retail value of 389,- EUR
(these iPads were just unpacked, jailbroken and tested to ensure they are working correctly,
otherwise they are new)
the whole training material (multiple hundred slides) will be handed to the students in digital and printed form
trainees will get a free license for the SektionEins software and scripts that are used during
the training - we plan to elaborate on this in our blog during September
This course will not give an introduction to ARM basics. The trainee is
required to understand basic ARM assembly. It is not required to have
previous experience with ARM64 cpus, because their differences are
discussed within the training. Low level ARM CPU knowledge will
be helpful, but is not required for this course - part of it will
be explained within the course.
This course will not give basic introduction to exploitation or ROP.
Trainees are required to know concepts like ROP or buffer overflows,
integer overflows, etc...
Trainees will receive about 2 weeks before the training a paper that
covers introductory information. Trainees are required to read and
work through this document in order to ensure that all software is
correctly installed and some basics are understood.
An Apple Mac Notebook is required in order to run Mountain Lion and XCode.
Training hands-on exercises will be performed on devices provided by SektionEins.
It is not required for students to bring their own iOS devices.
Every student will be handed an iPad mini 16GB (Retina+Wifi) at the beginning
of the training that they will work on and can take home after the training.
Students can optionally bring their own iOS device for experiments.
But for best results these devices should run an iOS version which has a public
jailbreak for it.
Students are not required to bring iOS serial cables for older devices to the
training, because these will be provided by SektionEins as well.
Legal IDA Pro 6.x license (IDA Pro 6.5 or newer recommended for ARM64 support)
Hexrays for ARM helpful, but not required
BinDiff for IDA helpful, but not required
Mac OS X Mountain Lion 10.8 (or newer), with XCode 5 and iOS 7.0 SDK (or newer)
Additional Software will be made available during the training
The training will be held at the Le Méridien Parkhotel Frankfurt (Germany). The hotel is located near the main train station of Frankfurt, which is an ICE train ride of about 20 minutes away from the airport of Frankfurt (FRA).
We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.
Early Bird (before 8th September)
Regular (before 13th October)
Late (after 13th October)
If you have further questions or want to register for this training please contact us by e-mail firstname.lastname@example.org.
In-House Training / Conferences / Additional Trainings
If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again that a later time please contact us by e-mail email@example.com.