iOS Kernel Exploitation Training

SektionEins is organizing an iOS Kernel Exploitation Training in Frankfurt in September.

Instructor: Stefan Esser
Dates: 2nd-6th September 2013 (5 days)
Venue: InterContinental Hotel Frankfurt, Germany
Availability: 15 Seats

After having received numerous requests to organize an iOS Security and Exploitation Workshop in Europe, we have created this brand new iOS security course that is entirely focused on the iOS kernel and its exploitation. It will take place in Frankfurt (Germany) in September, is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.

We will cover the latest iOS 6 (and maybe iOS 7) kernel security features, discuss their weaknesses and you will learn how to circumvent them. Every part of the course will start with a lecture introducing you to the topic and end with hands-on exercises, where you use your newly gained knowledge to implement an attack against a real device.

Throughout the training we will work on old A4 iOS devices that allow for easier debugging and then learn how to port our attacks to new devices.

At the end of the training you should be able to exploit new vulnerabilities in iOS 6 or 7 that you discover in kernel land on your own.

Topics

  • Introduction

    • How to handle a new Firmware

    • How to set up your Mac and Device for Vuln Research/Exploit Development

    • How to boot your own Kernels

    • How to patch your own Code into the Kernel

    • How to write Code for your iDevice

  • Low Level ARM

    • Exception Handling

    • Hardware Page Tables

    • Special Registers used by iOS

    • ...

  • iOS Kernel Source Code

    • Structure of the Kernel Source Code

    • Where to look for Vulnerabilities

    • Implementation of Mitigations

    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing

    • ...

  • iOS Kernel Reversing

    • Structure of the Kernel Binary

    • Finding Important Structures

    • Porting Symbols

    • Closed Source Kernel Parts and How to analyze them

    • ...

  • iOS Kernel Debugging

    • Panic Dumps

    • Using the KDP Kernel Debugger

    • Extending the Kernel Debugger (KDP++)

    • Debugging with your own Patches

    • Kernel Heap Debugging/Visualization

  • iOS Kernel Heap

    • In-Depth Explanation of How the Kernel Heap works

    • Different techniques to control the kernel heap layout

  • iOS Kernel Exploit Mitigations

    • Discussion of all the iOS Kernel Exploit Mitigations introduced

    • Discussion of various weaknesses in these protections

  • iOS Kernel Vulnerabilities and their Exploitation

    • Discussion of previous kernel vulnerabilities used in public jailbreaks

    • Introduction to kernel exploitation with a DEMO vulnerability

    • Exploitation of a real kernel vulnerability in iOS 6.1.3

  • iOS Kernel Jailbreaking

    • Discussion of all the Kernel Patches applied by iOS Jailbreaks

  • Handling of New Devices

    • Discussion of necessary steps to port exploits from old to new devices

  • iOS 7?

    • While we concentrate on iOS 6.1.3 we will discuss changes that are already known about the iOS 7 kernel throughout the training

  • Persistence

    • The topic of persistence or untethering will be discussed although the kernel land is only partially involved.

Training Requirements

  • Student Requirements

    • This course will not give an introduction to ARM basics. The trainee is required to understand ARM assembly. Low level ARM CPU knowledge will be helpful, but is not required for this course.

    • This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.

    • About 2 weeks before the training, trainees will receive a paper that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and the basics are understood.

  • Hardware Requirements

    • An Apple Mac Notebook is required in order to run Mountain Lion and XCode.

    • Hands-on training exercises will be performed on iPod 4G devices running iOS 6.1.3 that are provided by SektionEins to all students during the training.

    • Students can optionally bring their own newer iOS device for experiments towards the end of the training, but these devices must run an iOS 6 firmware up to and including iOS 6.1.4.

    • Students are not required to bring iOS serial cables to the training, because these will be provided as takeaways by SektionEins.

  • Software Requirements

    • Legal IDA Pro 6.x license (latest version recommended)

    • Hexrays for ARM helpful, but not required

    • BinDiff for IDA helpful, but not required

    • Mac OS X Mountain Lion 10.8, with XCode 4.6 and iOS 6.1 SDK

    • Additional Software will be made available during the training

Venue

The training will be held at the InterContinental Hotel in Frankfurt (Germany). The hotel is located near the main train station of Frankfurt, which is an ICE train ride of about 20 minutes away from the airport of Frankfurt (FRA).

Address:
InterContinental Frankfurt
Wilhelm-Leuschner-Straße 43
60329 Frankfurt am Main


Attention: Please contact us before booking a room, because the hotel offers a special rate to attendees of the training.

Pricing

We offer the following rates for this training. Attention: the listed prices do not include VAT.

Early Bird (before 5th August)

4000,- EUR

Regular (after 5th August)

4500,- EUR

Late (after 18th August)

5000,- EUR


Please note that the InterContinental Hotel Frankfurt offers a special rate for attendees of the training who book their rooms before 5th of August. In order to get the required CODE for booking this rate, please contact us by e-mail at training@sektioneins.de.

Register

If you want to register for this training, please contact us by e-mail at training@sektioneins.de.