iOS Kernel Exploitation Training (November 2015)

SektionEins organises an iOS 8/9 Kernel Exploitation Training in Frankfurt in November 2015.

Instructor: Stefan Esser (Antid0te UG)
Dates: 23rd November - 27th November 2015 (5 days)
Venue: Le Méridien Parkhotel Frankfurt, Germany
Availability: 15 Seats
Language: English

Our iOS 7/8 Kernel Exploitation Trainings in 2014/2015 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of the public iOS 7.1 and iOS 8.x jailbreaks. However, our training material was a combination of kernel internals interesting for security researchers on the one hand and exploitation topics on the other. We have decided to split the material into two separate courses. If you are more interested in kernel internals for security researchers, you can book the other course instead. If you are more interested in actual exploitation, then our November course is the right thing for you.

The next training at the end of November 2015 will take place in the Le Méridien hotel in Frankfurt (Germany) between 23rd November and 27th November. It is a full 5-day course and is targeted at exploit developers who want to switch over to iOS.

Because the training has been split into two separate trainings, the new iOS Kernel Exploitation Course will feature many more exploitation exercises. We will cover the latest iOS 8 and iOS 9 kernel security features, discuss their weaknesses and you will learn how to circumvent them. The training format has been changed so that we start every day with objectives that we want to achieve and then go through a mix of lectures and hands-on exercises explaining the required steps to achieve our objective.

The November edition of the training will focus on 64-bit iOS devices and most of the work will be performed on 64-bit iPad mini 2 16GB (retina+WiFi) devices that each trainee can take home after the course.

NEW: This training will offer attendees the chance to select topics of their choice before the training. We will then integrate the most wanted topics among the trainees into the training.

The goal of this training is to enable you to exploit new vulnerabilities in the iOS 8 / 9 kernel that you discover on your own.

Topics

We are currently in the process of restructuring the training material to fit the new objective-driven training style. We will also support iOS 9 in our training, which has not been released yet. So the following list of topics might change slightly in the final course. (Please check every now and then to see an updated list of topics.)

  • Introduction

    • How to set up your Mac and Device for Vuln Research/Exploit Development

    • How to load own kernel modules into the iOS kernel

    • How to write Code for your iDevice

    • Damn Vulnerable iOS Kernel Extension

  • Low Level ARM / ARM64

    • Differences between ARM and ARM64

    • Exception Handling

    • Hardware Page Tables

    • Special Registers used by iOS

    • ...

  • iOS Kernel Source Code

    • Structure of the Kernel Source Code

    • Where to look for Vulnerabilities

    • Implementation of Mitigations

    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing

    • ...

  • iOS Kernel Reversing

    • Structure of the Kernel Binary

    • Finding Important Structures

    • Porting Symbols

    • Closed Source Kernel Parts and How to analyze them

    • ...

  • iOS Kernel Debugging

    • Panic Dumps

    • Using the KDP Kernel Debugger (limited to 30 pin devices)

    • Extending the Kernel Debugger (KDP++)

    • Debugging with own Patches

    • Kernel Heap Debugging/Visualization (new software package)

  • iOS Kernel Heap

    • In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7/8)

    • Different techniques to control the kernel heap layout (including non-public ones)

  • iOS Kernel Exploit Mitigations

    • Discussion of all the iOS Kernel Exploit Mitigations introduced

    • Discussion of various weaknesses in these protections

  • iOS Kernel Vulnerabilities and their Exploitation

    • Discussion of different kernel vulnerability types and strategies for their exploitation using the Damn Vulnerable iOS Kernel Extension

    • Discussion of real world exploitation of vulnerabilities disclosed by Jailbreaks or Google's Project Zero

  • iOS Kernel Jailbreaking

    • Discussion of all the Kernel Patches applied by iOS Jailbreaks

    • Discussion of differences between 32-bit and 64-bit patches

  • Handling of New Devices

    • Discussion of necessary steps to port exploits from old to new devices

  • Persistence

    • The topic of persistence or untethering will be discussed although the kernel land is only partially involved.

Training PLUS++

  • Starting with this training course we will try something new: in July we will launch a platform that allows attendees to specify topics they would like to see discussed in the training, and all other attendees can then vote on their favourite additions to the course. We will then pick the most wanted topics from this list and add them to the course (up to 20%).

  • Attendees of our trainings will now get a 9 months guarantee of updates: this means if another training of the same kind is held within 9 months of their booked training, they will receive the updated training material free of charge (after the new training was held).

Training Takeaways

  • all students will take home an iPad mini 2 - 16GB (retina+WiFi) with a current retail value of 289,- EUR (these iPads are jailbroken on some iOS 8.x for the training)

  • the whole training material (multiple hundred slides) will be handed to the students in digital and printed form

  • in addition the training material of our previous course will be handed in digital form

  • trainees will get a license for the SektionEins software and scripts that are used during the training that allows usage but not redistribution of said software

Training Requirements

  • Student Requirements

    • This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. It is not required to have previous experience with ARM64 CPUs, because their differences are discussed within the training. Low level ARM CPU knowledge will be helpful, but is not required for this course - part of it will be explained within the course.

    • This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.

    • About 3 weeks before the training, trainees will receive a paper that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood.

  • Hardware Requirements

    • An Apple Mac Notebook is required in order to run OS X Yosemite and Xcode.

    • Training hands-on exercises will be performed on devices provided by SektionEins. It is not required for students to bring their own iOS devices.

    • Every student will be handed an iPad mini 2 16GB (Retina+WiFi) at the beginning of the training that they will work on and can take home after the training.

    • Students can optionally bring their own iOS device for experiments. For best results, these devices should run an iOS version for which a public jailbreak exists.

    • Students are not required to bring iOS serial cables for older devices to the training, because these will be provided by SektionEins as well.

  • Software Requirements

    • Legal IDA Pro 6.x license (ARM64 support required) / Hopper use at own risk

    • Hexrays for ARM helpful, but not required

    • BinDiff for IDA helpful, but not required

    • Mac OS X Yosemite, with latest Xcode and iOS 8.x SDK (or newer)

    • Additional Software will be made available during the training

Venue

The training will be held at the Le Méridien Parkhotel Frankfurt (Germany). The hotel is located near the main train station of Frankfurt, which is an ICE train ride of about 20 minutes away from the airport of Frankfurt (FRA).

Address:
Le Méridien Parkhotel Frankfurt
Wiesenhüttenplatz 28-38
60329 Frankfurt am Main


The hotel offers up to 10 rooms for a special rate of 150 EUR per night (including breakfast) until 6 weeks before the training. They will be given out on a first-come, first-served basis.

Pricing

We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.

Rate                                 Price         VAT
Very Early Bird (before 6th July)    4250,- EUR    807,50 EUR
Early Bird (before 3rd August)       4500,- EUR    855,- EUR
Regular (before 19th October)        4750,- EUR    902,50 EUR
Late (after 19th October)            5000,- EUR    950,- EUR

The training ticket price includes a daily lunch buffet (or 3 course menu), various food selections during morning and afternoon coffee breaks, free soft drinks in the training room and a one night surprise dinner.

Register

If you have further questions or want to register for this training, please contact us by e-mail at training@sektioneins.de.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but want us to perform it for your people at your office, want to feature our training at your conference, or would just like to know if we will provide the training again at a later time, please contact us by e-mail at training@sektioneins.de.