OS X and iOS Kernel Internals for Security Researchers Training

SektionEins organises an OS X and iOS Kernel Internals for Security Researchers Training in Frankfurt in October 2015.

Instructor: Stefan Esser (Antid0te UG)
Dates: 26th October - 30th October 2015 (5 days)
Venue: Le Méridien Parkhotel Frankfurt, Germany
Availability: 15 Seats
Language: English

Our "OS X and iOS Kernel Internals for Security Researchers Training" immediately sold out at SyScan Singapore 2015 and ReCon 2015. Within this training we look at the internals of the OS X and iOS kernel from the view of a security researcher. We cover material interesting for the developers of OS X endpoint security solutions, OS X/iOS kernel vulnerability/malware researchers and OS X/iOS kernel forensic technicians. If you are a security researcher and interested in kernel internals this is the right course for you. If you are more interested in actual exploitation then our November course is the better choice for you.

The next training at the end of October 2015 will take place in the Le Méridien hotel in Frankfurt (Germany) between 26th October and 30th October. It is a full 5-day course and is targeted at security researchers with a need for OS X and iOS kernel knowledge.

This training will cover both the OS X (Yosemite/El Capitan) and the iOS (8/9) kernel, because they become more closely related with every new major release. We will discuss differences where applicable. However, the training will focus its hands-on tasks on the OS X platform.

NEW: This training will offer attendees the chance to select topics of their choice before the training. We will then integrate the most wanted topics among the trainees into the training.

The goal of this training is to enable you to understand the inner working of the OS X and iOS kernels as required for endpoint security solutions, vulnerability research, malware research and basic forensic analysis.


  • Introduction
    • Setting up a development and debugging environment
    • Compiling your own kernel
    • Developing your own kernel extensions
  • Low Level x64 / ARM / ARM64
    • Low level CPU details
    • Physical memory management
  • Kernel Source Code
    • Structure of the source code
    • How to find vulnerabilities
    • How security mitigations are implemented
  • Kernel Drivers/Extensions
    • IOKit
    • Driver attack surface
    • Kernel driver code-signing
  • Kernel Internals
    • Important data structures of the kernel
    • Mach-O file format / encryption
    • Mach messages and IPC
    • Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter
    • Filesystems, networking stack
  • Kernel Debugging
    • Panic Dumps
    • Built-in Kernel Debugging
    • Debugging with own kernel extensions
    • Kernel Heap Debugging/Visualization
  • Kernel Heap and Memory Management
    • In-depth explanation how various memory allocators work
    • Various techniques for kernel heap layout control
  • Kernel Vulnerabilities
    • History of kernel vulnerabilities and how they were exploited
  • Kernel Rootkit Detection
    • Discussion of previously hooked / abused data structures in OS X rootkits
    • Memory Forensics with Volatility

Training PLUS++

  • starting with this training course we will try something new: around the end of July we will launch a platform that allows attendees to specify topics they would like to see discussed in the training, and all other attendees can then vote on their favourite additions to the course. We will then pick the most wanted topics from this list and add them to the course (up to 20%).
  • attendees of our trainings will now get a 9-month guarantee of updates: if another training of the same kind is held within 9 months of their booked training, they will receive the updated training material free of charge (after the new training has been held).

Training Takeaways

  • the whole training material (multiple hundred slides) will be handed to the students in digital and printed form
  • in addition the training material of our previous course will be handed in digital form
  • trainees will get a license for the SektionEins software and scripts that are used during the training that allows usage but not redistribution of said software

Training Requirements

  • Student Requirements
    • This course will not give an introduction to x86/x86_64/ARM basics. The trainee is required to understand basic assembly for at least one of these platforms. Low level CPU knowledge will be helpful, but is not required for this course - the parts that we need will be explained during the training.
    • This course will not give basic introduction to exploitation or ROP. Trainees should know concepts like ROP or buffer overflows, integer overflows, etc...
    • About 3 weeks before the training, trainees will receive a paper that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood.
  • Hardware Requirements
    • An Apple Mac Notebook is required in order to run OS X Yosemite/El Capitan and Xcode.
    • Notebook must be capable of running virtual machines for hands-on tasks.
    • Training hands-on exercises will be performed on OS X.
    • Students can optionally bring their own iOS device for experiments, but for best results these devices should run an iOS version for which a public jailbreak exists.
  • Software Requirements
    • Legal IDA Pro 6.x license (64 support required) / Hopper use at own risk
    • Hexrays for ARM helpful, but not required
    • BinDiff for IDA helpful, but not required
    • Mac OS X Yosemite/El Capitan, with latest Xcode and iOS SDK (or newer)
    • VMware Fusion 7.x (or better)
    • Additional Software will be made available during the training


The training will be held at the Le Méridien Parkhotel Frankfurt (Germany). The hotel is located near the main train station of Frankfurt, which is an ICE train ride of about 20 minutes away from the airport of Frankfurt (FRA).

Le Méridien Parkhotel Frankfurt
Wiesenhüttenplatz 28-38
60329 Frankfurt am Main

The hotel offers up to 10 rooms for a special rate of 150 EUR per night (including breakfast) until 6 weeks before the training. They will be given out on a first-come, first-served basis.


We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.

Rate                              Price        VAT
Early Bird (before 10th August)   4000,- EUR   760,- EUR
Regular (before 28th September)   4500,- EUR   855,- EUR
Late (after 28th September)       5000,- EUR   950,- EUR

The training ticket price includes a daily lunch buffet (or 3 course menu), various food selections during morning and afternoon coffee breaks, free soft drinks in the training room and a one night surprise dinner.


If you have further questions or want to register for this training, please contact us by e-mail at training@sektioneins.de.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but want us to perform the training for your people at your office, want to feature our training at your conference, or would just like to know if we will provide the training again at a later time, please contact us by e-mail at training@sektioneins.de.