iOS Kernel Exploitation Training (December 2016)
SektionEins in cooperation with Antid0te organises an iOS Kernel Exploitation Training in Berlin in December 2016.
The SektionEins and Antid0te UG iOS Kernel Exploitation Trainings held in 2014-2016 have been so successful that former trainees, as well as tricks, techniques and vulnerabilities from the training, have been directly involved in the making of some of the public iOS jailbreaks. Furthermore, several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases. However, Apple's internal development of the iOS kernel never stands still: at least once a year, around October when the next major iOS version is released, new changes are made to the kernel to add new security mitigations or to defeat previously used attacks.
In particular, the release of iOS 10 with its overhauled kernel zone heap implementation has brought drastic changes to the landscape of iOS kernel heap exploitation. Therefore our late 2016 training has once again been updated to cover the latest changes and new exploit mitigations that you can find in iOS 9.3.x and the iOS 10 beta.
The next training will take place at the beginning of December 2016. Unlike previous trainings it will be held in Berlin, in the RAMADA Hotel Berlin - Alexanderplatz, between December 5th and 9th, 2016. It is a full 5-day course targeted at exploit developers who want to switch over to iOS.
The December 2016 edition of the training will focus on 64-bit iOS devices; most of the work will be performed on 64-bit iPod touch 16GB devices that each trainee can take home after the course. These devices will be running iOS 9.x.
NEW: This training offers attendees the chance to select topics of their choice before the training. We will then integrate the topics most wanted among the trainees into the training.
The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.
Topics
The following list of topics might change slightly before the course. (Please check back every now and then for an updated list of topics.)
- Introduction
  - How to set up your Mac and device for vulnerability research / exploit development
  - How to load your own kernel modules into the iOS kernel
  - How to write code for your iDevice
  - Damn Vulnerable iOS Kernel Extension
- Low Level ARM / ARM64
  - Differences between ARM and ARM64
  - Exception handling
  - Hardware page tables
  - Special registers used by iOS
  - ...
- iOS Kernel Source Code
  - Structure of the kernel source code
  - Where to look for vulnerabilities
  - Implementation of mitigations
  - MAC policy hooks, sandbox, entitlements, code signing
  - ...
- iOS Kernel Reversing
  - Structure of the kernel binary
  - Finding important structures
  - Porting symbols
  - Closed-source kernel parts and how to analyze them
  - ...
- iOS Kernel Debugging
  - Panic dumps
  - Using the KDP kernel debugger (hands-on tasks limited to 30-pin devices)
  - Extending the kernel debugger (KDP++)
  - Debugging with your own patches
  - Kernel heap debugging/visualization (new software package)
- iOS Kernel Heap
  - In-depth explanation of how the kernel heap works (including all the changes in iOS 10.x)
  - Different techniques to control the kernel heap layout (including non-public ones)
  - About the heap randomness in iOS >= 9.2
  - All the changes to the heap with iOS 10
- iOS Kernel Exploit Mitigations
  - Discussion of all the iOS kernel exploit mitigations introduced so far
  - Discussion of various weaknesses in these protections
- iOS Kernel Vulnerabilities and their Exploitation
  - NEW: Full walkthrough of the exploitation of 10 previously known iOS memory corruption vulnerabilities
  - NEW: Overview of the different vulnerability types commonly found in the iOS kernel and of exploit strategies
  - NEW: Part of the training will be to reimplement bits and pieces of an iOS 9.3.3 kernel exploit
- iOS Kernel Jailbreaking
  - NEW: Full walkthrough of the Kernel Patch Protection as leaked by Apple
  - NEW: Discussion of all the kernel patches applied by recent iOS jailbreaks
  - Discussion of differences between 32-bit and 64-bit patches
- Handling of New Devices
  - Discussion of the necessary steps to port exploits from old to new devices
- Persistence
  - Is persistence really required?
  - NEW: Overview of the types of persistence exploits seen so far
The topic of persistence or untethering will be discussed, although the kernel is only partially involved in it.
Training PLUS++
This training course allows trainees to submit a list of topics that are missing from the list above and that they would like to see discussed. The most wanted topics among all attendees will be added to the course.
Attendees of our trainings now get a 9-month guarantee of updates: if another training of the same kind is held within 9 months of their booked training, they will receive the updated training material free of charge (after the new training has been held).
Training Takeaways
All students will take home an iPod Touch 16GB (64-bit) with a current retail value of 229,- EUR (these iPods are jailbroken on iOS 9.x for the hands-on exercises during the training).
The whole training material (several hundred slides) will be handed to the students in digital form.
In addition, the training material of our previous course will be handed out in digital form.
Trainees will get a license for the Antid0te software and scripts that are used during the training; the license allows usage but not redistribution of said software.
Training Requirements
Student Requirements
This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. Previous experience with ARM64 CPUs is not required, because the differences are discussed within the training, and there is a short refresher inside the training. Low-level ARM CPU knowledge will be helpful, but is not required for this course; part of it will be explained within the course.
This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.
About 3 weeks before the training, trainees will receive a paper that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood.
Due to new EU export regulations on so-called "Intrusion Software Technology", all exploitation trainings are subject to export control. This means we can currently only accept students from the EU, Switzerland, USA, Canada, Japan, Norway, Liechtenstein, New Zealand and Australia.
Hardware Requirements
An Apple Mac notebook is required in order to run OS X Yosemite and XCode.
Training hands-on exercises will be performed on devices provided by Antid0te. Students are not required to bring their own iOS devices.
Every student will be handed an iPod Touch 16GB at the beginning of the training, which they will work on and can take home after the training.
Students can optionally bring their own iOS device for experiments, but for best results these devices should run an iOS version for which a public jailbreak exists.
Students are not required to bring iOS serial cables for older devices to the training, because these will be provided by Antid0te if required.
Software Requirements
- Legal IDA Pro 6.x license (ARM64 support required); Hopper may be used at your own risk
- Hex-Rays decompiler for ARM: helpful, but not required
- BinDiff for IDA: helpful, but not required
- Mac OS X 10.11 with the latest XCode and iOS 9.x SDK (or newer)
- Additional software will be made available during the training
Venue
The training will be held at the RAMADA Hotel Berlin (Germany). The hotel is located near the Alexanderplatz in Berlin, which is easily reachable with public transportation from many parts of Berlin.
No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose any nearby hotel.
Pricing
Ticket | Price | VAT
Early Bird (before 1st September) | 3800,- EUR | 722 EUR
Regular (before 4th November) | 4000,- EUR | 760,- EUR
Late (after 4th November) | 4500,- EUR | 855,- EUR
The training ticket price includes daily lunch, morning and afternoon coffee breaks, and free soft drinks in the training room.
Register
If you have further questions or want to register for this training, please contact us by e-mail at training@antid0te.com. Please note that signup, billing and execution of the training are performed by Antid0te UG (haftungsbeschränkt).
In-House Training / Conferences / Additional Trainings
If you are interested in this training but want us to perform it for your people at your office, want to feature our training at your conference, or would just like to know whether we will provide the training again at a later time, please contact us by e-mail at training@antid0te.com.