iOS Kernel Exploitation Training (April 2015)

Instructor: Stefan Esser
Dates: 27th April - 1st May 2015 (5 days)
Venue: Le Méridien Parkhotel Frankfurt, Germany
Availability: 15 Seats
Language: English

Our iOS 7/8 Kernel Exploitation Trainings in 2014 have been so successful that former trainees, as well as tricks, techniques and vulnerabilities from the training, have been directly involved in the making of the public iOS 7.1 and iOS 8.x jailbreaks. However, our training material was originally developed for 32 bit iOS devices and has only been improved over time to cover 64 bit devices, too. For 2015 we have therefore started to redesign the course to focus much more on the new ARM64 iOS devices and their exploitation. We have completely ripped out some 32 bit specific slide decks and replaced them with new 64 bit material.

The next training at the end of April 2015 will take place in the Le Méridien hotel in Frankfurt (Germany) between 27th April and 1st May. It is a full 5-day course and is targeted at exploit developers who want to switch over to iOS.

We will cover the latest iOS 8 kernel security features, discuss their weaknesses, and you will learn how to circumvent them. Every part of the course will start with a lecture introducing you to the topic and end with hands-on exercises, where you use your newly gained knowledge to implement an attack against a real device. In our 2015 course we have also added some additional hands-on exercises for students with more advanced prior knowledge.

The 2015 edition of the training will focus on 64 bit iOS devices, but we will also cover the introductory basics like KDP kernel debugging on older 32 bit devices and booting your own kernels on A4 devices. However, most of the work will be performed on 64 bit iPad mini 2 16GB (retina+WiFi) devices that each trainee can take home after the course.

The goal of this training is to enable you to exploit new vulnerabilities in the iOS 8 kernel that you discover on your own.

Topics

We are currently improving the course material and are working on some things that allow us to better cover iOS 8 during the training. So the following list of topics might change slightly in the final course.

  • Introduction
    • How to handle a new Firmware
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • How to boot own Kernels (32 bit specific)
    • How to patch own Code into the Kernel
    • How to write Code for your iDevice
  • Low Level ARM / ARM64
    • Differences between ARM and ARM64
    • Exception Handling
    • Hardware Page Tables
    • Special Registers used by iOS
    • ...
  • iOS Kernel Source Code
    • Structure of the Kernel Source Code
    • Where to look for Vulnerabilities
    • Implementation of Mitigations
    • MAC Policy Hooks, Sandbox, Entitlements, Code Signing
    • ...
  • iOS Kernel Reversing
    • Structure of the Kernel Binary
    • Finding Important Structures
    • Porting Symbols
    • Closed Source Kernel Parts and How to analyze them
    • ...
  • iOS Kernel Debugging
    • Panic Dumps
    • Using the KDP Kernel Debugger (limited to 30 pin devices)
    • Extending the Kernel Debugger (KDP++)
    • Debugging with own Patches
    • Kernel Heap Debugging/Visualization (new software package)
  • iOS Kernel Heap
    • In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7/8)
    • Different techniques to control the kernel heap layout (including non-public ones)
  • iOS Kernel Exploit Mitigations
    • Discussion of all the iOS Kernel Exploit Mitigations introduced
    • Discussion of various weaknesses in these protections
  • iOS Kernel Vulnerabilities and their Exploitation
    • Discussion of kernel info leak vulnerabilities used in public jailbreaks
    • Discussion of kernel memory corruption vulnerabilities used in public jailbreaks
    • Introduction to kernel exploitation with a 64 bit DEMO vulnerability
  • iOS Kernel Jailbreaking
    • Discussion of all the Kernel Patches applied by iOS Jailbreaks
    • Discussion of differences between 32 bit and 64 bit patches
  • Handling of New Devices
    • Discussion of necessary steps to port exploits from old to new devices
  • Persistence
    • The topic of persistence or untethering will be discussed although the kernel land is only partially involved.

Training Takeaways

  • all students will take home an iPad mini 2 - 16GB (retina+WiFi) with a retail value of now 289,- EUR (these iPads are new, unpacked and kept on the latest jailbreakable firmware available before the training. Currently this is iOS 8.1.2)
  • all students will take home a 30 pin debugging adapter
  • the whole training material (multiple hundred slides) will be handed to the students in digital and printed form
  • trainees will get a license for the SektionEins software and scripts that are used during the training that allows usage but not redistribution of said software

Training Requirements

  • Student Requirements
    • This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. It is not required to have previous experience with ARM64 CPUs, because their differences are discussed within the training. An ARM64 assembly introduction will be sent to the trainees before the course. Low level ARM CPU knowledge will be helpful, but is not required for this course; part of it will be explained within the course.
    • This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.
    • About 3 weeks before the training, trainees will receive a paper that covers introductory information. This material will contain an introductory ARM64 assembly primer. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood.
  • Hardware Requirements
    • An Apple Mac notebook is required in order to run OS X Mavericks / Yosemite and Xcode.
    • Training hands-on exercises will be performed on devices provided by SektionEins. It is not required for students to bring their own iOS devices.
    • Every student will be handed an iPad mini 2 16GB (Retina+Wifi) at the beginning of the training that they will work on and can take home after the training.
    • Students can optionally bring their own iOS device for experiments. But for best results these devices should run an iOS version which has a public jailbreak for it.
    • Students are not required to bring iOS serial cables for older devices to the training, because these will be provided by SektionEins as well.
  • Software Requirements
    • Legal IDA Pro 6.x license (ARM64 support required); some scripts are in the process of being ported to Hopper
    • Hex-Rays decompiler for ARM helpful, but not required
    • BinDiff for IDA helpful, but not required
    • Mac OS X Mavericks (or Yosemite), with latest Xcode and iOS 8.1 SDK (or newer)
    • Additional Software will be made available during the training

Venue
