CanSecWest: Security Masters Dojo Vancouver
Practical iOS 13 Kernel Exploitation
Register for the March 14-17, 2020 (4-day course)
Instructor:
Stefan Esser
Description
For the last six years Antid0te has been teaching iOS Kernel Exploitation to a wide variety of students interested in the iOS kernel. Many of our former students have since found and exploited iOS kernel vulnerabilities themselves, and have demonstrated this in practice by contributing to public jailbreaks or by reporting vulnerabilities to Apple.
Teaching iOS exploitation during this time has often been hard due to the lack of access to devices running the most current iOS version. This has changed dramatically in the last weeks with the release of the checkm8 bootrom exploit for iOS devices. It opens up a whole new world of opportunities for training practical iOS kernel exploitation. For the first time we will be able to perform actual hands-on kernel exploitation tasks on devices running the latest firmware.
In this fully redesigned course we will use this to our advantage and teach students how they can make use of the bootrom exploit to jailbreak current and future iOS versions on demand, and how they can disable certain security mitigations in order to ramp up the difficulty of the training exercises step by step. Compared to our previous courses, this course provides more exercises at different difficulty levels.
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. The individual class guides list the material students are expected to have knowledge of coming in, and the software tools that need to be pre-installed before attending, so that you get the maximum benefit from this focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the course and is necessary to get the maximum benefit out of these educational programs.
Class content
Day 1
- Setting up your Mac for iOS kernel research/vulnerability development
- Using checkm8 to boot own kernels
- How to patch old vulnerabilities back for training exercises
- How to debug the iOS kernel with own code
- Loading kernel modules
- The iOS Kernel Heap
- Modern iOS Kernel Heap Feng Shui
- Software based iOS Mitigations and their Weaknesses
- Hardware based iOS Mitigations and their Weaknesses
- Exploitation of different types of heap memory corruptions by example (UAF, reference counting issues, heap overflows, out of bounds writes)
- Exploitation Strategies for different bug types
- Understanding and attacking the iOS sandbox
- Understanding and attacking iOS codesigning
- Subverting and abusing iOS security for arbitrary code execution
- Other jailbreaking related questions
Pre-requisites
Students must have prior knowledge of exploitation (basics will not be taught) and must be capable of understanding and programming exploits in C. Students will get an introduction to low level ARM/ARM64 as part of the course.
Software Requirements
- IDA Pro (Hopper or alternatives partially usable)
- Latest MacOS
- Xcode
Hardware Requirements
- Macbook capable of running latest OS X / MacOS
- Students can optionally bring their own iOS devices, provided they are supported by the checkm8 based jailbreaks