With the release of iOS 16, Apple has once again raised the bar for kernel-level security. This course introduces kernel exploitation on iOS 16 kernels. It concentrates on the latest security enhancements of iOS 16 while performing the hands-on exploitation tasks on macOS ARM64 devices, which run the same XNU kernel and hardware mitigations.
This training is an in-person, full five-day training in April 2023 in Singapore. Two weeks before the training, trainees will receive basic introductory material that they need to work through before the course starts. The course is targeted at security researchers who want to learn how to find and exploit kernel vulnerabilities in iOS 16.
Trainees are required to bring their own macOS ARM64 device, on which most hands-on tasks will be performed, because this allows us to work against the latest mitigations on the latest hardware. Additionally, a jailbroken iOS 16 device can be used if one is available at the time of the course.
The list of topics covered in the training is given below. Please note that this list is copied from an earlier version of the course, so there may be slight changes.
How to set up your Mac and device for vulnerability research / exploit development
How to write code for your iDevice
Low-level ARM / ARM64
  Differences between ARM and ARM64
  Hardware page tables
  Special registers used by iOS
  PAN and PAC (Pointer Authentication)
iOS kernel source code
  Structure of the kernel source code
  Where to look for vulnerabilities
  Implementation of mitigations
  MAC policy hooks, sandbox, entitlements, code signing
iOS kernel reversing
  Structure of the kernel binary
  Finding important structures
  Closed-source kernel parts and how to analyze them
iOS kernel heap
  In-depth explanation of how the kernel heap works (concentrating on the new heap)
  Kernel heap separation and anti-heap-feng-shui mitigations
  Remaining weaknesses in the current implementation
iOS kernel exploit mitigations
  All iOS kernel exploit mitigations introduced so far
  Software- and hardware-based mitigations (KTRR, KPP, PPL, PAC, PAN, APRR)
  The newest mitigations already known from the latest kernels
  Various weaknesses in these protections
iOS kernel vulnerabilities and their exploitation
  Concentration on recent vulnerabilities and how they can be exploited against the current set of mitigations
iOS kernel jailbreaking
  Recent challenges for jailbreaking
The complete training material (several hundred slides) will be handed to students in digital form.
Trainees will receive a license for the Antid0te software and scripts used during the training; the license permits use but not redistribution of that software.
Basic understanding of exploitation
C and Python Programming knowledge
Knowledge of ARM64 assembly
ARM64 Apple Mac Notebook
iOS device supported by checkra1n-based jailbreaks for iOS 16
IDA Pro 7.x license (ARM64 support required)
Ghidra (now fully supported)
Hex-Rays decompiler for ARM64 (helpful, but not required)
BinDiff for IDA (helpful, but not required)
macOS with the latest Xcode and the iOS 16.x SDK (or newer)
Additional Software will be made available during the training
The training is held at a location in Singapore that is yet to be determined.
We offer the following rates for this training.
Payment is possible via international bank transfer or by credit card via Stripe. Please note that we usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.
If you have further questions or want to register for this training, please contact us by e-mail at firstname.lastname@example.org. Please note that signup, billing and delivery of the training are handled by Antid0te SG Pte. Ltd.
In-House Training / Conferences / Additional Trainings
If you are interested in this training but would like us to deliver it in-house for your team, want to feature it at your online conference, or would just like to know whether we will offer it again at a later date, please contact us by e-mail at email@example.com.