iOS 14/15 Userspace Exploitation


Posted by: Stefan Esser
Instructor: Stefan Esser (Antid0te UG/Antid0te SG)
Dates: 18th April - 22nd April 2022 (APAC Timezone)
Dates: 25th April - 29th April 2022 (EU/North America Timezone)
Venue: Online, Zoom
Availability: 20 Seats
Language: English

With the release of iOS 14 and 15, Apple has not only raised the bar in terms of kernel-level security but has also made improvements in protecting userspace applications from being exploited and has added mitigations that make post-exploitation more difficult. This course gives trainees who already have background knowledge in exploitation a complete introduction to the specifics of targeting iOS applications and daemons. In particular, popular targets such as XPC services, WebKit/MobileSafari and iMessage will be covered.

This training will be held virtually in April 2022 via Zoom sessions, with support via a Discord server. It will be performed twice to allow trainees across different timezones to attend. For 5 days there will be daily live training sessions of around 5 hours in length. In addition, 1-2 weeks before the course all trainees will receive a multi-hour set of introduction videos that they need to work through before the course starts. This course is targeted at security researchers who want to learn how to find and exploit userspace vulnerabilities in iOS 14 and 15.

The course requires trainees to have their own iOS device that is jailbroken on iOS 14 or iOS 15. A device compatible with the checkra1n iOS 14 jailbreak is best. If checkra1n becomes available for iOS 15 devices by the time of the course, that is also acceptable. Alternatively, macOS ARM64 devices can be used to perform the hands-on tasks.

Topics

The following list of topics shows what is usually covered by the course.

  • Introduction
    • How to set up your Mac and Device for Vuln Research/Exploit Development
    • iOS Userspace Memory Layout
    • Dynamic Loading Frameworks, Libraries and ASLR
    • iOS Sandboxing and Inter Process Communication
    • Userspace Exploit Mitigations
    • Userspace Attack Surface
  • Objective-C and Swift Targets
    • Discussion of specific Objective-C and Swift exploitation strategies
  • ARM v8.3 Pointer Authentication
    • Exploitation despite modern mitigations
  • iOS Userland Debugging
    • Using the iOS Userland Debugger for vulnerability research
    • How to deal with iOS Anti Debugging Tricks
  • iOS Userland Heap
    • Discussion of the iOS Userland Heap implementation
    • Discussion of other heap implementations in our targets
    • Introduction of new iOS userland heap visualization toolset
  • MIG and other forms of IPC
    • Introduction to MIG/IPC
    • Understanding the MIG/IPC architecture and its attack surface
    • Mach messages
    • Fuzzing and Exploitation of MIG services
  • XPC services
    • Introduction to XPC services
    • Understanding the XPC architecture and attack surface
    • Understanding target specific mitigations
    • XPC serialization / deserialization
    • Fuzzing XPC services
    • Exploiting XPC services
  • Mobile Safari
    • Introduction to Mobile Safari and its architecture
    • Understanding the attack surface of WebKit and JavaScript Core
    • Understanding target specific mitigations
    • Understanding the heap implementation
    • Introspection and instrumentation
    • Fuzzing Mobile Safari
    • Exploiting Mobile Safari
  • iMessage Exploitation
    • Introduction to iMessage and its architecture
    • Understanding the attack surface
    • Understanding target specific mitigations
    • Introspection and instrumentation
    • Fuzzing iMessage
    • Exploiting iMessage
  • What is new in iOS 15
    • New mitigations in iOS 15 will be covered

Training Takeaways

  • The whole training material (several hundred slides) will be handed to the students in digital form.
  • For up to 5 days after the training students can rewatch video recordings of all sessions.
  • Trainees will get a license for the Antid0te software and scripts used during the training; the license allows usage but not redistribution of said software.

Training Requirements

  • Student Requirements
    • Basic understanding of exploitation
    • C and Python Programming knowledge
    • Knowledge of ARM64 assembly
  • Hardware Requirements
    • Apple Mac Notebook
    • Jailbroken iOS device on iOS 14/15 (ideally one that is compatible with checkra1n)
    • Access to an Apple ARM64 MacBook can substitute for a missing iOS device (we will have some available via remote access)
  • Software Requirements
    • IDA Pro 7.x license (ARM64 support required)
    • Ghidra (Fully supported now)
    • Hex-Rays decompiler for ARM64 helpful, but not required
    • BinDiff for IDA helpful, but not required
    • macOS, with the latest Xcode and the iOS 14.x SDK (or newer)
    • Additional Software will be made available during the training

Virtual Venue

The training sessions will be held via Zoom video conferencing and will be around 5 hours per training day. In addition, trainees will get access to a few hours' worth of introductory videos.

Furthermore, trainees get access to a Discord server that will be used to post information regarding the training and to discuss exercises and their solutions, unless those are covered via Zoom.

All training sessions will be recorded and made available as videos until 5 days after the training. During that time trainees can rewatch sessions as often as they want.

Timezones

We offer this training in an EU/North America edition and in an APAC timezone edition. For other timezones please enquire. Unlike in-person training courses, where all attendees are present and share the same timezone, running an online training course requires some adjustments to allow attendees across different timezones to attend.

EU / North America Edition

17:00 - 22:00 Berlin
16:00 - 21:00 London
08:00am - 01:00pm Seattle / Vancouver
11:00am - 04:00pm New York / Montreal

Asia Pacific Edition

01:00pm - 06:00pm Singapore
02:00pm - 07:00pm Seoul
02:00pm - 07:00pm Tokyo
03:00pm - 08:00pm Sydney
07:00 - 12:00 Berlin

Please note that training times will be in the afternoon for the APAC edition because the trainer may be in Germany at that time.

Pricing

We offer the following rates for this training.

EUR 4,000
SGD 6,200
USD 4,750

Payment is possible via international bank transfer or via credit card through Stripe. Please note that we will usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.

Register

If you have further questions or want to register for this training, please contact us by e-mail at training@antid0te.com. Please note that signup, billing and execution of the training are handled by Antid0te SG Pte. Ltd.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but want us to deliver it to your own staff, want to feature our training at your online conference, or would just like to know whether we will offer the training again at a later time, please contact us by e-mail at training@antid0te.com.