Recon Training - iOS security/exploitation workshop

Instructors: Stefan Esser
Dates: 17-20 June 2013
Availability: 18 Seats

This course will introduce you to the world of iOS and iDevice exploitation. First you will learn how to set up and configure your iDevice for vulnerability research, debugging and exploit development, so that you are prepared for all the training's hands-on sessions.

We will cover the latest iOS 6 security features, discuss their weaknesses and you will learn how to circumvent them. All attacks will be carried out against a mix of self-written applications and applications you can find on any iOS device.

Each part of the training will first give you an introduction to the basics you need to know, and then we will discuss exploitation step by step. You will then perform each step yourself on your iDevice.

At the end of the course you should be able to exploit new vulnerabilities in iOS 6 that you discover in user land or kernel land on your own.

Part 1: Introduction to iOS Hacking

You will learn some basics you need to know about iOS and iOS devices and we will go step by step through all the things required to prepare your device for exploit research and development. This includes configuring your device for local and remote debugging and how to develop tools that run on the device or communicate with it via USB.

Part 2: iOS User Space Exploitation

You will learn about the general structure of iOS user space programs, the Mach-O file format, code signing blobs, entitlements and the structure of the dyld_shared_cache that contains all the dynamic libraries. You will learn how to decrypt applications from the Apple App Store for further analysis and get some tips on how to audit them.

We will discuss the ASLR and stack canary implementations of iOS and how they affect exploit development. We will briefly cover the topic of iOS application fuzzing.

We will build a ROP gadget catalog based on some common libraries, then try it out against different targets and discuss the work required to port it to other device types or iOS versions.

While this training is not a browser exploitation training, we will discuss some specifics of attacks against MobileSafari, such as injecting code into the JIT area of JavaScriptCore.

Targets attacked during this part of the training will be a mixture of self-written dummy targets and real applications from the App Store or from the root filesystem of the device.

Part 3: iOS Kernel Debugging and Exploitation

The last part of the course will cover iOS kernel exploit development. Analogous to the user space part we will first go over the general structure of the iOS kernel and then discuss all the recently introduced security features in iOS like KASLR, kernel stack cookies and kernel heap hardening. We will highlight weaknesses in these mitigations and how we can abuse them.

You will learn how to boot your own patched kernels and how this helps in debugging problems inside the kernel. You will learn about KDP debugging and how panic dumps are often enough to debug problems.

During the training we will attack demo kernel vulnerabilities that we introduce ourselves by patching the kernel, and briefly discuss previous vulnerabilities used by public jailbreaks.

We will discuss the iOS kernel heap in depth and how you can influence and control it in order to exploit kernel heap memory corruptions. You will learn and try out the work required to achieve arbitrary code execution inside the kernel, which has become much harder since iOS 6.

Finally we will also have a look at the various kernel patches required to jailbreak a device.

Class Requirements

* IMPORTANT: You must be able to understand and write C code. Understanding Python code is also required, but being able to write it is optional.

* It is important that you understand ARM assembly and understand how to rearrange ARM code gadgets in ROP exploitation cases. Low-level ARM CPU knowledge is helpful but not required for the course.

Minimum Software to install:

* Legal IDA Pro license (6.0+ recommended). The Hex-Rays decompiler for ARM is helpful, but not required.

* You must have a Mac OS X machine to attend, and you should have a version of Xcode with the iOS SDK installed.

* An A4 iOS device capable of running iOS 6.1.2/3 or higher is required to be able to perform all the hands-on tasks within the training course. This means an iPod 4G or iPhone 4. If you cannot get these devices, contact the conference and we might be able to help out. If you decide to take the course anyway, then your device must be jailbroken at iOS 6.1.2.


Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released many advisories about vulnerabilities in software such as CVS, Samba, OpenBSD and Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application security company SektionEins GmbH, which he co-founded. In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook.
