Recon Training - iOS 7 Kernel Exploitation Training

Instructors: Stefan Esser
Dates: 23-26 June 2014
Capacity: 18 Seats

With the release of iOS 6 in 2012 Apple has started to drastically improve the security of the iOS kernel. The exploitation of kernel vulnerabilities has become far more complex and difficult than it has been in the good old days of iOS 5. And not only that, with the recent release of iOS 7 Apple has once again changed the game. On the one hand core data structures and algorithms have been changed, like the heap zone allocator, which will break exploits designed for previous versions of iOS and on the other hand additional mitigations have been added to the iOS kernel to make attacks even harder.

Throughout this course students will get to know all these changes, how they have been circumvented in previous iOS kernel exploits and will learn strategies required for future kernel exploitation. And they will do this hands-on on actual devices running iOS 7.

Coming out of this training students will have an understanding of how to exploit kernel vulnerabilities in iOS 7 and will have learned strategies to find new such vulnerabilities.


* Introduction (starting with old devices)
- How to handle a new Firmware
- How to set up your Mac and Device for Vuln Research/Exploit Development
- How to boot own Kernels
- How to patch own Code into the Kernel
- How to write Code for your iDevice

* Low Level ARM / ARM64
- Differences between ARM and ARM64
- Exception Handling
- Hardware Page Tables
- Special Registers used by iOS

* iOS Kernel Source Code
- Structure of the Kernel Source Code
- Where to look for Vulnerabilities
- Implementation of Mitigations
- MAC Policy Hooks, Sandbox, Entitlements, Code Signing

* iOS Kernel Reversing
- Structure of the Kernel Binary
- Finding Important Structures
- Porting Symbols
- Closed Source Kernel Parts and How to analyze them

* iOS Kernel Debugging
- Panic Dumps
- Using the KDP Kernel Debugger
- Extending the Kernel Debugger (KDP++)
- Debugging with own Patches

* Kernel Heap Debugging/Visualization
- iOS Kernel Heap
- In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7)
- Different techniques to control the kernel heap layout

* iOS Kernel Exploit Mitigations
- Discussion of all the iOS Kernel Exploit Mitigations introduced
- Discussion of various weaknesses in these protections

* iOS Kernel Vulnerabilities and their Exploitation
- Discussion of previous kernel vulnerabilities used in public jailbreaks
- Exploitation of a real kernel vulnerability at iOS 7.0.4

Class Requirements


* Students must have a general understading of ARM assembly

* Students must understand the concept of ROP exploitation, buffer overflows, ...

Minimum Software to install:

* Macbook running latest OSX Mountain Lion or Mavericks

* Copy of IDA 6.x (IDA 6.5 preferred)

* Latest XCode with iOS 7 SDK

* Students should bring an iPhone 4 at iOS 7 that is jailbroken

* Trainer will have a few spare iPhone 4 for students that cannot bring an iPhone 4

* Students can optionally bring newer iOS devices but those must be jailbroken on iOS 7.0.x


Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook.

To Register

Click here to register.