Stefan Esser


29 January to 01 February 2018


24 Seats


2900 EURO before January 1,
3500 EURO after.

This course introduces you to the low level internals of the iOS 11 and MacOS HighSierra kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis/detection or kernel exploit development.

The training will discuss both MacOS High Sierra on the x64 cpu architecture and iOS 11 on ARM64 architecture. The course material was updated to the latest changes to the security features of MacOS and iOS. The course material has been updated from previous years to incorporate the latests changes Apple made to the security features and also several of the hands-on tasks have been switched out against new ones to make the course exciting even for repeated participants.

Pre-requisite of Training Class:


  • able to write C code
  • able to understand python code
  • able to understand assembly language to some degree (x64, arm64)


  • MacBook (powerful enough to run a VM)
  • optionally a pre iPhone 7 iOS device on iOS 10.0.1-10.1.1


  • MacOS High Sierra (or Sierra)
  • Xcode with latest SDK
  • VMWare Fusion for running MacOS in a VM (other virtualization software possible but not officially supported)
  • IDA Pro for disassembling of X64 and ARM64 (other disassemblers like Hopper, Binary Ninja, radare2 possible but not officially supported)

Class Outline:


  • How to set up your Mac and Device for Vuln Research/Exploit Development
  • How to load own kernel modules into the iOS kernel
  • How to write Code for your iDevice
  • Damn Vulnerable iOS Kernel Extension

Low Level CPU

  • Differences between X64, ARM and ARM64
  • Exception Handling
  • Hardware Page Tables
  • Special Registers used by iOS
  • SMAP, SMEP, PAN and Pointer Authentication

MacOS/iOS Kernel Source Code

  • Structure of the Kernel Source Code
  • Where to look for Vulnerabilities
  • Implementation of Mitigations
  • MAC Policy Hooks, Sandbox, Entitlements, Code Signing

MacOS Kernel Security Programming Interfaces

  • Socket Filter
  • IP Filters
  • Mac Framework and other private security API

iOS Kernel Reversing

  • Structure of the Kernel Binary
  • Finding Important Structures
  • Porting Symbols
  • Closed Source Kernel Parts and How to analyze them

MacOS Kernel Debugging

  • Panic Dumps
  • Using the KDP Kernel Debugger
  • Kernel Heap Debugging/Visualization (new software package)

MacOS/iOS Kernel Heap

  • In-Depth Explanation of How the Kernel Heap works
  • how do attackers control the kernel heap layout?
  • About the heap randomness in iOS >= 9.2
  • All the changes to the heap in the latest version

MacOS/iOS Kernel Exploit Mitigations

  • Discussion of all the iOS Kernel Exploit Mitigations introduced

MacOS Kernel Rootkits

  • What techniques are common?
  • How to detect them?


Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook. Since then he focuses on the security of the MacOS and iOS kernel and teaches these topics in trainings all around the world.


Click here to register.