MacOS High Sierra and iOS 11 Kernel Internals for Security Researchers
Click here to register.
Instructor:
Stefan Esser
Dates:
11-14 June 2018
Capacity:
18 Seats
Price:
4600$ CAD before May 1,
5400$ CAD after.
This course introduces you to the low level internals of the iOS and OS X kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis/detection or kernel exploit development. While this course is concentrating on MacOS High Sierra on the x64 cpu architecture the latest security enhancements of iOS 9/10 will also be discussed. The course material was updated to the latest security features of MacOS High Sierra and iOS 11. Apple incorporated lots of changes into iOS MacOS High Sierra and iOS 11. Therefore there are many changes to the material from previous course.
CLASS OUTLINE
- Introduction
- Setting up a development and debugging environment
- Developing your own kernel extensions
- Low Level x64 / ARM / ARM64
- Low level cpu details
- Physical memory management
- Kernel Source Code
- Structure of the source code
- Howto find vulnerabilities
- How security mitigations are implemented
- Kernel Drivers/Extensions
- IOKit
- Driver attack surface
- Kernel driver code-signing
- Kernel Internals
- Important data structures of the kernel
- Mach-o fileformat / encryption
- Mach messages and IPC
- Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter
- Filesystems, networking stack
- Kernel Debugging
- Panic Dumps
- Built-in Kernel Debugging
- Debugging with own kernel extensions
- Kernel Heap Debugging/Visualization
- Kernel Heap and Memory Management
- In-depth explanation how various memory allocators work
- Various techniques for kernel heap layout control
- Kernel Vulnerabilities
- History of kernel vulnerabilities and how they were exploited
- Kernel Rootkit Detection
- Discussion of previously hooked / abused data structures in OS X rootkits
- iOS 9 Kernel Patch Protection
- what structures are now protected by KPP
CLASS REQUIREMENTS
Prerequisites
- Basic understanding of exploitation
- Knowledge of X64 assembly
Hardware
- Apple Mac Notebook capable of running latest OS X within VMWARE
- Enough hard disk space to run VMs
Minimum Software to Install
- Mac OS X Sierra / High Sierra
- VMWARE Fusion for running Mac OS X VMs
- IDA Pro with x86_64 and ARM64 support (IDA 7 Freeware not enough)
- Hex-Rays Decompiler for x86_64 and ARM64 nice to have but not required
- Alternatively Hopper or Binary Ninja if IDA is not available (scripts/plugins vary between tools)
BIO
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Appleās iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook.
TO REGISTER
Click here to register.