Topics
- Introduction (starting with old devices)
- How to handle a new Firmware
- How to set up your Mac and Device for Vuln Research/Exploit Development
- How to boot own Kernels
- How to patch own Code into the Kernel
- How to write Code for your iDevice
- Low Level ARM / ARM64
- Differences between ARM and ARM64
- Exception Handling
- Hardware Page Tables
- Special Registers used by iOS
- ...
- iOS Kernel Source Code
- Structure of the Kernel Source Code
- Where to look for Vulnerabilities
- Implementation of Mitigations
- MAC Policy Hooks, Sandbox, Entitlements, Code Signing
- ...
- iOS Kernel Reversing
- Structure of the Kernel Binary
- Finding Important Structures
- Porting Symbols
- Closed Source Kernel Parts and How to analyze them
- ...
- iOS Kernel Debugging
- Panic Dumps
- Using the KDP Kernel Debugger
- Extending the Kernel Debugger (KDP++)
- Debugging with own Patches
- Kernel Heap Debugging/Visualization
- iOS Kernel Heap
- In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7/7.1)
- Different techniques to control the kernel heap layout
- iOS Kernel Exploit Mitigations
- Discussion of all the iOS Kernel Exploit Mitigations introduced
- Discussion of various weaknesses in these protections
- iOS Kernel Vulnerabilities and their Exploitation
- Discussion of previous kernel vulnerabilities used in public jailbreaks
- Introduction to kernel exploitation with a DEMO vulnerability
- Exploitation of a real kernel vulnerability at iOS 7.0.4
- iOS Kernel Jailbreaking
- Discussion of all the Kernel Patches applied by iOS Jailbreaks
- Handling of New Devices
- Discussion of necessary steps to port exploits from old to new devices
- iOS 7.1?
- Because the release date of iOS 7.1 is unknown at the moment it is not possible to predict what changes there might be in the kernel. However we will incorporate all the information known about the iOS 7.1 kernel until the training into the material.
- Persistence
- The topic of persistence or untethering will be discussed although the kernel land is only partially involved