
iOS 7 Exploitation (Focus: MobileSafari Case Study)

- Stefan Esser

In this 3-day class we will introduce students to the security architecture of iOS 7 and teach them how to set up devices for vulnerability research, debugging and exploitation. We will discuss exploitation of userland applications, using previously disclosed real vulnerabilities in the MobileSafari browser as examples. We will discuss exploitation on ARM devices (A4-A6) and on ARM64 devices (A7). Students will be introduced to the differences between the ARM64 and ARM architectures.

Pre-requisite of Training Class

Student

  • basic knowledge of ARM assembly
  • basic knowledge of C/C++/Objective C/Scripting languages
  • basic knowledge of software exploitation
  • course not targeted to people that already have exploited lots of iOS apps/kernels
  • course targeted to exploiters that switch over to iOS
  • having read the iOS Hackers Handbook is a good starting point

Hardware

  • iOS device capable of running iOS 7 (preferred device: iPhone 4) - please notify the trainer beforehand what kind of device you will bring
  • MacBook (for Xcode) - if you borrow a MacBook please ensure you have the right to install software

Software

  • IDA (preferably a current version with iOS support)
  • OS X Mountain Lion 10.8.5 or newer (please no betas)
  • Latest Xcode
  • All other required software will be provided on a DVD/as download

Class Outline

Setting up an iOS environment that allows

  • Building
  • Testing
  • Debugging
  • Exploiting

ARM vs ARM64 - Introduction to 64bit ARM

iOS Userland Exploitation

  • iOS Userland Security Features and their weaknesses
  • building ARM/ARM64 ROP chains
  • MobileSafari Case Study
  • Untethering of the Challenge of Persistence

Brief Introduction to iOS Kernel Security Features

  • we discuss different iOS Kernel Security Features introduced between iOS 4 and 7.1
  • however this training focuses on userland/browser exploitation
