SYS_13_15 - Introduction to iOS Security and Exploitation

Brief Description of Training Class:
Within this 3-day class we will first introduce students to the security features of iOS 6.1, discussing the changes and differences from previous iOS versions in both user land and kernel land. We will then walk everybody through the steps needed to set up a build, test, debug and exploitation environment, and share some secrets that are well known inside the jailbreaking community but not much outside of it. And this is only the program for day one. For the rest of the time we will perform actual exploitation of demo and real vulnerabilities in iOS applications, and of demo vulnerabilities in the kernel. Sorry, no kernel 0-day.

PREREQUISITES
  • Student
    • basic knowledge of ARM assembly
    • basic knowledge of C/C++/Objective C/Scripting languages
    • basic knowledge of software exploitation
    • the course is not targeted at people who have already exploited lots of iOS apps/kernels
    • the course is targeted at exploit developers who are switching over to iOS
    • having read the iOS Hacker's Handbook is a good starting point
  • Hardware
    • an iOS device with an A4 or older SoC that can run iOS 6.1 (iPhone 4, iPod touch 4th generation, iPhone 3GS)
    • MacBook (for Xcode)
  • Software
    • IDA (preferably a current version with iOS support)
    • Xcode
    • All other required software will be provided on a DVD
Daily Class Outline
The outline is just a raw dump. It is, for example, likely that the topics of the 1st day will not take the whole day, in which case we start on the topics for the next day early.

1st day - iOS Security Features from 4.0 to 6.1
  • Setting up an environment that allows
    • building
    • testing
    • debugging
    • exploiting
  • iOS Security/Jailbreak Secrets
    • intro to what makes an iOS jailbreak
    • advanced debugging tips
    • tools one needs to know and have
    • where do these keys on iPhonewiki come from? (aka secret tools)
    • ...
End of 1st day and 2nd day
  • iOS User Space Exploitation
    • building your own ARM ROP chains
    • exploitation of different Applications
    • we start with different bugs in self-written software
    • and then look at real vulnerabilities
End of 2nd day and 3rd day
  • iOS Kernel Exploitation
    • update of the iOS Hacker's Handbook kernel chapter
    • strategies to overcome iOS 6 kernel mitigations (KASLR, ...)
    • how to introduce and exploit demo vulnerabilities
    • writing your own code to debug the kernel
    • sorry no real kernel vulnerabilities