
ONLINE REGISTRATION CLOSES OCT 13TH AT 23:59 MYT

           

Walk-in registrations at The InterContinental for the conference on the 16th and 17th are still accepted (walk-in rate MYR1499).

For up-to-the-minute updates on #HITB2013KUL including on-site happenings during the event, please follow @hitbsecconf on Twitter.

TECH TRAINING 3 – IOS EXPLOITATION TECHNIQUES

TRAINERS: Cyril ‘pod2g’ Cattiaux & Nikias ‘pimskeks’ Bassen (Member of Evad3rs)

CAPACITY: 25 pax

SEATS LEFT: 12

DURATION: 2 days (14th & 15th October 2013)

COST (per pax): MYR4999 (early bird) / MYR5999 (non early-bird)

________________

OVERVIEW

Arm yourself with the essential skills and knowledge to become the next iOS jailbreaker!

This 2-day course will put you in the driver's seat as you learn everything from a basic introduction to iOS to the most advanced techniques used by the evad3rs team in their latest jailbreaks. Topics covered will span the A-Z of iOS exploitation, including reverse engineering, debugging, fuzzing and next-generation exploitation techniques.

KEY LEARNING OBJECTIVES

 

- Understanding iOS Security Features

- Understanding Buffer/Heap/Stack Overflows

- Exploiting iOS applications, services, and the kernel

WHO SHOULD ATTEND

Penetration Testers, Security Auditors/Administrators/Managers, Forensic Scientists, (Wannabe-)Jailbreak developers, or anyone interested in jailbreaking or in improving their general knowledge of how to play with and/or break the security features of iOS.

PREREQUISITE KNOWLEDGE

Students should have a basic knowledge and understanding of writing code in Python and C, as well as familiarity with using the terminal to compile code with gcc. Knowledge of gdb and a basic understanding of ARM assembly are advantageous but not mandatory.

HARDWARE / SOFTWARE REQUIREMENTS

Students must bring their own laptops running OS X (10.8 / 10.7) with root access to install software and tools. The latest version of Xcode needs to be installed. For a better hands-on training experience, students are also strongly encouraged to bring an iOS device with its USB cable: an iPhone 4, iPod Touch 4th gen. or iPhone 3GS, either with iOS 6.1.2 installed or with VALID SHSH blobs to restore to 6.1.2. Students can also bring their jailbroken iOS 6.1.2 devices. Please keep in mind that the devices might lose all their data and we are not responsible for any data loss incurred.

COURSE AGENDA

Day 1

- Introduction to iOS security features:

    – mandatory code signing

    – sandbox

    – exploit mitigations at boot, user and kernel level

- Reverse engineering and forensics:

    – passcode bruteforcing

    – raw partition access for offline analysis

    – online, USB file access

    – ramdisks and recovery

    – firmware, boot loaders, and kernel decryption

    – application decryption

    – IDA setup, tips and tricks

    – dynamic instrumentation at boot and user level

    – debuggers

- Mach-O binary course: file format, entitlements, dynamic library loading

- Return Oriented Programming and tips

- Fuzzing apps and services (hands-on):

    – fuzzing mobile services using python and C

    – how to recognize an interesting crash

Day 2

- In-depth userland and kernel security mechanisms and weaknesses

    – code signing, entitlements, and sandbox enforcement

- Exploitation techniques

    – Integer overflows

    – Stack based buffer overflows: how to get through stack canaries

    – Heap based buffer overflows: heap spraying, heap massage and how to get control

    – Write anywhere kind of vulnerabilities

- Exploitation (hands-on):

    – from user-land memory corruption to code execution

    – we will provide examples of vulnerable programs and 0 days for the hands-on

- Kernel Fuzzing (hands-on):

    – writing a kernel fuzzer from scratch in C

    – discussing the vulnerabilities found

- Kernel exploitation techniques:

    – from kernel-land memory corruption to code execution

    – from code execution to jailbreak

ABOUT THE TRAINERS

Cyril (@pod2g)

Cyril (@pod2g) is a security researcher working for QuarksLab who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He is the initiator of Corona and Rocky-Racoon, the latest public jailbreaks for iOS. In December 2012, he created the 2G Lab company, focused on software development and security research projects.

Nikias Bassen (@pimskeks)

Nikias Bassen (@pimskeks) is the main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of communication and service protocols for iDevices. He found several flaws and directory traversals in iDevice services that allowed installation of Corona, Rocky-Racoon and the latest iOS 6 jailbreak. Apart from reverse engineering and security research, he founded the company samaraIT and is working as an independent developer for international clients.

Copyright © 2013 Hack In The Box | http://www.hackinthebox.org