How to set up your Mac and Device for Vuln Research/Exploit Development
  How to boot your own Kernels
  How to patch your own Code into the Kernel
  How to write Code for your iDevice
Low Level ARM / ARM64
  Differences between ARM and ARM64
  Exception Handling
  Hardware Page Tables
  Special Registers used by iOS
  ...
iOS Kernel Source Code
  Structure of the Kernel Source Code
  Where to look for Vulnerabilities
  Implementation of Mitigations
  MAC Policy Hooks, Sandbox, Entitlements, Code Signing
  ...
iOS Kernel Reversing
  Structure of the Kernel Binary
  Finding Important Structures
  Porting Symbols
  Closed Source Kernel Parts and How to analyze them
  ...
iOS Kernel Debugging
  Panic Dumps
  Using the KDP Kernel Debugger
  Extending the Kernel Debugger (KDP++)
  Debugging with your own Patches
  Kernel Heap Debugging/Visualization
iOS Kernel Heap
  In-Depth Explanation of How the Kernel Heap works (including recent changes in iOS 7/7.1)
  Different techniques to control the kernel heap layout
iOS Kernel Exploit Mitigations
  Discussion of all the iOS Kernel Exploit Mitigations introduced
  Discussion of various weaknesses in these protections
iOS Kernel Vulnerabilities and their Exploitation
  Discussion of previous kernel vulnerabilities used in public jailbreaks
  Introduction to kernel exploitation with a DEMO vulnerability
  Exploitation of a real kernel vulnerability at iOS 7.0.4
iOS Kernel Jailbreaking
  Discussion of all the Kernel Patches applied by iOS Jailbreaks
Handling of New Devices
  Discussion of necessary steps to port exploits from old to new devices
iOS 7.1?
  Because the release date of iOS 7.1 is unknown at the moment, it is not possible to predict what changes there might be in the kernel. However, all information known about the iOS 7.1 kernel up to the date of the training will be incorporated into the material.
Persistence
  The topic of persistence (untethering) will be discussed as well, although kernel land is only partially involved.