Practical MacOS Monterey Kernel Exploitation on ARM64
VIRTUAL 32 CPE HOURS TRAINING: October 2022
## Course Description
With the release of MacOS Monterey, Apple has once again raised the bar for kernel-level security. This newly created course introduces you to state-of-the-art kernel exploitation against these security features on the latest Apple M1 based Macs. We concentrate on MacOS rather than iOS because these devices make teaching and learning about cutting-edge kernel exploitation against the newest kernel mitigations far more accessible than off-the-shelf iOS devices do.
This training follows a hands-on approach: instead of first introducing the trainee to topics such as the MacOS kernel heap or listing all the different kernel security features, we start with the exploitation of multiple vulnerabilities and cover the required background information at the point where the exploitation demands it.
The course requires trainees to have access to an Apple M1 based Mac in addition to the computer they use to stream the virtual training material and as the kernel debugging host.
## Topics
#### Introduction and Setup
- How to set up your M1 Mac for kernel exploitation
- How to load your own kernel modules into Apple M1 kernels
- How to patch your kernel
- Damn Vulnerable M1 MacOS Kernel Extension
#### MacOS Kernel Debugging
- Panic dumps
- Debugging with your own patches
- Kernel heap debugging and visualization
#### MacOS Kernel Heap
- In-depth explanation of how the kernel heap works (up to date for MacOS Monterey)
- Different techniques to control the kernel heap layout (including non-public ones)
- Discussion of weaknesses in the current heap implementation
#### MacOS Kernel Exploit Mitigations
- Discussion of the MacOS kernel exploit mitigations we encounter
- Includes software- and hardware-based mitigations such as KTRR, PAC and PAN
- Includes the newest mitigations already known from the latest kernels
- Discussion of various weaknesses in these protections
#### MacOS Kernel Vulnerabilities and their Exploitation
- Walkthrough of MacOS kernel memory corruption vulnerabilities
- Analysis of public exploits and discussion of how to improve them
- Overview of the different vulnerability types commonly found in the MacOS kernel and the corresponding exploit strategies
## Student Prerequisites
- Basic understanding of exploitation
- C and Python programming knowledge
- Basic knowledge of ARM64 assembly
## Hardware Requirements
- Apple M1 based Mac for the hands-on kernel exploitation exercises
- A second Apple Mac for streaming the course and serving as the host for kernel panic dumps
## Software Requirements
- IDA Pro 7.x license (ARM64 support required)
- Ghidra
- Hex-Rays decompiler for ARM64 (helpful, but not required)
- MacOS with the latest Xcode and the iOS 14.x SDK (or newer)
- Additional software will be made available during the training
## About the Trainer
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002, he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released many advisories about vulnerabilities in software such as CVS, Samba, OpenBSD and Internet Explorer.
In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development at the German web application company SektionEins GmbH, which he co-founded.
In 2010 he wrote his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook. In 2013 he founded Antid0te UG, a company that focuses on iOS security research and consulting.
#### TRAINING SCHEDULE
| Date | Session |
|------------------|-------------------|
| OCT 17 Monday | Live Lecture (4h) |
| OCT 18 Tuesday | Live Lecture (4h) |
| OCT 19 Wednesday | Live Lecture (2h) |
| OCT 20 Thursday | Live Lecture (4h) |
| OCT 21 Friday | Live Lecture (4h) |
| OCT 22 Saturday | Live Lecture (2h) |
##### 4h Live Lecture Timings
| Time | Time Zone |
|---------------|-----------------|
| 8 am - 12 pm | US Pacific Time |
| 11 am - 3 pm | US Eastern Time |
| 4 pm - 8 pm | UK |
| 5 pm - 9 pm | CET |
##### 2h Live Lecture Timings
| Time | Time Zone |
|---------------|-----------------|
| 8 am - 10 am | US Pacific Time |
| 11 am - 1 pm | US Eastern Time |
| 4 pm - 6 pm | UK |
| 5 pm - 7 pm | CET |
##### Lecture Recordings
Recordings shall be made available after each lecture, throughout the duration of the course. ONLY FOR REGISTERED STUDENTS.