3-DAY TRAINING 10 – iOS 11/12 Userspace Exploitation Training


CAPACITY: 20 pax


EUR2599 (early bird)

EUR3199 (normal)

Early bird registration rate ends on the 28th of February


For years we have taught iOS Kernel Exploitation to a large crowd of students. However, more and more students have been asking for a similar course targeted at iOS Userspace Exploitation. Therefore, for 2019 we have finally added this course to our syllabus.

In this three-day training, participants will take a deep dive into topics related to iOS 11/12 userspace level exploitation. This starts with a short crash course in ARM64, followed by an introduction to the details of iOS userspace, from memory layout and its randomization through sandboxing and IPC to the attack surface of applications, daemons and browsers. The following days will then concentrate on common vulnerabilities in these areas and how they are usually exploited. The course will also introduce the students to the heap implementations involved, so that they can fully understand the heap exploitation examples.

All hands-on exercises will be performed on iOS devices running iOS 11.x, which will be provided by the trainer for the duration of the course.

Who Should Attend

Anyone with some prior knowledge in exploitation who wants to understand iOS userspace level exploitation.

Key Learning Objectives

– Understanding iOS exploitation on ARM64
– Understanding the iOS sandboxing from userspace
– Understanding userspace exploit mitigations
– Common vulnerabilities in iOS applications and daemons and their exploitation
– Understanding iOS userspace heap implementations
– Basics of iOS browser exploitation

Prerequisite Knowledge

– Basic knowledge of exploitation (preferably on ARM platform)

Hardware / Software Requirements

– MacBook with latest macOS
– latest Xcode with support for iOS 11/12
– IDA Pro 7.x or Hopper
– (optionally) iOS device on iOS 11

Agenda – Day 1:

– ARM64 Architecture and Assembly for Userspace Exploitation
– iOS Userspace Memory Layout
– Dynamic Loading Frameworks, Libraries and ASLR
– Understanding Applications, Daemons and Browsers
– iOS Sandboxing and Inter Process Communication
– Userspace Exploit Mitigations
– Userspace Attack Surface

Agenda – Day 2:

– Debugging on iOS
– Working with or without Jailbreaks
– iOS Userland Heap Implementation
– Vulnerabilities and their Exploitation in Applications
– Vulnerabilities and their Exploitation in Daemons

Agenda – Day 3:

– ARMv8.3 Pointer Authentication
– WebKit Heap Implementation
– Exploitation of WebKit/JavaScriptCore based bugs

Note: This training is not a full browser exploitation training and will only cover basics.

Location: Training Rooms
Date: May 6, 2019
Time: 9:00 am - 6:00 pm
Stefan Esser