2024 archived version

iOS for Security Engineers

4200€ | 30th of September to the 3rd of October 2024 | Espace Cléry, 17 Rue de Cléry, Paris

During this training, participants will discover the ecosystem and the fundamental building blocks of the iOS operating system. They will discover the macOS toolchain used to deploy applications, and the debugging and diagnostic tools.

Participants will be taught the fundamentals needed to reverse-engineer applications and system services: Objective-C internals, IPC mechanisms (XPC, NSXPC) and kernel APIs.
Practical examples and exercises built on iOS 17 will guide them throughout the training. Hardware and software security measures unique to iOS will be covered, from both userland and kernel perspectives.


Objectives of the training

Discover the iOS ecosystem

Deploy code using the macOS toolchain

Use debugging and diagnostic tools

Get a global overview of XNU

Explore Objective-C internals

Use IPC mechanisms (XPC, NSXPC) and kernel APIs

Study XNU & hardware security (PAC, SPTM, sandbox, heap protections and more)

Get ready to perform iOS security research on your own

The trainer

Who will run this training?

Quentin Meffre

Synacktiv
@0xdagger

Quentin Meffre is a security researcher at Synacktiv.

His main interests are vulnerability research and exploit development. He especially likes iOS security.

He has spoken at international conferences including Hexacon, BlackHat EU and SSTIC.

Etienne Helluy-Lafont

Synacktiv

Etienne Helluy-Lafont is a security researcher working at Synacktiv.

His main research topics are kernels and wireless stacks.

He likes reading XNU's code, but his laptop is running Linux🐧.

Syllabus

What will we do?

Content

Day 1: Introduction to reverse engineering on Apple platforms

  • Setup of the working environment (pre-installed Debian laptop with macOS VM)
  • Developing on Apple platforms (macOS and iOS)
  • Using diagnostic tools
  • Introduction to the Apple ecosystem
  • Extraction of updates
  • Important file formats and tools

Day 2: Mach mechanisms

  • Introducing the XNU kernel
  • Monitoring kernel functions with DTrace
  • Explanations and exercises on inter-process communication in userland
  • Understanding how userland interacts with the kernel

Day 3: Reverse engineering Mach services

  • Discovering and experimenting with Objective-C internals
  • Using Frida to instrument userland services
  • Theory and practice on the XPC and NSXPC inter-process communication abstractions

Day 4: XNU security

  • Overview of pointer authentication on Apple platforms
  • Presentation of the MACF framework
  • Overview of AMFI and sandbox policies
  • Understanding defense in depth in the design of XNU
  • Hardware-specific kernel security measures
  • Interacting with kernel extensions
  • Kernel exploit mitigations

Audience and prerequisites

iOS for Security Engineers is an intermediate level course, designed for security engineers wishing to perform research on this system:

  • Pentesters
  • iOS developers
  • Security engineers

Good knowledge of C development and basic knowledge of reverse engineering are recommended.

Software requirements

  • Disassembler/Decompiler with ARM support is nice to have.
  • 100GB of free disk space
  • A Linux distribution (Debian is recommended) with admin privileges
  • Latest VirtualBox
  • Docker
  • Your favorite code editor
  • A PDF reader
  • SSH client + sshfs
