*OS - Security & Insecurity Workshop

Synopsis

This course, modeled after Jonathan Levin's "*OS Internals: Volume III", takes a practical approach to explaining the security of Apple's operating systems, by explaining the various mechanisms employed by Apple to secure the system - and yet demonstrating how they fail, time and time again. Through case studies of jailbreaks and Pegasus (the only weapons-grade malware caught in the wild), the techniques for protecting the OS integrity - as well as measures used to bypass them - are detailed.

Code samples detailing usage of each mechanism are provided as actual examples for discussion in class. Actual jailbreak code, including the latest iOS 12.1.2 Liber* family of jailbreaks, is presented. Advanced tools - such as Xn00p, our live kernel inspection/debugging tool - allow unprecedented visualization of what happens behind the scenes in every step of the jailbreak process. This course is updated to the latest Darwin 19 beta releases!

Target Audience

Reverse Engineers, Security and/or Malware Researchers - both Mac and iOS - interested in getting to know Apple's Operating Systems and their security measures intimately.

Prerequisites

This course is an advanced course, and requires a priori familiarity with MacOS or iOS, as per Jonathan's Levin or Amit Singh's "Mac OS [and iOS] Internals" books. It does not discuss basic internals, but rather builds on them so as to focus on security. Participants are highly encouraged to read the books (see below, "Required Reading") throughly.

We would also suggest participants consider the basic MacOS/iOS Internals course prior to this one. For that course's alumni, this makes a perfect sequel and a chance to revisit internals - especially kernel aspects - in far greater detail.

Knowledge of Mac OS X and/or iOS, and user mode programming.
Knowledge of *OS kernel concepts: XNU = { Mach + BSD + IOKit }
Knowledge of Mach IPC - ports and message format
Familiarity with x86_64 and/or ARM32/64 is highly recommended
Bring your own Mac/jailbroken i-Device (ask us about renting one for class!)
Students must bring MacBooks with XCode 10.x + latest XNU Sources (4903+) installed (ask us about renting one!)
For iOS examples, it is recommended that students be in possession of a provisioning profile, or use jtool/ldid to self-sign

Objectives

Understand the MAC Framework in MacOS and the iOS Variants
Understand kernel memory protections
Explain the methodology employed by jailbreaks and malware alike to elevate privileges and obtain unrestricted access
Understand how jailbreaks repeatedly find flaws and circumventions in Apple's mechanisms
Understand the Apple Sandbox, and its profile language
Explain common jailbreaking techniques, before and after kernel patch protection
Understand attack surfaces in OS X and iOS (and its derivatives), particularly those of the kernel, kexts (I/O Kit) and system daemons.

Exercises

This course contains quite a few hands-on exercises, and walks through code samples (often in the form of guided instructor demos), as shown below

Suggested Reading:

The following books are suggested as additional references for this course:

Modules

1.	Introduction
	1 hours

An overview of the architecture of *OS variants, from a threat assessment perspective. Focus on different abuse cases, and the mitigation techniques devised by Apple to address and prevent them.

Quick recap of the *OS Architecture
High level presentation of mitigation techniques
Attack surface of MacOS and the iOS variants
Divergences between MacOS and iOS variants

*.	Monitoring
	1-2 hours

Explaining the reactive mechanisms by means of which system activity can be monitored (though not intercepted) and logged. This includes a detailed discussion of:

Auditing (MacOS)
KDebug
DTrace (MacOS)
FSEvents
Stackshot
Proc info

2.	The Boot Sequence
	2 hours

The boot sequence - aside from starting up the system - is responsible for establishing and securing the chain of trust, which ensures component integrity. MacOS boot is (still) fairly lax, but that of the *OS variants is rigorously designed to be as bulletproof as possible.
This module takes a close look at the stages of boot, focusing in particular on iBoot. Focusing on a purely reverse engineering approach, this module takes apart iBoot - from BootROM to kernelcache loading:

Boot sequence components: BootROM, iLLB, iBoot and friends
SHSH blobs and APTickets
Attack surface and potential vulnerability discussion
Reversing iBoot (once decrypted)
Reversing the Secure Enclave Processor (SEP) image (once decrypted)

3.	The Mandatory Access Control Framework
	0.5-1 hours

The Mandatory Access Control Framework (MACF) is the de-facto standard for all of Apple's security mitigation techniques - from code signing, through sandboxing. A legacy of TrustedBSD, although it is a "private" KPI, it is remarkably simple and, at the same time, powerful.

Precursor: KAuth
Introducing: MACF
The MACF KPIs
MAC Policies
Creating a simple MACF policy
Case study: MacOS Quarantine
Case Study: MacOS 10.15 EndpointSecurity

4.	AppleMobileFileIntegrity
	2 hours

Sworn nemesis of jailbreakers, AppleMobileFileIntegrity (amfi) has become the linchpin of Darwin security, controlling the kernel-enforcement of code signing and kernel-level entitlements.

AMFI components (kext, daemon)
Detailed breakdown of AMFI.kext
Full reversing of amfid
AMFI.kext as an entitlement enforcement
The AMFI User Client
iOS 12: CoreTrust

5.	Sandboxing
	2 hours

The Apple Sandbox mechanism has evolved dramatically since its inception in MacOS 10.5 as "SeatBelt". It has also diverged in its implementations outside MacOS.

Sandboxing Terminology
Implementation in MacOS: The App Sandbox
The Sandbox Profile Language (SBPL)
- Compiling profiles
- Decompiling profiles
- Creating custom profiles
- Debugging the sandbox
User mode APIs
Implementation in *OS: forcing Containers
Sandbox extensions
Detailed reversing of the Sandbox kernel extension
System Integrity Protection as a manifestation of the Sandbox
iOS 10 and the platform profile
Darwin 18 and TCC integration

Day 2

6.	kobjects
	3 hours

Ports are mere 32-bit identifiers in user space, but kernel space reveals a vast menagerie of complicated objects, of which IPC ports are but one type. This module examines thoese objects in detail, including:

The BSD objects (processes, threads and files)
The ipc_object_t
The ipc_port_t
The task_t and thread_t
Vouchers

7.	Get in the (kernel) zone
	3 hours

Everything that user mode "sees" and touches is a figment of the kernel's memory. Understanding memory structures and management is paramount - for researchers and exploiters alike. This module discusses in depth the various allocation mechanisms of kernel memory

The vm_map abstraction
The pmap abstraction
The Zone allocator
Darwin 18: The Zone Cache
Garbage collection, Feng Shui, and other techniques
Zone ("kernel heap") hardening

8.	Let's Get Physical
	3 hours

Apple is one of the only vendors to adopt proprietary protections for physical memory. Starting with the simple "WatchTower" KPP, Apple moved to introduce KTRR in the A10, followed by APRR (A11), along with novel applications such as PPL. But what do all these acronyms mean? And what is their impact on exploitation?

A6-A9, iOS9+: KPP
A10+: KTRR
A11+: APRR
A12+: PPL

Day 3

9.	Aie, Aie, IOKit
	2 hours

IOKit is the most advanced and powerful feature of XNU, allowing C++ code in kernel with all its might - Object orientation and inheritance - and all its weaknesses. IOKit objects have become crucial for many an exploit, both as a vector for vulnerabilities, and as a mechanism for kernel code execution.

IOKit objects: Services and user clients
Enumerating and identifying IOKit objects in *OS kernels
Object corruption and fake objects
Kernel code execution primitives (and how to survive without them)

10.	Vulnerabilities and Exploits
	6.5 hours (and interleaved throughout other modules)

We turn our attention to discuss a few examples from the MacOS world, as well as past jailbreaks - as many as time permits, with actual code samples showing point proofs of concept on vulnerable (past) versions of MacOS and *OS. Exact samples may change by time of training, but at this point are:

The 9.3.5 ("Phoenix") jailbreak
Ian Beer's 11.1.2 async_wake
User mode jailbreaks: Brandon Azad's Blanket
The most recent iOS 12.1.1 Mach voucher bug (Brandon Azad's and S0rryMyBad's methods)
Discussion of the OSUnserialize* bugs behind Pegasus
The QiLin post-exploitation toolkit

Home

Training

Consulting

Products (NEW)

Contact Us

Frequently Asked Questions