*OS - Security & Insecurity Workshop
Duration: 2 days

Back to course list Home
Synopsis This course, modeled after Jonathan Levin's "*OS Internals: Volume III", takes a practical approach to explaining the security of Apple's operating systems, by explaining the various mechanisms employed by Apple to secure the system - and yet demonstrating how they fail, time and time again. Through case studies of jailbreaks and Pegasus (the only weapons-grade malware caught in the wild), the techniques for protecting the OS integrity - as well as measures used to bypass them - are detailed.

Code samples detailing usage of each mechanism are provided as actual examples for discussion in class. Actual jailbreak code, including the latest iOS 11.1.2 Liber* family of jailbreaks, is presented. Advanced tools - such as Xn00p, our live kernel inspection/debugging tool - allow unprecedented visualization of what happens behind the scenes in every step of the jailbreak process.
Target Audience Reverse Engineers, Security and/or Malware Researchers and/or Forensics Experts - both Mac and iOS - interested in getting to know Apple's Operating Systems and their security measures intimately.
This course is an advanced course, and requires a priori familiarity with MacOS or iOS, as per Jonathan's Levin or Amit Singh's "Mac OS [and iOS] Internals" books. It does not discuss basic internals, but rather builds on them so as to focus on security. Participants are highly encouraged to read the books (see below, "Required Reading") throughly.

We would also suggest participants consider the basic MacOS/iOS Internals course prior to this one. For that course's alumni, this makes a perfect sequel and a chance to revisit internals - especially kernel aspects - in far greater detail.
  • Knowledge of Mac OS X and/or iOS, and user mode programming.
  • Knowledge of *OS kernel concepts: XNU = { Mach + BSD + IOKit }
  • Knowledge of Mach IPC - ports and message format
  • Familiarity with x86_64 and/or ARM32/64 is highly recommended
  • Bring your own Mac/jailbroken i-Device (ask us about renting one for class!)
  • Students must bring MacBooks with XCode 9.x + latest XNU Sources (4570+) installed (ask us about renting one!)
  • For iOS examples, it is recommended that students be in possession of a provisioning profile, or use jtool/ldid to self-sign
  • Understand the MAC Framework in MacOS and the iOS Variants
  • Understand kernel memory protections
  • Explain the methodology employed by jailbreaks and malware alike to elevate privileges and obtain unrestricted access
  • Understand how jailbreaks repeatedly find flaws and circumventions in Apple's mechanisms
  • Understand the Apple Sandbox, and its profile language
  • Explain common jailbreaking techniques, before and after kernel patch protection
  • Understand attack surfaces in OS X and iOS (and its derivatives), particularly those of the kernel, kexts (I/O Kit) and system daemons.
Exercises This course contains quite a few hands-on exercises, and walks through code samples (often in the form of guided instructor demos), as shown below
Suggested Reading: The following books are suggested as additional references for this course:
1. Introduction
1 hours
An overview of the architecture of *OS variants, from a threat assessment perspective. Focus on different abuse cases, and the mitigation techniques devised by Apple to address and prevent them.
  • Quick recap of the *OS Architecture
    • High level presentation of mitigation techniques
      • Attack surface of MacOS and the iOS variants
        • Divergences between MacOS and iOS variants
          2. The Boot Sequence
          2 hours
          The boot sequence - aside from starting up the system - is responsible for establishing and securing the chain of trust, which ensures component integrity. MacOS boot is (still) fairly lax, but that of the *OS variants is rigorously designed to be as bulletproof as possible.
          This module takes a close look at the stages of boot, focusing in particular on iBoot. Focusing on a purely reverse engineering approach, this module takes apart iBoot - from BootROM to kernelcache loading:
          • Boot sequence components: BootROM, iLLB, iBoot and friends
            • SHSH blobs and APTickets
              • Attack surface and potential vulnerability discussion
                • Reversing iBoot
                  3. The Mandatory Access Control Framework
                  0.5-1 hours
                  The Mandatory Access Control Framework (MACF) is the de-facto standard for all of Apple's security mitigation techniques - from code signing, through sandboxing. A legacy of TrustedBSD, although it is a "private" KPI, it is remarkably simple and, at the same time, powerful.
                  • Precursor: KAuth
                    • Introducing: MACF
                      • The MACF KPIs
                        • MAC Policies
                          • Creating a simple MACF policy
                            • Case study: MacOS Quarantine
                              4. AppleMobileFileIntegrity
                              2-3 hours (may spillover to day 2)
                              Sworn nemesis of jailbreakers, AppleMobileFileIntegrity (amfi) has become the linchpin of Darwin security, controlling the kernel-enforcement of code signing and kernel-level entitlements.
                              • AMFI components (kext, daemon)
                                • Detailed breakdown of AMFI.kext
                                  • Full reversing of amfid
                                    • AMFI.kext as an entitlement enforcement
                                      • The AMFI User Client
                                        Day 2
                                        5. Sandboxing
                                        2-3 hours
                                        The Apple Sandbox mechanism has evolved dramatically since its inception in MacOS 10.5 as "SeatBelt". It has also diverged in its implementations outside MacOS.
                                        • Sandboxing Terminology
                                          • Implementation in MacOS: The App Sandbox
                                            • The Sandbox Profile Language (SBPL)
                                              • Compiling profiles
                                                • Decompiling profiles
                                                  • Creating custom profiles
                                                    • Debugging the sandbox
                                                    • User mode APIs
                                                      • Implementation in *OS: forcing Containers
                                                        • Sandbox extensions
                                                          • Detailed reversing of the Sandbox kernel extension
                                                            • System Integrity Protection as a manifestation of the Sandbox
                                                              • iOS 10 and the platform profile
                                                                7. Data Protection
                                                                2 hours
                                                                No other OS vendor has publicly expressed tenacity to protect user's private data as Apple has. We discuss the mechanisms employed by Apple to achieve these goals, both in MacOS and *OS, including:
                                                                • FileVault and FileVault2
                                                                  • iOS Effaceable storage
                                                                    • Keybags and keychains
                                                                      • The AppleKeyStore and the role of SEP
                                                                        • Locking and unlocking i-Devices
                                                                          • APFS features (iOS 10.3+ and MacOS 13)
                                                                            7. Kernel level protections
                                                                            3 hours
                                                                            All of the mechanisms described thus far fail miserably when the ultimate trust boundary - the kernel - is compromised. We therefore discuss Apple's kernel exploit mitigations in depth, including:
                                                                            • Kernel Address Space Layout Randomization
                                                                              • Zone ("kernel heap") hardening
                                                                                • Kernel Patch Protection (iOS 9+, 64-bit)
                                                                                  • KPP past vulnerabilities and bypass techniques
                                                                                    • AMCC (iPhone 7)
                                                                                      8. Vulnerabilities and Exploits
                                                                                      2 hours (interleaved throughout other modules)
                                                                                      We turn our attention to discuss a few examples from the MacOS world, as well as past jailbreaks - as many as time permits, with actual code samples showing point proofs of concept on vulnerable (past) versions of MacOS and *OS. Exact samples may change by time of training, but at this point are:
                                                                                      • Ian Beer's 11.1.2 async_wake
                                                                                        • The 9.3.5 ("Phoenix") jailbreak
                                                                                          • Discussion of the OSUnserialize* bugs behind Pegasus
                                                                                            • So we have a UaF in XNU/IOKit. Now what?
                                                                                              • The QiLin post-exploitation toolkit
                                                                                                • Vulnerabilities from MacOS 12.x, with possibly a live Malware sample or two

                                                                                                  Frequently Asked Questions