Technologeeks - *OS - Security & Insecurity Workshop

*OS - Security & Insecurity Workshop -- Duration: 3 days
----------------------------------------------
Synopsis

This course, modeled after Jonathan Levin's "*OS Internals: Volume III", takes a practical approach to explaining the security of Apple's operating systems, by explaining the various mechanisms employed by Apple to secure the system - and yet demonstrating how they fail, time and time again. Through case studies of jailbreaks and Pegasus (the only weapons-grade malware caught in the wild), the techniques for protecting the OS integrity - as well as past measures used to bypass them - are detailed.

Code samples detailing usage of each mechanism, and reversing of binaries are provided as actual examples for discussion in class. Advanced tools - such as Xn00p2, our live kernel inspection/debugging tool - allow unprecedented visualization of what happens behind the scenes in every step of the jailbreak process. This course is updated to the latest Darwin 24 releases (iOS18, macOS 10.20/"15") - and by the time OBTS takes place - we'll be ready for iOS 19 and the next macOS!

Target Audience

Reverse Engineers, Security and/or Malware Researchers - both Mac and iOS - interested in getting to know Apple's Operating Systems and their security measures intimately. Alumni of our previous trainings or avid readers of MOXiI would especially benefit from this

Prerequisites

This course is an advanced course, and requires a priori familiarity with MacOS or iOS, as per Jonathan's Levin or Amit Singh's "Mac OS [and iOS] Internals" books. It does not discuss basic internals, but rather builds on them so as to focus on security. Participants are highly encouraged to read the books (see below, "Required Reading") throughly.

We would also suggest participants consider the basic MacOS/iOS Internals course prior to this one. For that course's alumni, this makes a perfect sequel and a chance to revisit internals - especially kernel aspects - in far greater detail

Knowledge of Mac OS X and/or iOS, and user mode programming.
Knowledge of *OS kernel concepts: XNU = { Mach + BSD + IOKit }
Knowledge of Mach IPC - ports and message format
Familiarity with x86_64 and/or ARM32/64 is highly recommended
Students must bring MacBooks with XCode 15.x + latest XNU Sources (11215+) installed (ask us about renting one!)
Tools:
- Apple Silicon Mac, preferably SIP disabled in a VM like Parallels (don't ever disable SIP on a system you care abot!)
- Latest iOS IPSW image - by then it will likely be iOS 19 - that's totally fine - and better! Get one from iPhone 16 or 17(?) that has exclaveCore, SPTM and TXM images. IPSW.me is a good site.
- disarm (the unofficial "jtool3")
- ProcExp
- Imjtool

Objectives

Understand the MAC Framework in MacOS and the iOS Variants
Understand kernel memory protections
Explain the methodology employed by jailbreaks and malware alike to elevate privileges and obtain unrestricted access
Understand how jailbreaks repeatedly find flaws and circumventions in Apple's mechanisms
Understand the Apple Sandbox, its profiles, and interaction with AMFI, TCC and other components
Explain common jailbreaking techniques, before and after kernel patch protection
Understand attack surfaces in OS X and iOS (and its derivatives), particularly those of the kernel, kexts (I/O Kit) and system daemons.

Exercises

This course is too packed for exercises, but does have a lot of hands-on walk throughs, with code samples, disassembly, and Xn00p(2)ing around.

Suggested Reading

The following books are suggested as additional references for this course:

MODULES

1.	Introduction
	1 hours

An overview of the architecture of *OS variants, from a threat assessment perspective. Focus on different abuse cases, and the mitigation techniques devised by Apple to address and prevent them.

Quick recap of the *OS Architecture
High level presentation of mitigation techniques
Attack surface of MacOS and the iOS variants
Divergences between MacOS and iOS variants
IPC Channels (refresher): Sockets, Mach Messages, XPC
PAC and its importance, and the inevitability of MTE

*.	Monitoring
	1-2 hours

Explaining the reactive mechanisms by means of which system activity can be monitored (though not intercepted) and logged. This includes a detailed discussion of:

Auditing (MacOS) and the move to EndPoint Security
KDebug
DTrace (MacOS)
FSEvents
Stackshot
Proc info

2.	Code Signing
	3 hours

Code Signing in Darwin not only secures code by authenticating and tamper proofing it - but also provides the substrate for all of its security features. Entitlements, Code Signature Requirements, and (more recently) Launch Constraints are all based on this important facility, which we discuss in unprecdented detail.

The Security Framework (participants will need the open sources)
Refreshing Mach-O principles
LC_CODE_SIGNATURE
The Code Signature SuperBlob
The Code Directory
Special Blobs
Self-Signing and Ad-Hoc Code Signatures
Entitlements
Launch Constraints

3.	The Mandatory Access Control Framework
	0.5-1 hours

The Mandatory Access Control Framework (MACF) is the de-facto standard for all of Apple's security mitigation techniques - from code signing, through sandboxing. A legacy of TrustedBSD, although it is a "private" KPI, it is remarkably simple and, at the same time, powerful.

Precursor: KAuth
Introducing: MACF
The MACF KPIs
MAC Policies
Creating a simple MACF policy
Case study: MacOS Quarantine
Case Study: MacOS 10.15 EndpointSecurity

4.	AppleMobileFileIntegrity
	2 hours

Sworn nemesis of jailbreakers, AppleMobileFileIntegrity (amfi) has become the linchpin of Darwin security, controlling the kernel-enforcement of code signing and kernel-level entitlements.

AMFI components (kext, daemon)
Detailed breakdown of AMFI.kext
Full reversing of amfid
AMFI.kext as an entitlement enforcement
The AMFI User Client
iOS 12: CoreTrust
iOS 16: Developer Mode
iOS 18: Restricted Execution Mode

5.	Sandboxing
	2 hours

The Apple Sandbox mechanism has evolved dramatically since its inception in MacOS 10.5 as "SeatBelt". It has also diverged in its implementations outside MacOS.

Sandboxing Terminology
Implementation in MacOS: The App Sandbox
The Sandbox Profile Language (SBPL)
- Compiling profiles
- Decompiling profiles
- Creating custom profiles
- Debugging the sandbox
User mode APIs
Implementation in *OS: forcing Containers
Sandbox extensions
Detailed reversing of the Sandbox kernel extension
System Integrity Protection as a manifestation of the Sandbox
iOS 10 and the platform profile
TCC integration

6.	kobjects
	3 hours

Ports are mere 32-bit identifiers in user space, but kernel space reveals a vast menagerie of complicated objects, of which IPC ports are but one type. Processes ("PIDs") become proc_ts, tasks become task_ts, and virtual memory is laid out through the vm_map_ts. This module examines thoese objects in detail, showing live kernel memory using Xn00p2 of various objects, including:

The BSD objects (processes, threads and files)
The ipc_object_t
The ipc_port_t
The task_t and thread_t
The vm_map

7.	Aie, Aie, IOKit
	2 hours

IOKit is the most advanced and powerful feature of XNU, allowing C++ code in kernel with all its might - Object orientation and inheritance - and all its weaknesses. IOKit objects have become crucial for many an exploit, both as a vector for vulnerabilities, and as a mechanism for kernel code execution.

IOKit objects: Services and user clients
Enumerating and identifying IOKit objects in *OS kernels
Object corruption and fake objects
Kernel code execution primitives (and how to survive without them)

8.	Get in the (kernel) zone
	3 hours

Everything that user mode "sees" and touches is a figment of the kernel's memory. Understanding memory structures and management is paramount - for researchers and exploiters alike. This module discusses in depth the various allocation mechanisms of kernel memory

The kernel_map
The Zone allocator, emphasizing changes since Darwin 20 and "*OS Internals" Vol II
Darwin 19-20: R/O Zones, Sequestering, zone_require, kalloc types and more
Garbage collection, Feng Shui, and other techniques
Zone ("kernel heap") hardening

9.	Let's Get Physical
	3 hours

Apple is one of the only vendors to adopt proprietary protections for physical memory. Starting with the simple "WatchTower" KPP, Apple moved to introduce KTRR in the A10, followed by APRR (A11), GXF (A12) and applications such as PPL and, most recently (in iOS 17.0), SPTM & TXM. But what do all these acronyms mean? And what is their impact on exploitation

The pmap abstraction
ARM64 page tables
The kernel_pmap
A6-A9, iOS9+: KPP
A10+: KTRR
A11+: APRR
A12+: PPL
A14+: GXF
A16+: Exclaves and the "Secure Kernel"

10.	Q & A / AJA
	1 hours

Open session for Q & A on any topics participants would like to discuss. May spill over past end of day, depending on demand

Frequently Asked Questions

How is this course different from the standard OS X/iOS Internals course you offer?
Radically. For one, this is a sequel to the standards internal courses, and does not actually discuss various aspects - like the MachO format, runtime environment, Mach objects - which are deemed to be prerequisites for this course. For two, Jonathan Levin doesn't deliver MOXiI trainings anymore (he's happily evolved past Darwin). But, for this special occasion he's back - so now's your chance to see him and get his unique insights on Darwin for, quite possibly, the last time in the foreseeable future.

Do I aboslutely have to know [Intel/ARM32/ARM64/Any] Assembly?
Not really, but it's recommended, since we will be disassembling Apple binaries. Intel is irrelevant. We focus only on ARM64e.

Why such strict prerequisites?
Because. It is already extremely tight to fit all this information - this alone could have taken double that time. But we already have five days in the standard course, so we opted to make this the unofficial "sequel".

How is this course different from other iOS exploitation courses?
Several ways:
- First, we try and parallel OS X and iOS, in much the same way MOXiI has. In that, we are not focused on one or the other operating system, but take their (rather large) common denominator as a base, and make segues and side discussion for idiosyncratic features of one or the other.
- Second, we do not demonstrate, sell or otherwise provide any active 0-days. We do, however, explain past vulnerabilities in great detail, as well as the exploitation methodology, which applies to the present day.
- We present unparalleled views of kernel memory and objects using advanced tools, such as our proprietry Xn00p2 kernel memory inspector
- Our trainer is the person who, quite literally, wrote the book(s) on the subject.
- Lastly, other trainings are myopic, focusing only on the exploitation. We believe that true understanding of the internals of a system goes further.

When and where is the next course for this scheduled?
There is no guaranteed 'next' here. This is a one-time engagement by Jonathan Levin at the specific request of Objective By The Sea. Patrick Wardle, the organizer, is a paragon of macOS security, and a great friend. And also, any excuse is to get to be in I-B-I-Z-A!

I don't have a (jailbroken) iOS device. What do I do?
That's understandable. There haven't been public jailbreaks since 16.something. No problem! Any Apple Silicon Mac will do, and participants get our xn00p2 LiTe with an iOS 18.x (possibly 19, but no promises) kernel image to play around with during the training and any time thereafter!

Is it true what I hear about "surprise, mystery guests" attending your courses?
If we admitted to anything, it wouldn't be a surprise, nor a mystery, now, would it? :-)

How much??
4,000 Euro for the three day experience, and J will make it worth every euro-cent. Oh, and - xn00p Lite license ($1,000 value) included.

How do I register?
Email us at i/n/f/o@ (no slashes, though). We'll take it from there :-)

------------------------------------------------

Completed in 0.01s