Our "OS X and iOS Kernel Internals for Security Researchers Training" immediately sold out at SyScan Singapore 2015 and ReCon 2015. Within this training we look at the internals of the OS X and iOS kernel from the view of a security researcher. We cover material interesting for the developers of OS X endpoint security solutions, OS X/iOS kernel vulnerability/malware researchers and OS X/iOS kernel forensic technicians. If you are a security researcher and interested in kernel internals this is the right course for you. If you are more interested in actual exploitation then our November course is the better choice for you.
The next training at the end of October 2015 will take place in the Le Meridien hotel in Frankfurt (Germany) between 26th October and 30th October. It is a full 5-day course and is targeted at security researchers with a need for OS X and iOS kernel knowledge.
This training will cover both the OS X (Yosemite/ElCapitan) and the iOS (8/9) kernel, because they get more and more related with every new major release. We will discuss differences where applicable. However the training will focus its hands on tasks on the OS X platform.
NEW: This training will offer attendees the chance to select topics of their choice before the training. We will then integrate the most wanted topics among the trainees into the training.
The goal of this training is to enable you to understand the inner working of the OS X and iOS kernels as required for endpoint security solutions, vulnerability research, malware research and basic forensic analysis.
Setting up a development and debugging environment
Compiling your own kernel
Developing your own kernel extensions
Low Level x64 / ARM / ARM64
Low level cpu details
Physical memory management
Kernel Source Code
Structure of the source code
Howto find vulnerabilities
How security mitigations are implemented
Driver attack surface
Kernel driver code-signing
Important data structures of the kernel
Mach-o fileformat / encryption
Mach messages and IPC
Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter
Filesystems, networking stack
Built-in Kernel Debugging
Debugging with own kernel extensions
Kernel Heap Debugging/Visualization
Kernel Heap and Memory Management
In-depth explanation how various memory allocators work
Various techniques for kernel heap layout control
History of kernel vulnerabilities and how they were exploited
Kernel Rootkit Detection
Discussion of previously hooked / abused data structures in OS X rootkits
Memory Forensics with Volatility
starting with this training course we will try something new: Around end of July we will launch a platform that allows attendees to specify topics they would like to see discussed in the training and then all other attendees can judge on their most favourite additions to the course. We will then pick the most wanted topics from this list and add them to the course (up to 20%).
attendees of our trainings will now get a 9 months guarantee of updates: this means if another training of the same kind is held within 9 month of their booked training they will receive the updated training material free of charge (after the new training was held).
the whole training material (multiple hundred slides) will be handed to the students in digital and printed form
in addition the training material of our previous course will be handed in digital form
trainees will get a license for the SektionEins software and scripts that are used during
the training that allows usage but not redistribution of said software
This course will not give an introduction to x86/x86_64/ARM basics. The trainee is
required to understand basic assembly for at least one of these platforms.
Low level CPU knowledge will be helpful, but is not required for this course -
the parts that we need will be explained during the training.
This course will not give basic introduction to exploitation or ROP.
Trainees should know concepts like ROP or buffer overflows,
integer overflows, etc...
Trainees will receive about 3 weeks before the training a paper that
covers introductory information. Trainees are required to read and
work through this document in order to ensure that all software is
correctly installed and some basics are understood.
An Apple Mac Notebook is required in order to run OS X Yosemite/El Capitan and XCode.
Notebook must be capable to run virtual machines for hands on tasks.
Training hands-on exercises will be performed on OS X.
Students can optionally bring their own iOS device for experiments.
But for best results these devices should run an iOS version which has a public
jailbreak for it.
Legal IDA Pro 6.x license (64 support required) / Hopper use at own risk
Hexrays for ARM helpful, but not required
BinDiff for IDA helpful, but not required
Mac OS X Yosemite/El Captian, with latest XCode and iOS SDK (or newer)
VMWare Fusion 7.x (or better)
Additional Software will be made available during the training
The training will be held at the Le Méridien Parkhotel Frankfurt (Germany). The hotel is located near the main train station of Frankfurt, which is an ICE train ride of about 20 minutes away from the airport of Frankfurt (FRA).
The hotel offers up to 10 rooms for a special rate of 150 EUR per night (including breakfast) until 6 weeks before the training. They will be given out on a first come first serve basis.
We offer the following rates for this training. Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.
Early Bird (before 10th August)
Regular (before 28th September)
Late (after 28th September)
The training ticket price includes a daily lunch buffet (or 3 course menu), various food selections during morning and afternoon coffee breaks, free soft drinks in the training room and a one night surprise dinner.
If you have further questions or want to register for this training please contact us by e-mail firstname.lastname@example.org.
In-House Training / Conferences / Additional Trainings
If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail email@example.com.