iOS 9/10 and MacOS Kernel Internals for Security Researchers


Stefan Esser

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded.

In 2010 and 2011 he got a lot of attention for presenting about iPhone security topics and supplying the jailbreaking scene with an exploit that survived multiple updates by Apple.

Training Dates

25 - 29 March 2016



For the last few years we have taught iOS and OS X/MacOS kernel internals for security researchers to a wide variety of students. In these years our course has been under constant development, because Apple keeps adding new security mitigations into the kernel or changes how security relevant implementations like the kernel heap or the sandbox work. For 2017 we have reworked the material again to cover the latest security changes in iOS 10, the iPhone 7 and Mac OS Sierra. We have also improved the software tools that we use during our work.

During the training we will have hands on tasks for both iOS and OS X/MacOS. The iOS tasks will be performed on devices running iOS 9.x that will be borrowed to the trainings during the course. The other tasks will be performed on the Macbooks (inside VMs were recommended) that students have to bring to the course.



  • How to set up your Mac and Device for Vuln Research/Exploit Development
  • How to load own kernel modules into the iOS kernel
  • How to write Code for your iDevice
  • Damn Vulnerable iOS Kernel Extension

Low Level x86_64 / ARM / ARM64

  • Differences between x86_64, ARM and ARM64
  • Exception Handling
  • Hardware Page Tables
  • Special Registers used by iOS/MacOS
  • ...

Kernel Drivers/Extensions

  • IOKit
  • Driver attack surface
  • Kernel driver code-signing
  • ...

Kernel Internals

  • Structure of the Kernel Source Code
  • Where to look for Vulnerabilities
  • Implementation of Mitigations
  • Mach messages and IPC
  • Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter
  • Filesystems, networking stack
  • ...

iOS Kernel Reversing

  • Structure of the Kernel Binary
  • Finding Important Structures
  • Porting Symbols
  • Closed Source Kernel Parts and How to analyze them
  • ...

Kernel Debugging

  • Panic Dumps
  • Using KDP on MacOS
  • Working around the lack of KDP debugging on iOS devices
  • Kernel Heap Debugging/Visualization (new software adjusted to iOS 10/Mac OS Sierra)

Kernel Heap

  • In-Depth Explanation of How the Kernel Heap works (including all the changes in iOS 10.x)
  • Different techniques to control the kernel heap layout (including non-public ones)
  • About the heap randomness in iOS >= 9.2
  • All the changes to the heap with iOS 10/MacOS

Kernel Exploit Mitigations

  • Discussion of all the iOS Kernel Exploit Mitigations introduced
  • Discussion of various weaknesses in these protections

Kernel Patches and Patch Protection

  • Full walkthrough through the Kernel Patch Protection as leaked by Apple
  • Discussion of all the Kernel Patches applied by recent iOS Jailbreaks
  • Discussion of differences between 32 bit and 64 bit patches

Course Requirements

Student Requirements

  • Students must be capable of understanding/programming code in C
  • Students will get an introduction to low level CPU features (AMR/ARM64/x86_64) as part of the course

Software Requirements

  • IDA Pro
  • OS X El Capitan/Mac OS
  • Xcode with iOS 10 SDK
  • VMWare Fusion with Mac OS VM

Hardware Requirements

  • Macbook capable of running latest OS X/MacOS in a VM
  • Students can optionally bring an iOS device jailbroken on iOS 10.x (iOS 9.x devices will be provided)