We're excited to present the #OBTS v9.0 trainings, led by some of the world's foremost Apple security researchers and instructors. These sessions cover a range of topics, including reverse engineering, malware analysis, tool development, and OS internals across both macOS and iOS.



Note:
  • Trainings occur just prior to the conference. All trainings are 3 days in length, running from November 15th - 17th. All trainings are held at the conference venue (Hyatt Regency Maui).

  • Important: Signing up for a training does NOT register you for the conference. You must separately purchase a conference ticket, and you must use the exact same email address for both registrations.

  • Since trainings are independently owned and operated by the trainers, all questions should be directed to them.



#OBTS v9.0 Trainings:

"The Art of Mac Malware: Detection & Analysis" (Nov. 15th - 17th)
Learn the tools & techniques used to uncover and then dissect the latest threats targeting macOS.

As macOS grows in popularity, so does the prevalence of malware targeting this platform, including malware designed to run natively on Apple Silicon.

Ever wanted to learn exactly how to tear apart these malicious creations in order to reveal their inner workings? Or how to craft tools capable of programmatically detecting even new threats? Here's your chance!

In this content-packed three-day course, Mac security expert and author Patrick Wardle will teach the tools and techniques needed to comprehensively analyze and understand malware targeting Apple's desktop OS. Moreover, we'll discuss heuristic-based approaches to programmatically detect such threats.
Patrick Wardle is the creator of the non-profit Objective-See Foundation, author of "The Art of Mac Malware" book series, and founder of the "Objective by the Sea" macOS Security conference.

Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy.

Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing both books and free open-source security tools to protect Mac users.


"Threat Hunting macOS"
An in-depth, hands-on experience for those looking for a deep dive into using macOS internals to their advantage for threat hunting.

Whether you're new to threat hunting or an experienced threat hunter, this three-day course will bring an in-depth, hands-on experience to those looking to deep dive into using macOS internals to their advantage for threat hunting. Learn how to use the less commonly used artifacts to hunt down malicious activity in your environment.

This course uses simulated attack data collected with the Apple Endpoint Security Framework and teaches attendees how to connect the dots to determine what took place on the system.

Topics are discussed in presentation form and then applied via hands-on labs. Among the topics explored are:
  • Exploring the process tree and understanding process creation
  • Understanding the complications of XPC
  • Tracing the steps of real malware samples and determining the scope of the attack
  • Hunting using the lesser-explored pid values
  • Hunting using macOS- and Unix-specific technologies
  • ...and much more!
Attendees will walk away with a solid understanding of the system internals knowledge required for threat hunting on macOS as well as a new set of investigation skills.
Jaron has a background in incident response and threat hunting across Unix-based platforms. He currently works as the macOS detections lead for Jamf Protect.


"Practical iOS Reverse Engineering"
Figure out how iOS apps work, understand the Apple mobile ecosystem, and dive into low-level kernel and firmware internals.

This 3-day training will equip you with a toolbox of indispensable techniques and methods for diving into the world of instrumenting apps and discovering low-level system internals on Apple's mobile devices. While covering all basics to get beginner reverse-engineers started, intermediate and even advanced attendees are provided with appropriately challenging content and exercises. The course material of this training is always kept up to date with the latest version of iOS – so you'll even learn about features that will be introduced in iOS 27!

After getting started with static reverse engineering and dynamic testing of iOS apps using Ghidra/IDA and Frida, we'll pivot to challenges posed by programs written in Objective-C and Swift, which use asynchronous programming with Grand Central Dispatch and Cross-Process Communication (XPC). We'll be using Frida to trace control flow, find interesting code paths, manipulate data, and finally collect code coverage – everything you'll need to get started writing custom fuzzers for vulnerability discovery. Going deeper into the internals of iOS, the user-space analysis will be followed up by a dive into the XNU kernel. Starting with a broad overview of the interactions between user- and kernel-space, we'll explore Mach messages, syscalls, and IOKit. Then, we'll cover the latest mitigations (SPTM, TXM, Conclaves, MTE, and more). This is followed up with a look into RTKit-based firmware and an overview of the network of Co-Processors in an iPhone.

The training will include hands-on exercises on physical iOS devices (can be borrowed!). Advanced iOS app internals are conveyed by breaking them down into small, easily comprehensible chunks and exercises that build on each other to form a general understanding of iOS concepts. Students will be guided through using free and open-source reverse-engineering software and frameworks (such as Ghidra/IDA and Frida) to understand the internals and perform security testing of closed-source apps and daemons. Students will be provided with slides, exercises, solutions including custom tooling, and cheat sheets to follow along with the training.
Jiska Classen is a wireless and mobile security researcher and research group leader. The intersection of these topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices.

She also likes to work on obscure and upcoming wireless technologies; for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement and reverse engineered Apple's AirTag communication protocol. She has previously spoken at Black Hat USA, DEF CON, RECon, hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulasch Programmier Nacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, and NotPinkCon, has given various lectures and trainings, and has published at prestigious academic venues.


"iOS Threat Hunting and Malware Analysis" (Dec. 2nd - 4th)
Learn everything you need to know to find advanced malware and threats targeting iOS.

This three-day, hands-on training teaches you how to investigate, detect, and analyze advanced threats targeting Apple's iOS platform. The course is centered around real-world malware samples and the traces that are left behind. We'll start by reviewing different iOS malware behavior and investigate which traces the malware left behind in forensic sources such as Backups, Sysdiagnoses, Unified Logs, Crashes and other Diagnostic Formats.

All practical exercises are built around real-world cases that have been found, such as NSO Group's Pegasus, Intellexa's Predator, Coruna and DarkSword.

At the end of the course, participants will understand how the iOS security model works, which forensic sources are available, and which traces and behavior malware leaves behind.

Heads up:
This course is focused on malicious behavior and the traces threat actors leave behind. While we sometimes take a look at malware samples and their code, this is not a reversing class!
Matthias's day-to-day job is to lead the research team and find new detection methods for iOS malware at iVerify. He has plenty of experience protecting smartphones and tablets from malware, having worked at two major German infrastructure corporations. He is a seasoned conference speaker and trainer, having given talks and trainings at top conferences such as OBTS, HITB and BlackHat.

Matthias is passionate about all things related to iOS security. When he's not playing basketball or games, he loves to spend his time learning new things around iOS.


"AI for Mac security"
A hands-on introduction to building native machine-learning models and AI tools to protect macOS.

macOS defenders work with executable metadata, process telemetry, and investigation context that can all be turned into useful machine learning input. This three-day training shows how to use that data on Apple platforms to classify Mach-O malware, cluster and score unusual process behavior, and apply large language models with tools during triage and threat hunting. Students will build datasets, train and evaluate models, and use agent workflows to enrich alerts and investigate suspicious activity.

The course is hands-on, approachable on the math, and explicit about data quality, model evaluation, false positives, and the limits of automation.
Dr. Kimo Bumanglag is a Member of Technical Staff at OpenAI focused on threat hunting and intelligence.

He also serves as an adjunct lecturer at Johns Hopkins University, where he's committed to making complex cybersecurity topics accessible and mentoring the next generation of security professionals.


"macOS Vulnerability Research Training" (Nov. 15th - 17th)
TBC.


This 3-day training focuses on macOS Vulnerability Research (VR) for beginner to intermediate students. While intermediate topics will be discussed, the course focuses on bringing security researchers up to speed with macOS’s unique protections and vulnerabilities.

This training focuses mostly on logic vulnerabilities as these are hard to systemically mitigate, unlike memory corruptions. With the recent trend of Apple's move towards shipping increasingly robust user and kernelspace memory-protection mitigations, it is our belief that logic vulnerabilities are the future of VR on macOS.
Gergely is an independent security researcher working mainly on the Apple Security Bounty program, with a research focus on logic vulnerabilities. He has presented his findings at OBTSv6, and blogs at https://gergelykalman.com. So far he has found multiple user-to-root LPEs, multiple TCC bypasses, an app sandbox escape, along with other bugs. He enjoys trying to exploit the unexploitable, as evidenced by multiple bugs of his that were hiding in plain sight for years or, in one case, for decades.
Csaba is a Principal macOS Security Researcher working at Iru, focusing on vulnerability research and EDR detection development. He currently has over 100 CVEs issued by Apple for vulnerabilities ranging from simple info leaks to full macOS exploit chains bypassing all security controls. He frequently presents his findings at conferences such as BlackHat, Objective By The Sea, POC, and many others. Prior to Iru, Csaba worked for OffSec developing the EXP-312 training about macOS exploitation.