Habemus Securitas - Exploring Apple's Hidden Territories
With the Secure Page Table Monitor (SPTM) and Exclaves, Apple has introduced a broad spectrum of new memory protection mechanisms over the past few years, realized through their Guarded Execution Feature (GXF). Currently, there is little public discussion on piecing these mechanisms together and exploring the broader implications of XNU compartmentalization.
In this talk, we will delve into the inner workings of SPTM, exploring how its services are utilized by XNU and other secure world clients, namely the Secure Kernel (SK), Trusted Execution Monitor (TXM), and Exclaves, and the contributions they make to system and memory security. To achieve this, we analyze the underlying SPTM functionality, with a focus on memory frame typing, page mapping, and the implemented rulesets governing iOS memory mapping across newly introduced SPTM security domains.
Speakers
Moritz Steffin
Master's Student, Hasso Plattner Institute, University of Potsdam
Moritz was a Master's student at the Hasso Plattner Institute, University of Potsdam, Germany, and is now working in digital forensics and incident response at HiSolutions AG in Berlin. Throughout his studies, he delved into mobile reverse engineering under the guidance of his supervisor, Prof. Dr. Jiska Classen, head of the Mobile Security research group, which resulted in a thesis on reverse engineering Apple's low-level firmware.
