Apple has been laboring to harden the XNU kernel that powers its various operating systems, including iOS and macOS, with a feature called “exclaves.”
The term appears to have first surfaced in a libc file in Apple’s open source software collection in 2023, and subsequently within iOS 17, released in September of that year, as later noted by Howard Oakley on his Eclectic Light Co blog.
Exclaves, Oakley observed last June, are believed to implement “domains isolated from the kernel that protect key functions in macOS even when the kernel becomes compromised. This in turn suggests that Apple is in the process of refactoring the kernel into a central microkernel with protected exclaves.”
Current Apple chips have a Secure Enclave, a dedicated secure subsystem integrated into the device’s system-on-chip (SoC). It’s separated from the application processor kernel as a defense against compromise. It’s used for operations that require strong security, such as the processing of encryption keys.
An enclave is defined as an area within a territorial boundary. So an exclave is an area outside of a boundary with ties to the main territory.
The XNU kernel, as Apple’s documentation explains, is “a hybrid kernel combining the Mach kernel developed at Carnegie Mellon University with components from FreeBSD and a C++ API for writing drivers called IOKit.”
It is hybrid in the sense that it combines the Mach microkernel with the BSD monolithic kernel.
Each architectural approach has different disadvantages. Microkernel designs face the challenge of dealing with the overhead of inter-process communication (IPC) between user-space servers and the kernel. Monolithic designs run in a shared address space, so security compromises are potentially more damaging – once defenses have been bypassed, there’s no further barrier to sensitive data.
According to a security researcher who has examined Apple’s kernel tinkering under the name Random Augustine, Apple’s development of exclaves represents a significant shift in its security architecture. Essentially, Apple is trying to realize the security benefits of a microkernel without discarding the monolithic aspects of XNU.
Based on the references to exclaves in the XNU source for Apple’s Arm-compatible M4 chips and the A18 processors used in the iPhone 16, our source argues that exclaves form the basis of a significant redesign of XNU’s security model.
“In iOS 18, exclaves refer to specific resources that are separated from the main iOS kernel (XNU) and cannot be accessed by it, even if the kernel is compromised,” the researcher explained in a document shared with The Register.
“These resources are predefined when the OS is built, are identified by name or id, have different types, are initialized at boot time, and are organized into distinct domains.”
These resources include:
- Shared memory buffers that can be accessed by both the kernel and the exclave, with the option to make them read-only or read-write to XNU.
- Audio buffers and sensors that are used for securing features such as the camera and microphone access indicators.
- Conclaves that group multiple resources into their own secure domains.
- Services that provide executable code within the exclave space when called upon by threads in XNU.
These resources are protected from XNU via enclave-specific page types enforced by the Secure Page Table Monitor, a hardware security feature introduced with the arrival of the A15 chip and iOS 17. This makes Apple’s operating systems more secure by compartmentalizing sensitive services, such that the compromise of one doesn’t give access to the entire kernel address space.
Apple has enabled the execution of exclave services via a new Secure Kernel (SK). The researcher Random Augustine has observed that while the SK image file contains a version string for “cL4,” a possible reference to the L4-embedded kernel used with the separate SepOS (Secure Enclave Processor OS), the IPC structures used by XNU to communicate with the SK look more like those of seL4, a high-assurance microkernel.
Gernot Heiser, a computer science professor at UNSW Sydney and the founding chairman of the seL4 Foundation, has suggested via Bluesky that Apple’s SK is probably not an seL4 adaptation, which would be a GPL violation, but rather is a new implementation.
The obvious reason Apple would undertake this work is to improve security generally, which benefits the super-corp and its customers. The less obvious reason is that AI workloads running on-device and communicating with Apple’s Private Cloud Compute infrastructure potentially enlarge the attack surface, so it makes sense to limit the blast radius of attacks by adopting a microkernel architecture.
“This isn’t aimed at a specific vulnerability – it’s adding defense in depth and isolating more parts of the OS from each other,” Random Augustine opined.
“So an attacker will need to find an extra vulnerability to attack things held in exclaves or to escape an exclave. Exclaves will likely be much harder to escape because they are running in a microkernel environment. Some of the code and libraries over there are also written in Swift, which should increase memory safety.”
Our source tells of asking an Apple engineer why the iGiant hasn’t been talking up this technology. The reason is, we’re told, that Apple hasn’t yet finished the project and likely doesn’t yet have the confidence to make security claims.
Apple did not respond to a request for comment. ®