[HN Gopher] Apple Exclaves
___________________________________________________________________
Apple Exclaves
Author : todsacerdoti
Score : 425 points
Date : 2025-03-09 22:38 UTC (1 days ago)
(HTM) web link (randomaugustine.medium.com)
(TXT) w3m dump (randomaugustine.medium.com)
| transpute wrote:
| Related thread, _" Apple rearranged its XNU kernel with
| exclaves"_, https://news.ycombinator.com/item?id=43314171
| tptacek wrote:
| For what it's worth, this article is _much_ better.
| metadat wrote:
| 100% agree.
|
| The discussion has been underwhelming:
|
| I read TFA and wasn't sure what to even make of it.
| gnabgib wrote:
| That is underwhelming! (But also.. that's *this*
| discussion.. and the other discussion is already linked by
| GP.. so I'm not really sure what you're aiming for here)
| metadat wrote:
| Only attempting to share information. Is there an
| unstated next step (or next-next step) given Apple's
| moves?
|
| A gentle suggestion for a more interesting / entertaining
| article currently on the front page with a glance:
| https://news.ycombinator.com/item?id=43311696
|
| _Hatching a Conspiracy: A BIG Investigation into Egg
| Prices_
|
| https://www.thebignewsletter.com/p/hatching-a-conspiracy-
| a-b...
|
| P.s. @gnabgib thanks for all your excellent dupe
| postings! I used to do a lot but life got busier. You are
| appreciated.
|
| _Edit_ : @thrdbndndn: My bad, yes this submitted article
| is the one that sucks. Thank you! If you delete your
| reply it will make things less confusing, but no worries
| and best wishes.
| thrdbndndn wrote:
| He's saying you're posting the HN URL of this very
| discussion to.. this discussion.
| transpute wrote:
| For more detail, there's a 3-part series on iOS SPTM and TXM:
|
| Aug 2023, https://www.df-f.com/blog/ios17
|
| Nov 2023, https://www.df-f.com/blog/ios-17round2
|
| Feb 2025, https://www.df-f.com/blog/sptm3
| saagarjha wrote:
| Somewhat less detail, actually.
| transpute wrote:
| DF blog series source reference,
| https://randomaugustine.medium.com/on-apple-
| exclaves-d683a2c... I would particularly
| like to highlight the work of Dataflow Forensics and
| their much more advanced work dissecting SPTM without the
| benefit of source code. I enthusiastically await their
| promised blog post about exclaves and hope they will
| answer many of the remaining questions, provide gory
| disassembly explanations, and correct all my mistakes and
| assumptions!
| saagarjha wrote:
| They are being polite. The Dataflow blog post barely goes
| beyond running strings.
| transpute wrote:
| _> They are being polite._
|
| Are they? The article's closing paragraph advertises a
| _future_ Dataflow blog post to the reader. Their follow-
| up March correction is consistent with the Dataflow Feb
| summary, https://randomaugustine.medium.com/more-
| speculation-on-excla...
| saagarjha wrote:
| Yes, they're saying that there's some stuff they didn't
| cover, and they hope the Dataflow people will. But the
| first couple didn't really answer much so I'm not
| particularly hopeful.
| GeekyBear wrote:
| An overview from that piece:
|
| > exclaves refer to specific resources that are separated from
| the main kernel (XNU) and cannot be accessed by it, even if the
| kernel is compromise
|
| Also interesting:
|
| > It's not uncommon for mid-cycle releases of macOS to gain new
| features in preparation for the next major version. Perhaps the
| most fundamental and significant added to Sonoma 14.4, together
| with iOS 17.4, iPadOS 17.4 and watchOS 10.4, are exclaves.
|
| https://eclecticlight.co/2024/08/20/sonomas-unfinished-busin...
| saagarjha wrote:
| > In macOS 15 and later, creation of a VM running macOS 15 or
| later can configure an identity derived from the host Secure
| Enclave, enabling access to resources requiring Apple ID
| including iCloud. This is accomplished using an exclave of
| the Secure Enclave.
|
| This is not correct
| totetsu wrote:
| My crusty squinty morning eyes read that as " it can lead to a
| complete system compromise, as all the operating system's
| functions are bundled together in the kernel's single "breakfast
| of eggs"." .. now I wish this was the idiom.
| markus_zhang wrote:
| I'm not familiar with that level of knowledge, but from the look
| of it you can attack the enclave itself to escalate privilege
| higher than the kernel enjoys? Is this piece of hardware
| something like a co-processor?
| saagarjha wrote:
| An exclave isn't hardware, it's an isolated piece of software
| that deals with a certain sensitive operation that you don't
| want the kernel to have access to. So if you exploit it, then
| yes you have access to something that the kernel doesn't-but
| that's the point, because the goal is if you exploit the kernel
| you shouldn't get access to that.
| markus_zhang wrote:
| Oh thanks for the explanation!
| alfiedotwtf wrote:
| If it's all in software but the kernel has lower privileges,
| I'm curious how they'll be able to update it? And if there is
| an API to update via the kernel, what's stopping a push via a
| malicious source pretending to be Apple?
| saagarjha wrote:
| I don't think it is accurate to say that the kernel has
| lower privileges. It's just something the kernel isn't
| allowed to do, while the exclave has a list of things _it_
| isn 't allowed to do. Also exclaves are shipped with normal
| software updates (verified by the boot chain, not the
| kernel).
| brookst wrote:
| Less than entirely confident stab (someone please correct
| if I get this wrong):
|
| - Exclave exposes a small set of functions that kernel may
| call for sensitive operations - One of those is "update
| exclave". The input to this is a blob signed with Apple's
| private key. - Exclave verifies signature, so a compromised
| kernel and push a malicious update
|
| How the exclave gets Apple's public key is a little opaque
| to me. One way would be to have the exclave have its own
| (per device or per global version) private key, but client
| side private keys are very high risk.
|
| Alternatively, perhaps some elaborate set of baked-in
| public keys for Apple and a way to validate a CRL?
| vintagedave wrote:
| I'm a little confused reading the article on how exclaves are
| related to the Mach kernel. Is there a second, parallel seL4
| kernel running on the same chip? If so, how do two kernels
| execute at the same time?
|
| > To allow for execution of exclave Services while isolated
| from XNU, Apple has introduced a new kernel called the Secure
| Kernel (SK).
|
| Or do exclaves run on a separate chip, like Secure Enclaves-
| with-a-N do? (The article said not to confuse the two.)
| transpute wrote:
| _> SK runs on the same high speed application processors as XNU
| /iOS. To make this possible, additional processor privilege
| levels are required -- likely supported by virtualization
| extensions_
|
| Recent Apple phone and laptop SoCs include hardware support for
| nested virtualization, including the M4 iPad Pro where an exclave
| is used for the camera LED. Hopefully the next revision of the
| Apple Platform Security guide will cover SK exclaves and baseband
| mitigations for Wi-Fi radar sensing,
| https://help.apple.com/pdf/security/en_US/apple-platform-sec...
|
| _> Apple specific additions to SPTM_
|
| SPTM reverse engineering, https://www.df-f.com/blog/sptm3
| XNU is being refactored into a micro-kernel inspired
| architecture, aiming to reduce its code base, and move security
| sensitive operations out of it. The memory space isolation is
| performed with the help of a Secure Page Table Monitor - SPTM.
| The code signing, entitlement verification, Developer Mode,
| Restricted Execution Mode, and other security sensitive
| operations are handled by the Trusted eXecution Monitor - TXM.
|
| _> or most likely via ARM's TrustZone technology. The XNU source
| code contains several references regarding transitions to and
| from TrustZone's concept of a secure world_
|
| 150+ TrustZone CVEs,
| https://www.cve.org/CVERecord/SearchResults?query=trustzone
|
| _> it's a defensive effort on a larger scale than any other end
| user device manufacturer is currently attempting_
|
| Google implemented pKVM on Pixels with hardware nested
| virtualization a few years ago, and upstreamed the code to Linux
| mainline, including cooperative de-privileging of TrustZone
| relative to pKVM L0. But they have not announced defensive
| features using pKVM/AVF, outside of Debian "Linux Terminal" VM.
| transpute wrote:
| The author published a follow-up post and revised diagram,
| https://randomaugustine.medium.com/more-speculation-on-excla...
|
| _> While I speculated that TrustZone was being used, exclaves
| may well use the existing SPTM and GXF (Guarded Execution)
| privilege levels after all. One implication may be that there
| is no hard reason they couldn 't be supported on iPhone 13 and
| higher, aside from RAM requirements and development effort.
| Make no mistake these are huge undertakings even for Apple._
| als0 wrote:
| > 150+ TrustZone CVEs,
| https://www.cve.org/CVERecord/SearchResults?query=trustzone
|
| It's important to note that most of those CVEs are to do with
| vulnerable software that manufacturers put in the TrustZone
| protected environment (many of which are garbage). There are
| very few vulnerabilities reported about the hardware itself.
| michaelt wrote:
| Personally, I've always thought the fact these
| vulnerabilities keeps happening demonstrates that TrustZone's
| secure execution environment just isn't designed well.
|
| If you're a phone designer, and you're going to put unlock
| PIN validation into a trusted execution environment? Sure,
| makes sense. If you're going to put your widevine DRM code
| into a trusted execution environment? I guess.
|
| But why did they make a design that means a vulnerability in
| the DRM code allows an attack on the PIN validation code?
| That means the attack surface is huge.
|
| You gotta keep these clowns separated if you don't want them
| spraying each other with water and throwing pies down each
| other's trousers.
| saagarjha wrote:
| > Apple may use SPTM to manage transitions between the secure and
| insecure worlds
|
| This, because they don't have TrustZone
| seventh12 wrote:
| Why Apple doesn't use TrustZone?
| saagarjha wrote:
| You'd have to ask them. My general guess is they design their
| own stuff first and then try to get it standardized.
| neom wrote:
| I think Steve truly believed at his core, very simply: your
| laptop is your diary, and they have a responsibility to that.
|
| I don't think Tim would be CEO if he didn't believe what Steve
| did. It's so weird, but I really miss Steve.
|
| https://www.youtube.com/watch?v=Ij-jlF98SzA
| musicale wrote:
| It is weird. Jobs was divisive and (not infrequently) abrasive,
| and why would you miss a tech billionaire anyway? Yet I also
| feel indebted to him and to the folks at Apple who helped to
| produce some of my favorite products like the Mac, the iPod,
| and the iPad.
|
| Jobs also said a lot of things that still resonate with me.
| Recently Apple introduced a "classic Mac" screensaver that
| shows how carefully designed the original Mac GUI was. I'm sure
| nobody misses the days when app bugs could crash the OS, but I
| wish Apple were as obsessive now about detail now as they were
| back then.
| neom wrote:
| Now that I'm becoming an old man, I've taken the time to go
| back and listen to him properly, to analize his thoughts and
| words a bit more contextually, and I've come to believe that
| Steve Jobs was quite misunderstood, both by us, and by
| himself. When I miss him I think: his thoughts were so very
| refined for his time, it is quite incredible and I wish he
| was around to hear more of them. I guess I'm a fan? Oh
| well...worse things to be.
|
| (the article is good but giving you the hn for comments too:
| https://news.ycombinator.com/item?id=2131299)
| 6stringmerc wrote:
| I still think about how he tried to cure cancer with
| crystals and then when that didn't work he used his wealth
| to get residency in a different state to jump in line for a
| transplant and still died before his yacht got completed. I
| don't misunderstand him at all. Especially the parking in
| handicap spaces part. Very easy to understand what kind of
| person he was through his actions. Perhaps we will never
| see eye to eye, and I feel posts like yours do deserve
| legitimate opposition as applicable.
| colechristensen wrote:
| Ok, but more or less everyone is going to have a few
| things about them that you're not going to like. When
| your whole life is up for scrutiny and you have unlimited
| resources, that's how it is. If you had a billion dollars
| there'd be plenty of things people would criticize about
| you. And anybody else who did too.
| pstuart wrote:
| There's plenty to not like about Jobs as a person, but
| Apple exists because of him (twice).
| al_borland wrote:
| He didn't jump the line, he just got in multiple lines.
| hansvm wrote:
| Sure. On the one hand, everything adhered to the letter
| of the law. On the other, he used his money to get served
| before other people in an otherwise similar position
| would have been able to do.
|
| I personally view that as more of a failing in the system
| itself (why are there multiple lines to begin with when
| organ transport is a solved problem?), but it's not
| unreasonable to look at somebody exploiting that broken
| system and question their character.
| auggierose wrote:
| I know very few people who would't use their wealth to
| try to save their lifes, or that of their loved ones.
| It's kind of what wealth is for.
| sapphicsnail wrote:
| You know that's still bad right?
| globular-toast wrote:
| Why do you only pay the minimum amount of tax?
| elygre wrote:
| > Why do you only pay the minimum amount of tax?
|
| You didn't pose the question to me. And yet.
|
| Very many people don't. We know there are constructs that
| would enable us to pay less, yet we choose to not pursue
| them. We are part of a society that enables us to be what
| we are, why should we strive to give as little as
| possible in return?
|
| (And yes, we also don't send extra money. This is not a
| contradiction.)
| globular-toast wrote:
| > We know there are constructs that would enable us to
| pay less, yet we choose to not pursue them.
|
| Only because you don't want to put the effort in to
| pursuing it. If I told you you could reduce your tax bill
| by 20% by spinning round in your chair one time I doubt
| you (or anyone else) would decline.
|
| Every entity generally seeks to take as much as they can
| and give back as little as they can. Individuals are
| generally a little less extreme, in my experience, with
| corporations being the worst.
| eesmith wrote:
| I would not.
|
| My taxes are not a burden on me. While on the other hand,
| the local politicians have sought tax cut after tax cut,
| causing the library to limit services, the schools to cut
| down on teaching staff, infrastructure maintenance
| delays, less funding for local social services and city
| events, and more.
|
| My paying an extra 20% wouldn't fix things, as adding to
| the general budget would end up simply reducing taxes
| further, instead of everyone sharing the load.
|
| I hate that I've starting getting involved with local
| politics. I would rather code.
|
| Or, following your self-centric analysis, I would put the
| effort into raising my taxes by 20% since the collective
| benefits give me much more than what I can do
| individually.
| 1oooqooq wrote:
| because we all live paycheck to paycheck, to fund wars
| and Tesla carbon rebates.
|
| While he could have funded a new hospital and not even
| change his tax bracket.
| auggierose wrote:
| If it is bad to use your money to legally buy yourself
| advantages that other people cannot afford to buy, then
| capitalism is bad.
|
| Do you think capitalism is bad?
| brookst wrote:
| What's the point of making a moral judgment about a bit
| of human nature that literally everyone in earth shares?
| It doesn't make you or me superior to condemn it; we
| would do the same. So... what does "bad" even mean in
| this context?
| dlivingston wrote:
| > Do I contradict myself?
|
| > Very well then I contradict myself,
|
| > (I am large, I contain multitudes.)
|
| When you speak ill of Jobs you are speaking on his moral
| character. When others (incl. myself) speak positively on
| Jobs, they are speaking on his design, business, and life
| philosophies, which are quite profound. [0]
|
| How you want to weigh the two is up to you, but it is not
| a contradiction to say someone contains both good and
| bad.
|
| [0]: https://youtu.be/cHuqhQmc4ok
| brookst wrote:
| The worst part of internet culture is the conflation of
| simplicity and reductionism. Comments are short, people
| have different contexts, so there's an instinct to reduce
| everything to binary and fight to the death over the
| binary value.
|
| Worst of all is the false good person / bad person
| dichotomy that leads to great offense at any slight
| praise for someone the reader has decided is a _bad
| person_ , or any slight criticism of someone the reader
| has decided is a _good person_.
|
| I can't think of anything less fruitful than arguing over
| whether a public figure's personal plus professional life
| makes them a 100% good person or 100% bad person. It's
| strange the conversation ever happens, and yet it's so
| incredibly common.
| orangepanda wrote:
| Pancreatic cancer is known for being incurable, even in
| the best of circumstances, early diagnose or not. Having
| witnessed a family member go through the same thing, I
| understand Jobs's reaction of trying literally anything
| else.
| eecc wrote:
| Sorry for your loss.
|
| Though SJ "He was diagnosed with insulinoma, which unlike
| other pancreatic cancers, is curable and can be treated
| with surgery."
|
| see: https://www.bbc.com/news/technology-16157142#:~:text
| =He%20wa...
| neom wrote:
| Well, given apparently the posts in this thread reveal me
| to be an "manic crazy person" (or such I inferred) - I
| suppose I'll add to it then by saying: I too have read
| and understood Yogacarabhumi-Sastra. I hadn't thought
| much about it till today, but, I suspect, will do as
| Steve did. :) :)
| astrange wrote:
| He's definitely misunderstood. If you read his biography
| it's incredible how much the author of it misunderstands,
| but if you read between the lines you can see through them.
| In particular you should note how he changes before and
| after getting married.
|
| The biography is really awful though. It constantly
| misquotes people - Bill Gates is directly quoted as saying
| something so technically inaccurate he can't possibly have
| said it.
|
| I also remember that every time his son is quoted it's
| because he was telling a dick joke. At one point the book
| claims this is why Apple Park is a circle. Why the author
| did this is not clear to me.
|
| (Btw, I have an unreported Jobs story about this myself.
| Actually two. I'm not going to tell them, so feel free to
| just imagine.)
| al_borland wrote:
| I don't remember many details from the biography at this
| point, but I remember not liking it either. It seemed
| like it was written with the assumption the reader
| already knew the about Steve's more public life and
| career, and skipped over much of it. It didn't feel like
| it would be a good source for future generations to learn
| about Steve, as it seemed to largely ignore the entire
| reason a book was being written about him. I also
| remembering it seeming largely negative, trumpeting the
| views of critics, and while downplaying the good to
| balance it out. Though this could also be my memory
| fading, feel free correct me if I'm wrong.
|
| It was my first Isaacson biography, and didn't leave me
| excited for another one.
| alpaca128 wrote:
| > I also remembering it seeming largely negative
|
| It definitely was, but at least parts of that must have
| been warranted given Jobs refused to read it, saying
| something along the lines of "I know I wouldn't like what
| it says"
| al_borland wrote:
| I think that was him trusting the author to be fair and
| show a balanced view of who he was; maybe that trust was
| misplaced.
| KerrAvon wrote:
| I second "Becoming Steve Jobs." It actually gives insight
| into him, rather than just regurgitating what Isaacson
| thinks are the facts.
| al_borland wrote:
| Thanks, I'll check it out.
| miki123211 wrote:
| I think "becoming Steve Jobs" is a far better book.
|
| I feel like the official Isaacson biography was trying to
| tell a story, and would twist facts and reality to fit
| that story. This certainly makes for entertaining
| reading, but is not a great way to study history.
|
| Meanwhile "Becoming Steve Jobs" gives the reader glimpses
| into Jobs's life, often very contradictory glimpses, ones
| that don't really tell you what to think. It shows you
| how complex of a person he really was.
| baggy_trough wrote:
| > why would you miss a tech billionaire anyway
|
| Because we miss new instances of the great products they
| created to earn all that money.
| astrange wrote:
| I could easily be wrong about this but I don't believe Jobs
| or anyone else at Jobs-era Apple became a billionaire
| because of it. Because of early infighting/getting fired,
| ownership was too dispersed for that.
|
| He became a billionaire because Disney bought Pixar.
| perfmode wrote:
| Jobs was more than a tech billionaire. He was someone who had
| refined personal taste and stood on values and was willing to
| do what it took to see them through, despite the friction.
|
| And the outcome was a computing company that was waaaay less
| mediocre than 99% of these other memetic, mediocre gradient-
| descent chasing privacy-abusing, ad-supported companies.
|
| Apple has raised the bar so high. And the DNA of what is
| manifesting is Steve's insistence and vision followed by
| Tim's clarity of execution.
|
| Look at the Apple Architecture moves. They got Intel's hot,
| slow CPUs out of the device. And replaced them with
| excellent, quiet, fast, efficient CPUs, with UMA and great
| features.
|
| It's hard to nail every detail when you have the surface area
| of Apple 2025. A huge huge company with billions of users and
| dozens of device families and services. But the bar is high
| for most of what they do.
| dlivingston wrote:
| I think of Apple like I think of Disney: _consistently
| good_ products. Maybe not the best in all the things all
| the times, and some duds from time to time, but if you
| blindly hit "play" on a Disney movie you're going to be
| watching something at least pretty good.
| eleveriven wrote:
| It's not just about the products themselves, but the
| philosophy behind them. He had this relentless obsession with
| making technology feel right (it is all from my perspective)
| lern_too_spel wrote:
| Steve believed at his core that locking down devices was the
| best way to extract business value from users. That's why you
| can't install any apps without telling Apple or get your
| location without sending it to Apple. He also believed very
| strongly in good marketing, and he jumped on privacy marketing
| very quickly after the Facebook - Google privacy spat that
| coincided with the failure of iTunes Ping.
| IncreasePosts wrote:
| That seems very unlikely since nothing of that sort was ever
| attempted by Jobs on their desktops.
| rat87 wrote:
| I'm not sure it's so much about extracting value exactly
| but Jobs long believed in making sealed appliances that
| people couldn't and wouldn't have to tinker with as opposed
| to more easily modify able computers sold by competitors
|
| https://folklore.org/Diagnostic_Port.html
|
| > Expandability, or the lack thereof, was far and away the
| most controversial aspect of the original Macintosh
| hardware design. Apple co-founder Steve Wozniak was a
| strong believer in hardware expandability, and he endowed
| the Apple II with luxurious expandability in the form of
| seven built-in slots for peripheral cards ... >This
| flexibility allowed the Apple II to be adapted to a wider
| range of applications, and quickly spawned a thriving
| third-party hardware industry.
|
| ...
|
| > Apple's other co-founder, Steve Jobs, didn't agree with
| Jef about many things, but they both felt the same way
| about hardware expandability: it was a bug instead of a
| feature. Steve was reportedly against having slots in the
| Apple II back in the days of yore, and felt even stronger
| about slots for the Mac. He decreed that the Macintosh
| would remain perpetually bereft of slots, enclosed in a
| tightly sealed case, with only the limited expandability of
| the two serial ports.
|
| > Mac hardware designer Burrell Smith and his assistant
| Brian Howard understood Steve's rationale, but they felt
| differently about the proper course of action. Burrell had
| already watched the Macintosh's hopelessly optimistic
| schedule start to slip indefinitely, and he was unable to
| predict when the Mac's pioneering software would be
| finished, if ever. He was afraid that Moore's Law would
| make his delayed hardware obsolete before it ever came to
| market. He thought it was prudent to build in as much
| flexibility as possible, as long as it didn't cost too
| much.
|
| > Burrell decided to add a single, simple slot to his
| Macintosh design, which made the processor's bus accessible
| to peripherals, that wouldn't cost very much, especially if
| it wasn't used. He worked out the details and proposed it
| at the weekly staff meeting, but Steve immediately nixed
| his proposal, stating that there was no way that the Mac
| would even have a single slot.
|
| > But Burrell was not that easily thwarted. He realized
| that the Mac was never going to have something called a
| slot, but perhaps the same functionality could be called
| something else. After talking it over with Brian, they
| decided to start calling it the "diagnostic port" instead
| of a slot, arguing that it would save money during
| manufacturing if testing devices could access the processor
| bus to diagnose manufacturing errors. They didn't mention
| that the same port would also provide the functionality of
| a slot.
|
| >This was received positively at first, but after a couple
| weeks, engineering manager Rod Holt caught on to what was
| happening, probably aided by occasional giggles when the
| diagnostic port was mentioned. "That things really a slot,
| right? You're trying to sneak in a slot!", Rod finally
| accused us at the next engineering meeting. "Well, that's
| not going to happen!"
|
| > Even though the diagnostic port was scuttled, it wasn't
| the last attempt at surreptitious hardware expandability.
| When the Mac digital board was redesigned for the last time
| in August 1982, the next generation of RAM chips was
| already on the horizon. The Mac used 16 64Kbit RAM chips,
| giving it 128K of memory. The next generation chip was
| 256Kbits, giving us 512K bytes instead, which made a huge
| difference.
|
| > Burrell was afraid the 128Kbyte Mac would seem inadequate
| soon after launch, and there were no slots for the user to
| add RAM. He realized that he could support 256Kbit RAM
| chips simply by routing a few extra lines on the PC board,
| allowing adventurous people who knew how to wield a
| soldering gun to replace their RAM chips with the newer
| generation. The extra lines would only cost pennies to add.
|
| > But once again, Steve Jobs objected, because he didn't
| like the idea of customers mucking with the innards of
| their computer. He would also rather have them buy a new
| 512K Mac instead of them buying more RAM from a third-
| party. But this time Burrell prevailed, because the change
| was so minimal. He just left it in there and no one
| bothered to mention it to Steve, much to the eventual
| benefit of customers, who didn't have to buy a whole new
| Mac to expand their memory.
| vlovich123 wrote:
| The company shift to privacy was more about getting pulled in
| front of Congress over the location data being accessible via
| USB as part of iTunes backup:
|
| Source: people who were at Apple during that time period.
|
| Example: https://www.nbcnews.com/news/world/government-
| officials-want...
|
| I think people underestimate how traumatic it was culturally
| to Apple and how Apple generally experiences comparatively
| little turnover vs their other major tech peers, so the
| responses to those traumas linger. Same with the brouhaha
| over the CSAM tech that they attempted to bundle into the
| iPhone that ostensibly was trying to preserve your privacy
| and they instantly got smacked down over it.
| astrange wrote:
| > He also believed very strongly in good marketing, and he
| jumped on privacy marketing very quickly after the Facebook -
| Google privacy spat that coincided with the failure of iTunes
| Ping.
|
| I have two thoughts about this.
|
| One, if you tell yourself a story strongly enough, it becomes
| real. Especially when you can structure the company to force
| it to become real.
|
| Two, "marketing" is usually used disparagingly to mean
| something like "advertising that brainwashes customers into
| wanting something", but it's more like "knowing what people
| are going to want by the time it's ready to ship". It doesn't
| necessarily even include advertising. So in this case people
| do want privacy.
| Kudos wrote:
| > "knowing what people are going to want by the time it's
| ready to ship"
|
| Isn't that Product rather than Marketing?
| astrange wrote:
| Same function at Apple. There isn't a separate "product"
| division and there aren't "PMs" with power (though there
| are some job site postings for them... in the marketing
| division.) That doesn't make sense at a functionally
| organized company where the execs and designers decide
| everything - Jobs and Ive were the "product" people.
|
| IIRC the advertising people are called Marcom or
| "marketing communications".
| brookst wrote:
| Some companies run this as "inbound marketing"
| (collecting needs, understanding market size) versus
| "outbound marketing" (advertising, conferences).
| nedt wrote:
| The first iPhone didn't have an app store and the idea was to
| just use websites and later install webapps. On that there is
| no control whatsoever, so no I don't think the original idea
| was to lock down the devices for business value.
| lern_too_spel wrote:
| The two examples I gave are where locking a device down to
| extract value from customers conflict with privacy for
| those same customers. The former won years ago, and there
| has been no change since.
|
| The iPhone had to add an app store because there were some
| apps that users couldn't build on the web at the time. They
| since allowed apps, but those apps are restricted to a
| proper subset of the APIs that first party apps get.
| yalogin wrote:
| Sorry I am sure the article about enclaves triggered this
| thought about Steve for you. I cannot how one led to the other,
| can you may be tell us?
| neom wrote:
| hehe, it's a good question. When you get to scale, you
| realize you got there because a lot of humans put you there.
| It's part of why scaling is hard, business is an art and
| science that juggles the value exchange between us in
| society. People still here on hackernews are angry at me
| personally for decisions at digitalocean, in retrospect, I
| wish I'd handled the wipe disk thing that happened better,
| for example. It's both very easy and very difficult at the
| same time to build a business while trying super hard to love
| (really actually love as humans love!!!) your customer
| because many many things want to prevent you from loving your
| customer (I have government stories too, many of us do). At
| the end of the day, they are doing the real work, like, the
| real real stuff, they don't have to, I mean, they don't
| right? But they will, because it's the right thing to do,
| because Steve said so. apple here, have taken extraordinary
| engineering effort to say even if you compel us, we
| physically can't give you access to their diary. That is to
| be commended, and that, is Steve Jobs.
| transpute wrote:
| Thanks for the Steve Jobs clip and this valiant comment on
| complex subjects.
| eleveriven wrote:
| Tim definitely carries that torch in his own way, but there was
| something about Steve's presence that made everything feel
| more... human? Less corporate? Hard to put into words, but
| yeah, I miss him too. Thanks for sharing that video.
| ChrisMarshallNY wrote:
| One of the things about Tim Cook, that people don't really
| talk about (which, IMO, is appropriate), is that he's openly
| gay.
|
| Most times, this doesn't mean anything, but there's very few
| demographics that understand the need for privacy and data
| protection, better than gay folks.
|
| Of course, he's still at the whim of the Board, and he's no
| spring chicken, so there's no guarantee that his successor
| would feel the same, but I do believe that he, himself, is
| legitimately serious about privacy.
| lordofgibbons wrote:
| > Of course, he's still at the whim of the Board, and he's
| no spring chicken, so there's no guarantee that his
| successor would feel the same
|
| At the risk of sounding like Richard Stallman, that exactly
| is the problem with buying into such walled-prison
| ecosystem of devices. You're at the mercy of Apple pushing
| an update that can unilaterally take away your privacy and
| rights.
|
| They already do that with sending hashes of your photos on
| your iPhone and implement dark patterns to trick you to
| upload your data to iCloud. Just 1 CEO change away from
| having them from being a privacy advocate to a privacy
| nightmare.
| brookst wrote:
| Sure, and every time you eat at a restaurant they could
| poison you.
|
| This is mainly a concern if you are a high value target
| likely to be the _first_ person poisoned. For most of us,
| that's not true, and a formerly good actor turning evil
| would be noticed long before it came our turn.
|
| So there's the idealist "I can't be sure my favorite
| restaurant won't poison me today, so I'm never eating
| there again", and the pragmatic "the benefits I get
| outweigh the slim chance that today is the day they
| decide to attack boring people like me" outlook.
|
| I'll never fault someone for being the idealist; the
| concerns are unfalsifiable. But to me it looks like a
| rough way to live. Maybe just because I really am that
| boring so it's hard to relate to having any _super secret
| stuff_ that would put me among the first to be attacked.
| lukifer wrote:
| The better analogy might be, "when the morality police
| call the restaurant, they divulge which table you sit at
| every day during lunch". And it's also not clear that it
| would be noticed: national security letters, gag orders,
| parallel construction, etc.
|
| It's just another principal-agent problem, and I agree
| that a fully self-sovereign life, with no dependence on
| trust or agents, is an unrealizable ideal; and, that a
| decent solution (while not perfect) is reputation stake
| and aligned incentives, check and check in Apple's case.
| I too think Cook is sincere, and I trust them as far as I
| can throw their products, which is to say, _a little_.
| (The Apple Tax is so they don 't have to rely on a
| sketchy big-data business model.)
|
| That said, computing and InfoSec have some unique
| contours, in a way that trusting a mechanic or a lawyer
| does not. Those can have catastrophic failure modes as
| well (crashing from a shoddy repair, getting sued based
| on bad legal advice), but they aren't systemic to
| society, and have lower switching costs.
|
| And I ultimately think it's a false choice. When it comes
| to meatspace security, it's possible to have trusted and
| accountable public institutions, _and_ allow citizens to
| have some means for self-sovereignty (2A, locked doors).
| It would be foolish to rely only on one or the other,
| either as a society or an individual.
|
| So I'm deeply grateful for the Stallman types, pushing
| forward the capacity for self-sovereignty. Even if it
| doesn't currently meet my needs from a risk/benefit
| tradeoff, I still benefit from the ecosystem, and its
| BATNA, and I look forward to the day I sever my
| dependence on Apple's ecosystem, whether or not they
| betray my trust.
| alwayslikethis wrote:
| > a fully self-sovereign life, with no dependence on
| trust or agents, is an unrealizable ideal
|
| I agree with this part, but relying Apple is quite far
| from self-sovereignty compared to many other practical
| alternatives: not relying on external clouds, GrapheneOS,
| Linux. By relying on Apple, you not only pay a tax to
| essentially bribe them to not attack you (perhaps a
| viable strategy, not too different from taxes to
| governments), but more importantly you give up the
| ability to resist without serious compromises (can't have
| E2EE backups on your own cloud if they said so). This is
| akin to trying to be paying taxes to the government to
| get better police coverage, and they decide to ban locks,
| security cameras, and leaving the walled garden.
|
| The problem with the current computing security paradigm
| is that it puts too much trust in entities that do not
| deserve it, because the entities are simply too powerful
| and do not suffer consequences when they break that
| trust.
| alwayslikethis wrote:
| Your analogy doesn't really work because a food poisoning
| attack is hard to scale (across restaurants, locations)
| without being detected, whereas one backdoor can
| compromise everyone all at once if they all have the same
| software.
|
| If Apple adds a backdoor to their E2EE (by sending their
| servers the key) via a software update, and they don't do
| anything with the secrets exposed, they can compromise a
| large proportion of users over just a few weeks and there
| is a big chance you'll be among the "first", because the
| "first" is now a large set.
| ChrisMarshallNY wrote:
| Stallman is a brilliant and passionate chap, but he's
| also a lifelong academic, and has very different life
| priorities than people that need to make a living at
| shipping things.
|
| He's one end of the spectrum, and NSO is at the other
| end. The best place is somewhere in the middle.
| JadeNB wrote:
| > NSO is at the other end.
|
| I thought I was familiar with the really big players in
| the privacy/anti-privacy space, but I don't know this
| one. What is NSO? These guys https://www.nsogroup.com/ ?
| ChrisMarshallNY wrote:
| Yeah. They are about as far away from "freedom" and
| "privacy" as you can get.
| reaperducer wrote:
| _One of the things about Tim Cook, that people don't really
| talk about (which, IMO, is appropriate), is that he's
| openly gay.
|
| Most times, this doesn't mean anything, but there's very
| few demographics that understand the need for privacy and
| data protection, better than gay folks._
|
| I used to think this, too. His recent ring-kissing antics
| have changed my mind. He, too, can be bought for a price.
|
| You don't write a check for a million dollars to a person
| who is actively trying to decimate the gay community and
| still get to wear the rainbow flag.
| KerrAvon wrote:
| Genuine question: what would you have him do at that
| point instead? It's notable that he did that after all
| the other billionaires did it. Apple can't go alone on
| this, they'd be taken apart by a right wing smear
| campaign (and possibly violence against Apple stores --
| how many thousands of Apple employees would be
| affected?).
|
| Collective action, even in corporate America, is required
| to beat these people. The failure here is that like-
| minded execs didn't preemptively gather to prevent this
| outcome in the first place. If you want to be unhappy
| with Tim Cook, be unhappy that he was too politically
| naive for too long.
| reaperducer wrote:
| _Genuine question: what would you have him do at that
| point instead?_
|
| He's a leader. He should lead.
| 9dev wrote:
| This is the exact mindset the Germans put forth when
| questioned after the war: What should we have done
| anyway? We were just following orders. We didn't know
| what would happen. They would only have taken us, too, if
| we resisted.
|
| If a few more of us would have stood up at the time, the
| world could look very differently today.
| jjtheblunt wrote:
| who is actively trying to decimate the gay community?
| honest question!
| amelius wrote:
| As someone who builds industrial/scientific machines, the
| consumer oriented devices that Apple makes are completely
| unusable for me. Locking down completely capable computing
| devices seems like such a waste. I'm also not a fan of how
| Apple controls devices and the market of software after the
| device has changed owner. I'm staying the hell away from this
| ecosystem. Not sure why many so-called "hackers" are so
| enthusiastic about these "hood-welded-shut" systems.
| intrasight wrote:
| "The worse system except for all the others that have been
| tried."
|
| Many hackers think that about Apple computers. Many others
| have no choice because they develop iOS apps.
| rollcat wrote:
| I'm a self-branded hacker so I'll share my motivation:
|
| Shit. Works.
|
| This is critical. I can focus on my actual task at hand,
| rather than fiddling with the system.
|
| Some perspective: I've been on Debian for 15 years, and I
| still hold it in very high regard for servers. I'm also an
| occasional Alpine & OpenBSD user; and Windows for games. I've
| tried Ubuntu, couldn't stop it from getting in my way. Before
| you suggest Fedora, Arch, NixOS, whatever: I'm done distro-
| hopping. The experience is about equal everywhere. No amount
| of "choice" beats thoughtful design, accessibility, and
| vertical integration.
| Vendan wrote:
| I'm a software engineer at a company that does all
| macbooks. I hate my M1 macbook because it's way less
| reliable then my desktop, both software and hardware. I
| have to hold the power button to force it off roughly twice
| a month, it absolutely refuses to play nice with my KVM
| (that my desktop has no issues with), and the "keyboard
| secure input" feature regularly goes on the fritz and
| breaks anything that taps into the keyboard, including
| stuff that I've specifically installed.
| supriyo-biswas wrote:
| Much of these complaints are usually better directed at
| Crowdstrike and other EDRs. The performance difference
| between my employer-provided Macbook and my personal one
| are like night and day.
| alabastervlog wrote:
| Hell, half (but only half...) the reason I try to get
| MacBooks anywhere I work is because they're usually _not
| quite_ as shitted up with broken surveillance software
| eating half the company 's potential productivity, as the
| Windows ones.
| rollcat wrote:
| > I have to hold the power button to force it off roughly
| twice a month [...]
|
| Hmm... $ last | grep reboot
| reboot time Sun Feb 16
| 14:10 reboot time
| Fri Feb 14 19:40 reboot time
| Thu Jan 30 09:52 reboot time
| Fri Dec 13 16:20 reboot time
| Tue Oct 29 15:32 reboot time
| Tue Sep 17 12:19 [...]
|
| I guess most of these are from macOS updates. I don't
| think I've used the power button at all in the past year
| or so? FWIW I'm using a Mac mini (also M1) rather than a
| Macbook, but "it works for me" was the entire point of my
| original comment.
|
| > it absolutely refuses to play nice with my KVM (that my
| desktop has no issues with)
|
| Honestly I'm with you here, but I'm pretty sure KVMs are
| just pure lottery. I plug the mini via USB-C/DP to a
| screen that has a simple built-in USB hub (which in turn
| handles mouse/KB/audio interface); this also works
| perfectly fine with my Thinkpad T495. However an
| expensive TB3 dock with a dozen ports doesn't work with
| either, but it's just fine with a 2017 MBP. TBH I
| wouldn't blame any of the involved parties; USB-C/TB
| always came off as a finicky mess to me.
|
| > I'm a software engineer at a company that does all
| macbooks.
|
| I can't say anything but extend my sympathy. In an ideal
| world, companies prioritise employee satisfaction and
| productivity. There's an argument that this is a trade-
| off vs increased IT support cost/workload, but I guess
| SWEs don't need much support to begin with?
|
| You could at least appeal on the basis that the HW you've
| been provided with is clearly unreliable. Come up with
| some numbers about lost productivity. Bosses love
| numbers.
| RussianCow wrote:
| > There's an argument that this is a trade-off vs
| increased IT support cost/workload, but I guess SWEs
| don't need much support to begin with?
|
| IME, it's also about being able to ensure that everyone
| has access to the same software. I worked at a company
| that used macOS-specific software for development (I
| think it was Sketch?) so I _had_ to have a MacBook
| around, even though I primarily used a Linux desktop for
| work. Anecdotally, I don 't think this is uncommon.
| spyke112 wrote:
| Fedora is really good though. I've daily driven Windows,
| MacOS and Linux, Fedora is by far the best developer
| experience I've had so far. But then again, I tend to setup
| my devbox quite spartan, so that it just works.
| fc417fc802 wrote:
| I'm also confused when I see threads like this. For dev
| work I've yet to try a distro that didn't "just work".
| The only real friction I've run into is the tradeoff
| between stability versus package freshness but that's
| going to be a tradeoff with _any_ software environment.
| devmor wrote:
| Personally, I do not like MacOS, and I do not like using a
| Macbook for work, because I am a developer and a hacker. It
| is harder to do my job and harder to be efficient at my work.
|
| That being said, I love iOS on my phone and tablet. I used to
| prefer android, because of how much I could customize it, but
| it slowly became less reliable and more centered around
| selling me products and services sponsored by Google or my
| carrier. I switched to an iPhone and iPad about 7 years ago
| and am much happier with a reliable set of mobile devices
| that I know are relatively secure and wont get in the way of
| what I want to do.
|
| Point being, the OS you want on, and ecosystem you want
| around your devices absolutely depends entirely on what you
| want your devices to do (or not do against your will).
| kavok wrote:
| Out of curiosity would you prefer Windows or Linux instead
| of Mac?
| alabastervlog wrote:
| What's excessively locked down on MacBooks?
|
| There are some security features that (for good reason) get
| in the way of e.g. dtrace, but I'm not aware of any of those
| that you can't turn off.
|
| > I'm also not a fan of how Apple controls devices and the
| market of software after the device has changed owner.
|
| What's this about?
| m463 wrote:
| I totally agree. I think the best time was when they switched
| to the intel architecture, and their machines were good at
| interoperating with the rest of the world.
|
| But I think they're regressed. I think sj was good at getting
| apple to interface with the rest of the world, and make
| course corrections. But now they've forgotten how.
|
| Everything apple does is more apple ecosystem, ignore
| everyone else.
|
| Sort of like the 7-habits dependent, independent,
| interdependent. Now they're back to independent.
|
| so... they ignore the rest of the world. their own hardware,
| their own languages, everything else comes from their store.
| admittedly macos still allows people to run their own
| software, but ios doesn't let you run software or even access
| your own filesystem.
| adamtaylor_13 wrote:
| I'm one of the most technically-inclined people I know in my
| personal social circle (not true in my professional circle.)
| I'd even probably go so far as to label myself a "hacker".
| But I do care about UX (which Apple nails). I do care about
| convenience (which Apple nails.) And I do care about privacy
| (which, and I know I'll get flak for this, Apple _also nails_
| when compared to any other device on the market that isn't
| explicitly marketed to developers.)
|
| However, despite being an actual software engineer, I'm no
| security researcher. I don't understand kernels or privilege
| elevation or anything deeper than the UNIX shell I work in.
| So it's nice to have a system that's 99% safe by default, but
| still allows me to run crons, or programmatically open/modify
| things, and generally script my machine to look and behave
| the way I want.
|
| Apple is the perfect middle-ground for people like me. Just
| because you can't fiddle with a kernel hardly makes this a
| "hood-welded-shut" machine. There are processes on my Windows
| machine that I'm not allowed to kill even as an
| administrator. I can `kill -9` whatever the hell I want on my
| Mac.
|
| There's a very large group of people who operate like me, and
| are even less technical than I am, but love things like
| Keyboard Maestro or Apple scripts which allow them to tweak
| little things. Windows has no comparison and as far as I've
| witnessed it's one of the most frustrating operating systems
| in existence. Most people do not have the time or desire to
| run Linux. So, you are left with Apple which nails several of
| selling points that no other ecosystem nails.
|
| That's why people, including "hackers", are enthusiastic
| about this "hood-welded-shut" system.
| -__---____-ZXyw wrote:
| > It's so weird, but I really miss Steve.
|
| When I see the sincere sentiment sometimes expressed towards
| Jobs, I wonder if something similar is being tapped into when
| people - often tech people - use and experience LLMs.
|
| To put it a bit bluntly, it almost feels like there's a
| mystical or religious element to it. As if we desperately want
| there to be miracles, and oracles, and god-like, caring men who
| can provide us with beautiful products, and rituals, and a
| future where everything is sleek and bountiful and timeless. As
| if some spiritual "hole" were being filled.
|
| I don't mean to disparage anyone who feels fondly towards Jobs
| or LLMs, I'm merely sharing an observation of mine.
| 9dev wrote:
| If you haven't, I recommend reading Harari, specifically
| _Homo Deus_ and _Nexus_. He writes at length about what he
| calls dataism, a new kind of religion filling the void
| liberalism and enlightenment left in us. Good reads.
| kazinator wrote:
| If most of the stuff the user cares about is inside the "Insecure
| World" bubble of the diagram, then this whole business is, like,
| for shit.
|
| It serves only the platform provider, who can decide which
| programs may or may not be installed based on whether they are
| aligned with or against their competitive interests.
| vermilingua wrote:
| This is just plainly false. Passkeys, biometrics, app
| permissions, and a suite of other user-centric privacy features
| have clear benefit from strong isolation from an "insecure
| world" kernel.
| hedora wrote:
| How so? Isn't this just the xkcd authorization model?
|
| https://xkcd.com/1200/
|
| I tried to read the article, and know what all the words mean
| (sel4, enclaves, virtualization primitives, etc.).
|
| It all seems very complicated and error prone, but I couldn't
| figure out what the attack model is, or what the security
| objectives are.
|
| Eg, what sorts of things run in exclaves, and under what
| circumstances will a persistent kernel level compromise on my
| laptop protect those things?
| timewizard wrote:
| What he misses is "tamper evidence."
|
| In order to do those things I have to actually steal his
| laptop. Which would be obvious to him. It also implicates
| me.
|
| If I could just remotely install a driver I don't need to
| worry about any of that and I can steal remotely and
| anonymously.
| hedora wrote:
| Can't you just remotely install a keylogger (e.g. a
| modified version of zoom)?
| timewizard wrote:
| If it's running as their user account then they can see
| it and remove it. The point of the admin account is to
| prevent this by obfuscation and permission hijack.
| vlovich123 wrote:
| The most likely attack model I can imagine is that a
| jailbroken phone still won't be able to violate certain
| functionality (eg a recording LED remains lit, various
| supervisor functionality can't be disabled, etc)
| hedora wrote:
| Oh; so the camera LED and camera data path would run a
| remote attestation protocol with the exclave, and the
| exclave would make sure the led is on whenever it's
| forwarding on data from the camera?
|
| (Though I'm not convinced that will actually work on
| modern apple devices, where the led is pixels that run
| through the compositor -- I guess the video driver stack
| and window managers are also exclaves in this world?)
| lxgr wrote:
| I'm not sure how complex modern display controllers are,
| but I could imagine a simple priority hardware overlay
| functionality that an exclave has access to (similar to
| the dedicated "cursor overlay" functionality some older
| GPUs had, as far as I understand).
|
| Once you have that, you can take the idea further:
| Displaying an indicator that confirms that all your
| keystrokes are going to an exclave validating your
| password, for example.
|
| The much-hated touch bar actually enabled just that, for
| Apple Pay payments, as far as I remember: It could
| display something like "touch to confirm payment of $x"
| on its own screen in a way that was impossible to
| manipulate from macOS - now here's an opportunity to
| bring that level of security back without requiring a
| dedicated display or taking away people's beloved
| function keys.
| sroussey wrote:
| They should have done half height function keys and kept
| the Touch Bar. Best of both worlds.
| grahamj wrote:
| The article mentions the display controller runs an Apple
| OS so I could see there being a secure way for an exclave
| to call into it for the onscreen indicators.
|
| I would expect that to mean they're not included in
| screenshots so I'm curious now whether that's true for
| the iPhone 16.
| lxgr wrote:
| Delegating key derivation and/or password validation,
| combined with secure UI state indication, to a more secure
| execution environment can be a big win for security, for
| example.
|
| I could imagine a passkey implementation with some
| extensions that allow securely presenting what the user is
| consenting to and how ("enter your payments PIN or password
| now to confirm a payment of $x to merchant y").
|
| It's of course even better to do that in tamper-proof
| security coprocessors such as Apple's secure enclave, but
| TEEs have the big advantage of having access to much more
| memory and faster processing, which allows doing more
| complicated things there more easily.
|
| They can also always lean on the secure hardware for actual
| key management, but handle more complex user interface
| operations in an environment that's still more secure than
| the main OS.
|
| Android has supported something just like that years ago
| with "protected confirmation" [1], but unfortunately it's
| only available on Pixel phones and hasn't really been
| picked up by app developers as a result; the situation for
| Apple is of course very different, so I have some hopes
| that if they launch something comparable it could actually
| see some adoption.
|
| [1] https://android-
| developers.googleblog.com/2018/10/android-pr...
| saagarjha wrote:
| This is apparently already a thing
| lxgr wrote:
| Which part?
|
| Apple is already using the secure enclave for key
| derivation, PIN/password rate limiting etc. (that's what
| it's for), but my point is that there's currently a gap
| in that you can often not really know if you are actually
| talking to the secure enclave or OS-level malware.
| sollewitt wrote:
| This is about process privilege. Apps and services are a layer
| above.
| akyuu wrote:
| I wonder how this will affect macOS security, since SPTM is not
| used according to Apple documentation:
| https://support.apple.com/guide/security/operating-system-in...
|
| For now, I think existing exclaves such as the one that displays
| the camera indicator do not really apply to macOS (since MacBooks
| have dedicated hardware for that), but in the future there might
| be exclaves that do.
| wtallis wrote:
| > since SPTM is not used according to Apple documentation:
|
| Try reading that footnote again:
|
| > Note 2: Page Protection Layer (PPL) and Secure Page Table
| Monitor (SPTM) enforce the execution of signed and trusted code
| on all platforms with the exception of macOS (because macOS is
| designed to run any code). All of the other security
| properties, including the protection of page tables, are
| present across all supported platforms.
|
| It doesn't say macOS doesn't use SPTM. It says macOS doesn't
| use SPTM _to prevent running unsigned code_ , since macOS is
| _supposed_ to allow unsigned code (after the user jumps through
| some hoops).
| saagarjha wrote:
| That document is wrong and has been wrong for years
| (FB13803014)
| brcmthrowaway wrote:
| What impact does this have in the user
| saagarjha wrote:
| It makes your device more secure.
| yalogin wrote:
| Who is this author? It's a very elaborately, well written post.
| Great job. Having followed exclaves myself this is well done
| eleveriven wrote:
| This was an incredibly well-researched and well-written deep
| dive. It's rare to see such a thorough breakdown of something
| as technical as exclaves while still making it engaging to
| read.
| ZebraDude wrote:
| Very interesting
| teknologist wrote:
| I wonder if it's possible for app devs to use Exclaves. The thing
| that irks me about Apple is that they invent this new amazing
| internal stuff but then completely wall it off from devs, leaving
| everyone else (banking apps, wallets, secure messaging, etc.) to
| continue running in unsecured user space.
| saagarjha wrote:
| Currently no.
| dwaite wrote:
| My understanding is no with the current design - exclaves are
| built into the overall OS and started as part of the boot
| process, so they are relatively static. I suspect these
| components have static relationships for security reasons.
|
| They are also kernel-to-kernel currently, so third party
| support would likely be limited to implementing things like
| secure device drivers. However, Apple has been trying to push
| third party drivers to user space, not to the hypervisor. Based
| on that migration happening in parallel with this development,
| I do not suspect they plan to pivot and have third party driver
| developers use exclaves.
|
| It is pretty common for Apple to do significantly more
| stabilization of kernel-imposed platform features like this
| internally before exposing to third parties (see also pointer
| authentication a la arm64e).
| mike_hearn wrote:
| They don't do that. Apple userspace has continually got more
| secure too.
|
| One simple example: recent versions of macOS run all apps
| inside a sandbox, even those that don't opt in. One thing the
| sandbox blocks is apps modifying each others files, which up
| until then had been a major weakness of the security system
| (signatures of a bundle were checked at first-run, but not on
| every execution).
| hello_computer wrote:
| Apple works wonders protecting their plantation, but what
| protects you from them? Have any of you pondered the prospect of
| " _the last geohot_ "?
| vintagedave wrote:
| I had to google. There's a hacker called geohot, is that what
| this comment is referring to?
|
| Could you explain what you mean more please?
| hello_computer wrote:
| he was the first to jailbreak the iphone. where do you see
| things going when they release an un-jailbreakable iphone?
| vintagedave wrote:
| They're pretty close now, and I'm increasingly dissatisfied
| with software on both iOS and macOS.
|
| The privacy features for messaging and cloud storage, plus
| not having to worry (as much) about security as I might
| with Linux, are the only reason I still use Apple. Every
| year I get more and more disappointed though. More and more
| nostalgic for the Apple software I used to enjoy using.
| kennysoona wrote:
| I wonder how this compares to Linux Virtualization based
| Security?
|
| From the page[1] with the video: a security feature that can a)
| harden the kernel and b) ensure that critical kernel resources
| remain untampered, even if the kernel gets compromised. VBS uses
| hardware virtualization and the hypervisor (Hyper-V) to create an
| isolated virtual environment that runs as a higher trust level,
| called Virtual Trust Level 1 (VTL1). VTL1 has its own kernel,
| separate from the Guest kernel, referred to as the Secure Kernel.
|
| [1] https://lssna24.sched.com/event/1aIeD/linux-
| virtualization-b...
| saagarjha wrote:
| Exclaves run at a parallel trust level.
| lambdaone wrote:
| I'm quite surprised that they use a secure exclave to control the
| physical camera LED - this is absolutely massive overengineering
| to do something very simple.
|
| A tiny bit of hardwired dedicated logic integrated into the
| camera module would be more than adequate to do this - just
| gating of either the digital I/O or the power to the camera, and
| a pulse-stretcher so the LED goes on for at least a few seconds
| each time to prevent an attack by rapidly flicking the camera
| logic on and off.
|
| A similar circuit for the microphone with a different-coloured
| physical LED - not just a software-controlled dot on the screen -
| would be a good idea too.
| brookst wrote:
| It gets complicated. "The camera" is a bunch of parts. You'd
| probably want to key off of the CMOS sensor power, but that has
| several power levels for standby, sleep, idle. So your hardware
| circuit would likely to know current, not just voltage. Or
| maybe go upstream and parse the I2C (or whatever) messages
| signaling power mode changes?
|
| And then your LED driver would need to know screen brightness
| (or connect to the ambient light sensor) because you want to be
| bright enough to see in direct sunlight, but that level of
| brightness would be unpleasant (and maybe screw up legit camera
| use) in low light.
|
| So if you believe your SK is secure, you can do a better job
| more simply by using it. And if you don't think SK is secure,
| all bets are off anyway.
| jjtheblunt wrote:
| You can't just add circuits and discrete components like an
| extra led without screwing up RF sensitivity. Cf. "Rf desense",
| for example.
| andrewcl wrote:
| You have to wonder if it is over engineering, or a resolution
| for something they've discovered from shipping so many phones.
| I wouldn't think of the camera as a security vector, but maybe
| Apple thinks it is?
| TheNewsIsHere wrote:
| The camera and mic are generally regarded as security
| sensitive because of the possibility that they can be used to
| surveil. That's why it's a selling point to have physical
| hardware or hardware-bound controls or indicators that can't
| be bypassed by the OS.
| api wrote:
| What if they want to add Face ID to the Mac but have the camera
| light _not_ illuminate for that internal function, since that
| can also be developed securely so that nothing in user space
| can access the camera during that query.
| mrud wrote:
| https://news.ycombinator.com/item?id=42260379 has more details
| on some of the history.
| linux2647 wrote:
| I think it's not just the camera LED, but the indicators that
| appear on screen, like the amber, green, or blue dots that
| appear in the menu bar when the microphone, camera, or screen
| recording are accessed by apps.
| supriyo-biswas wrote:
| > just gating of either the digital I/O or the power to the
| camera, and a pulse-stretcher so the LED goes on for at least a
| few seconds each time to prevent an attack by rapidly flicking
| the camera logic on and off.
|
| They'd be unable to roll out the feature to older iPhones if
| they did this.
|
| I guess for newer iPhones this is not as big of a deal since
| they have a big-ass notch anyway, however Apple also has a
| large customer base that only buys their older products (like
| me), and saying that their older products have worse security
| than their newer ones is probably not the kind of message they
| want to send, even if it might potentially get them some new
| sales.
| 0cf8612b2e1e wrote:
| What product line anywhere says, "Buy our old models, just as
| good as the latest!"
| runjake wrote:
| It's not over engineering. It's because of research like this,
| along with other researchers like Charlie Miller.
|
| Apple generally isn't out to make things willfully
| overcomplicated without good reason.
|
| https://news.ycombinator.com/item?id=42260379
| lambdaone wrote:
| All of which is fantastic, until you can't trust Apple
| because they are under a secret obligation to disable that
| feature. Non-programmable hardware gating the I/O lines or
| power isn't hackable in the same way.
| talkingtab wrote:
| Reference to Mach for historical reasons. Using IPC instead of
| traps.
|
| https://en.wikipedia.org/wiki/Mach_(kernel)
| api wrote:
| We could have avoided so much hardware and OS complexity if we'd
| instead (mostly) discarded the idea of shipping and running
| compiled code directly on the hardware.
|
| TL;DR: we are doing things in hardware that ought to be done in
| software, and we're giving software too close to metal access.
|
| User mode should be something like the JVM, but more language-
| neutral, something based around WASM for example. The runtime for
| this should ideally be written in a memory safe language and very
| extensively tested. User mode code should not have access to raw
| pointers, raw CPU, etc.
|
| If we'd done this we also could have elevated things like the
| common API beyond the lowest common denominator of C. We used to
| have a ton of research and some fielded systems like this:
| Smalltalk, LISP machines, the JVM, the CLR, etc. The JVM and the
| CLR are still quite alive and well but the HN world seems to hate
| them for some reason. Smalltalk and efforts like the LISP
| machines died out.
| jandrewrogers wrote:
| So your solution is to nerf the computer in terms of both
| performance and functionality? There is a lot of software that
| cannot be properly written without being very close to the
| metal e.g. database kernels.
| api wrote:
| There would almost certainly be an escape hatch, but it would
| require user approval to run native code. It would probably
| be in the form of libraries that could be 'blessed' to run
| native. The vast majority of software does not need this.
| sroussey wrote:
| MS had a research project that built an OS from CLR.
|
| One of the great things about it (in my opinion) was the lack
| of context switching. It broke a fundamental assumption about
| how an OS should work. It could also do global optimizations.
| api wrote:
| Oh yeah, forgot about that: you can do profile guided
| optimization on the entire running image of code in the
| machine.
|
| I wonder how much of a boost you'd get for that? I'm sure it
| would depend on the work load.
| cantrecallmypwd wrote:
| seL4 is awesome for its formal engineering. One of the main
| gotchas though with purer (less hybrid) microkernel architectures
| is the coordination of transactions that touch multiple services,
| i.e., a system call or event that touches multiple hardware areas
| and must execute rollback code should any one of them fail.
___________________________________________________________________
(page generated 2025-03-10 23:01 UTC)