Thursday, May 9, 2024

Apple Platform Security Guide (May 2024)

Apple (PDF, via Ivan Krstić):

Unless otherwise noted, this documentation covers the following operating system versions: iOS 17.3, iPadOS 17.3, macOS 14.3, tvOS 17.3, and watchOS 10.3.


Topics added:

I thought I must have missed last year’s update, but it looks like the previous revision was in December 2022.


Certain instructions on ARM64, including but not limited to those described in Arm Architecture Registers for Future Architecture Technologies, may take a different amount of time to run depending on the data values on which they operate. Malicious code running on the device might use this property to infer information about the data the CPU processes, such as cryptographic keys, or other sensitive data.

Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant amount of time. With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data. When you write software specifically to avoid leaking internal information and to run code in constant time, enabling DIT — and restricting your code to instructions that support DIT — before loading cryptographic key material, performing cryptographic operations, or processing sensitive data ensures the timing of specific instructions doesn’t reveal information about the data being processed.
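The passage above describes two things the developer must do together: keep the sensitive code path on DIT-covered instructions (loads, stores, bitwise and arithmetic ops, with no data-dependent branches or table lookups), and turn DIT on before the key material is touched. The following C is an added example written for this post; it is not code from Apple's guide or from any Apple framework. It assumes the ACLE macro `__ARM_FEATURE_DIT`, the `mrs`/`msr dit` mnemonics and bit 24 as the DIT flag in the register view, all from the Arm architecture, and it compiles to a no-op on non-ARM64 targets so the constant-time compare can still be exercised anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Enable PSTATE.DIT on an ARM64 build whose target advertises FEAT_DIT
 * (ACLE macro __ARM_FEATURE_DIT). Returns the previous DIT register value
 * so the caller can restore it. On other targets this is a no-op.
 * Assumption for this example: "mrs/msr dit" mnemonics and bit 24 as the
 * DIT flag position, as documented by Arm, not by Apple's guide. */
static uint64_t dit_enter(void)
{
#if defined(__aarch64__) && defined(__ARM_FEATURE_DIT)
    uint64_t prev;
    __asm__ volatile("mrs %0, dit" : "=r"(prev));
    __asm__ volatile("msr dit, #1" ::: "memory");
    return prev;
#else
    return 0;
#endif
}

static void dit_leave(uint64_t prev)
{
#if defined(__aarch64__) && defined(__ARM_FEATURE_DIT)
    /* Only clear DIT if it was clear when we entered. */
    if ((prev & (1ULL << 24)) == 0)
        __asm__ volatile("msr dit, #0" ::: "memory");
#else
    (void)prev;
#endif
}

/* Constant-time equality check of n bytes, e.g. MAC tag verification.
 * Only loads, XOR, OR and shifts touch the secret data: no data-dependent
 * branch, no early exit, no table lookup. Returns 1 if equal, else 0. */
int ct_bytes_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint64_t prev = dit_enter();
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    dit_leave(prev);
    /* diff is 0..255; (diff - 1) >> 8 has its low bit set only when diff == 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Branchy version, shown for contrast: it returns at the first mismatch,
 * so its running time depends on how many leading bytes matched. DIT does
 * not help here, because the leak comes from the branch, not the instruction. */
int leaky_bytes_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample tags, not real key material. */
    const uint8_t expected[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe};
    const uint8_t received[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xff};

    printf("constant-time compare: %d\n", ct_bytes_equal(expected, received, 8));
    printf("branchy compare:       %d\n", leaky_bytes_equal(expected, received, 8));
    return 0;
}
```

Both functions return the same answers; the difference the quoted passage cares about is only visible in timing. The wrapper pattern (save, enable, do the sensitive work, restore) keeps DIT scoped to the code that needs it, since the worst-case instruction latency is paid for everything executed while it is on.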


Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). This system removes malware upon receiving updated information, and it continues to periodically check for infections; however, XProtect doesn’t automatically restart the Mac. In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.

Via tsunekoh:

The latest Apple Platform Security documentation includes a description of XProtectBehaviorService.

Phil Stokes:

So Apple…what they don’t say there is that this behavior “service” just logs “information” back to Apple, doesn’t report what it finds to the user (so no investigation, triage or root cause analysis) nor does it actually block or remediate anything.


Update (2024-05-10): Howard Oakley:

On the other hand, XProtectRemediator “continues to periodically check for infections” in background scans run every 24 hours or so. When it detects what it considers to be malicious software, it automatically tries to remove or ‘remediate’ it without informing the user, and “doesn’t automatically reboot the Mac.”

This was made clearer with the recent release of XProtect Remediator version 132, which took a dislike to some of the optional components in Xcode. A recent amendment to Apple’s release notes for Xcode 15.3 makes it clear that XProtect Remediator’s false positive did change Xcode without informing the user in any way. The only indication that a remediation was taking place was an authentication dialog for the change to be made to the Xcode app, and there was no indication given to the user that this was part of any malware remediation.

Update (2024-05-15): Gui Rambo:

It looks like iPadOS running on M4 has a “Secure Exclave” running an “ExclaveOS” 👀 Where’s the updated Apple platform security PDF? 😅
