In collaboration with Lookout and Google (thank you 🙏) we have been working on tearing down and building detections for DarkSword - iOS exploit chain for iOS 18.4 - 18.7. Super excited for this research 🎉. Please update your iPhones.
Mateusz Krzywicki
- 281 Followers
- 271 Following
- 153 Posts
📱 Vulnerability Researcher. Bugs 🐛 & Exploits 🤯
blacktopNEW macOS 26.3 🥫🍝 sauce! 🎉
xnu:
https://github.com/apple-oss-distributions/xnu/compare/xnu-12377.61.12...xnu-12377.81.4
dyld:
https://github.com/apple-oss-distributions/dyld/compare/dyld-1335...dyld-1340
- this post was generated by `ipsw` 🤖
Obsidian
jiska 🦄
Apple added new mitigations to iOS: SPTM, TXM, and Exclaves. Even in the case of a kernel compromise, various components stay protected. You can read about more technical details in Moritz' thesis: https://arxiv.org/abs/2510.09272
Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves
The XNU kernel is the basis of Apple's operating systems. Although labeled as a hybrid kernel, it is found to generally operate in a monolithic manner by defining a single privileged trust zone in which all system functionality resides. This has security implications, as a kernel compromise has immediate and significant effects on the entire system. Over the past few years, Apple has taken steps towards a more compartmentalized kernel architecture and a more microkernel-like design. To date, there has been no scientific discussion of SPTM and related security mechanisms. Therefore, the understanding of the system and the underlying security mechanisms is minimal. In this paper, we provide a comprehensive analysis of new security mechanisms and their interplay, and create the first conclusive writeup considering all current mitigations. SPTM acts as the sole authority regarding memory retyping. Our analysis reveals that, through SPTM domains based on frame retyping and memory mapping rule sets, SPTM introduces domains of trust into the system, effectively gapping different functionalities from one another. Gapped functionality includes the TXM, responsible for code signing and entitlement verification. We further demonstrate how this introduction lays the groundwork for the most recent security feature of Exclaves, and conduct an in-depth analysis of its communication mechanisms. We discover multifold ways of communication, most notably xnuproxy as a secure world request handler, and the Tightbeam IPC framework. The architecture changes are found to increase system security, with key and sensitive components being moved out of XNU's direct reach. This also provides additional security guarantees in the event of a kernel compromise, which is no longer an immediate threat at the highest trust level.
GrapheneOSThis article by Nicolas Stefanski at Synacktiv provides a high quality technical overview of our hardened_malloc project used in GrapheneOS:
https://www.synacktiv.com/en/publications/exploring-grapheneos-secure-allocator-hardened-malloc
It has great coverage of the memory layout, memory tagging integration, slab quarantines and allocation approach.
Pierre H.kalloc_type was really only the fist step, of a much larger protection.
We call it Memory Integrity Enforcement.
https://security.apple.com/blog/memory-integrity-enforcement/
Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research
Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our advanced operating system security to provide industry-first, always-on memory safety protection across our devices — without compromising our best-in-class device performance. We believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.
raptor 
The new Xref Tree in #IDA 9.2 in pretty useful
https://hex-rays.com/blog/mapping-relationships-in-ida-9.2-dynamic-xref-graph-and-xref-tree
eShardOur journey with our #iOS emulator continues.
We show how we reached the home screen, enabled multitouch, unlocked network access, and started running real apps 👉 https://eshard.com/posts/emulating-ios-14-with-qemu-part2
Jan Wildeboer 😷
On the limits of LLMs (Large Language models) and LRMs (Large Reasoning Models). The TL;DR: "Our findings reveal fundamental limitations in current models: despite sophisticated self-reflection mechanisms, these models fail to develop generalizable reasoning capabilities beyond certain complexity thresholds." Meaning: accuracy collapse.
Interesting paper from Apple. https://ml-site.cdn-apple.com/papers/the-illusion-of-thinking.pdf
buheratorFine, I made my own Markdown to HTML document generator (with Blackjack and hookers):
https://github.com/v-p-b/sugardocy
It takes a single MD file, and outputs a single, self-contained HTML file without downloading the kitchen sink.
Contributions are welcome, esp. if you have better taste and frontend skills than I do.
https://github.com/v-p-b/sugardocy
It takes a single MD file, and outputs a single, self-contained HTML file without downloading the kitchen sink.
Contributions are welcome, esp. if you have better taste and frontend skills than I do.
