Mateusz Krzywicki

281 Followers
271 Following
153 Posts
📱 Vulnerability Researcher. Bugs 🐛 & Exploits 🤯

In collaboration with Lookout and Google (thank you 🙏) we have been working on tearing down and building detections for DarkSword - iOS exploit chain for iOS 18.4 - 18.7. Super excited for this research 🎉. Please update your iPhones.

https://iverify.io/blog/darksword-ios-exploit-kit-explained

Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites

Shortly after our publication on the Coruna exploit kit, a collaborating researcher at Lookout flagged a suspicious-looking URL possibly related to the threat actor from Russia linked with Coruna.

GitHub - apple-oss-distributions/xnu


Obsidian 1.12 is now available to everyone!

- Obsidian CLI
- Bases search
- Image resizing
- Automatically clean up unused images
- Better copy/paste into rich text apps like Google Docs
- Native iOS share sheet

@madcoder @fay59 is Filip here to read your heresy?
@fay59 rdar://62544038 - this would def win in category "best maintainer response" if you introduce internal pwnies. Can you comment "I told you so." for me on it?
@carrot_c4k3 all the best in 2026 fam
Apple added new mitigations to iOS: SPTM, TXM, and Exclaves. Even in the case of a kernel compromise, various components stay protected. You can read about more technical details in Moritz' thesis: https://arxiv.org/abs/2510.09272
Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves

The XNU kernel is the basis of Apple's operating systems. Although labeled as a hybrid kernel, it is found to generally operate in a monolithic manner by defining a single privileged trust zone in which all system functionality resides. This has security implications, as a kernel compromise has immediate and significant effects on the entire system. Over the past few years, Apple has taken steps towards a more compartmentalized kernel architecture and a more microkernel-like design. To date, there has been no scientific discussion of SPTM and related security mechanisms. Therefore, the understanding of the system and the underlying security mechanisms is minimal. In this paper, we provide a comprehensive analysis of new security mechanisms and their interplay, and create the first conclusive writeup considering all current mitigations. SPTM acts as the sole authority regarding memory retyping. Our analysis reveals that, through SPTM domains based on frame retyping and memory mapping rule sets, SPTM introduces domains of trust into the system, effectively gapping different functionalities from one another. Gapped functionality includes the TXM, responsible for code signing and entitlement verification. We further demonstrate how this introduction lays the groundwork for the most recent security feature of Exclaves, and conduct an in-depth analysis of its communication mechanisms. We discover multifold ways of communication, most notably xnuproxy as a secure world request handler, and the Tightbeam IPC framework. The architecture changes are found to increase system security, with key and sensitive components being moved out of XNU's direct reach. This also provides additional security guarantees in the event of a kernel compromise, which is no longer an immediate threat at the highest trust level.

arXiv.org

This article by Nicolas Stefanski at Synacktiv provides a high quality technical overview of our hardened_malloc project used in GrapheneOS:

https://www.synacktiv.com/en/publications/exploring-grapheneos-secure-allocator-hardened-malloc

It has great coverage of the memory layout, memory tagging integration, slab quarantines and allocation approach.

Exploring GrapheneOS secure allocator: Hardened Malloc

Synacktiv
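The slab quarantine the post above mentions, as an added example that is not hardened_malloc's or Synacktiv's code: a toy fixed-size slab in C whose freed slots pass through a FIFO quarantine ring before they can be handed out again, so a dangling pointer keeps pointing at a canary-filled, unallocated slot instead of a freshly reallocated object. Slot size, slot count, the quarantine depth and the canary byte are assumed values chosen for the demo, not hardened_malloc's parameters.

```c
// Added example, not hardened_malloc's own code. A minimal slab allocator
// with a FIFO free-slot quarantine, to show the delayed-reuse idea.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE   64   /* assumed */
#define SLOT_COUNT  8    /* assumed */
#define QUARANTINE  4    /* assumed: freed slots held before they become reusable */

typedef struct {
    uint8_t mem[SLOT_COUNT][SLOT_SIZE];
    bool    in_use[SLOT_COUNT];
    int     quarantine[QUARANTINE]; /* ring of recently freed slot indexes */
    int     q_head, q_len;
    int     free_list[SLOT_COUNT];  /* slots eligible for reuse */
    int     free_len;
} slab_t;

static void slab_init(slab_t *s) {
    memset(s, 0, sizeof *s);
    for (int i = 0; i < SLOT_COUNT; i++) s->free_list[s->free_len++] = i;
}

/* Returns a slot index, or -1 when no reusable slot exists.
   Quarantined slots are never handed out. */
static int slab_alloc(slab_t *s) {
    if (s->free_len == 0) return -1;
    int idx = s->free_list[--s->free_len];
    s->in_use[idx] = true;
    memset(s->mem[idx], 0, SLOT_SIZE);
    return idx;
}

/* Frees a slot into the quarantine ring. When the ring is full, the oldest
   entry is evicted and only then becomes reusable. The canary fill makes a
   stale read visible; the in_use check rejects invalid and double frees. */
static int slab_free(slab_t *s, int idx) {
    if (idx < 0 || idx >= SLOT_COUNT || !s->in_use[idx]) return -1;
    s->in_use[idx] = false;
    memset(s->mem[idx], 0xAA, SLOT_SIZE);
    if (s->q_len == QUARANTINE) {
        int evicted = s->quarantine[s->q_head];
        s->quarantine[s->q_head] = idx;
        s->q_head = (s->q_head + 1) % QUARANTINE;
        s->free_list[s->free_len++] = evicted;
    } else {
        s->quarantine[(s->q_head + s->q_len) % QUARANTINE] = idx;
        s->q_len++;
    }
    return 0;
}

/* Scenario: fill the slab, free one slot, count how many further frees are
   needed before that slot is handed out again. Returns -100 if the freed
   slot was reused immediately (i.e. the quarantine did not work). */
static int frees_before_reuse(void) {
    slab_t s;
    slab_init(&s);
    int slot[SLOT_COUNT];
    for (int i = 0; i < SLOT_COUNT; i++) slot[i] = slab_alloc(&s);
    int victim = slot[0];
    slab_free(&s, victim);
    if (slab_alloc(&s) != -1) return -100;
    int frees = 0;
    for (int i = 1; i < SLOT_COUNT; i++) {
        slab_free(&s, slot[i]);
        frees++;
        if (slab_alloc(&s) == victim) return frees;
    }
    return -1;
}

/* Returns 1 when the second free of the same slot is rejected. */
static int double_free_is_rejected(void) {
    slab_t s;
    slab_init(&s);
    int a = slab_alloc(&s);
    return slab_free(&s, a) == 0 && slab_free(&s, a) == -1;
}

int main(void) {
    printf("frees before a freed slot is reused: %d\n", frees_before_reuse());
    printf("double free rejected: %d\n", double_free_is_rejected());
    return 0;
}
```

The measurable property is that a freed slot only comes back after QUARANTINE further frees of the same size class, which is what turns a use-after-free into a read of canary bytes rather than of attacker-controlled replacement data; a real allocator adds randomised slot selection and tagging on top of this.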

kalloc_type was really only the first step of a much larger protection.

We call it Memory Integrity Enforcement.

https://security.apple.com/blog/memory-integrity-enforcement/

Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research

Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our advanced operating system security to provide industry-first, always-on memory safety protection across our devices — without compromising our best-in-class device performance. We believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.