Exclaves are Apple's newest isolated execution environments. Combined with SPTM and TXM, they add an isolation boundary that a kernel compromise alone does not cross, the deepest defense-in-depth Apple has shipped on the application processor to date.


Concept

Before Exclaves:
  Security-critical code runs in the kernel (EL1)
  → Kernel compromise = everything lost

Exclaves:
  Security-critical code runs in isolated environments
  → Kernel compromise ≠ access to exclave data
  → Each exclave must be compromised separately

Architecture

┌──────────────────────────────────────┐
│ EL0: Userspace apps                  │
├──────────────────────────────────────┤
│ EL1: XNU kernel                      │
│   - Reduced trust boundary           │
│   - Cannot access exclave memory     │
├──────────────────────────────────────┤
│ EL2: SPTM + TXM                      │
│   - Page table management (SPTM)     │
│   - Code signing verification (TXM)  │
├──────────────────────────────────────┤
│ Exclaves:                            │
│   ┌────────────┐ ┌────────────┐      │
│   │ Exclave A  │ │ Exclave B  │ ...  │
│   │ (crypto)   │ │ (biometric)│      │
│   └────────────┘ └────────────┘      │
│   - Isolated memory                  │
│   - Separate code                    │
│   - Minimal interface to kernel      │
├──────────────────────────────────────┤
│ Secure Enclave (SEP)                 │
│   - Keys, biometrics, Secure Boot    │
└──────────────────────────────────────┘

(The SEP is drawn as the bottom layer for comparison; it is a separate processor, not a lower exception level of the application CPU.)
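The rule behind "Cannot access exclave memory" in the diagram is page ownership: the monitor, not the kernel, decides which physical frames each domain may map. The following is an added example, not Apple's code and not the SPTM's real interface; the names (`monitor_map`, `monitor_retype`, `domain_t`, the frame table and translation slots) are assumptions made for illustration. It models a page-ownership monitor in C and then plays a fully compromised kernel that can call the monitor at will but cannot edit translation tables or frame metadata, showing that every route to an exclave-owned frame is refused until the exclave releases the frame, which is scrubbed before the kernel can claim it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a page-ownership monitor in the spirit of SPTM.
 * Every name here is illustrative, NOT Apple's API or data layout.
 * Invariant: each frame has one owner domain, domains never write their own
 * translation tables, and the monitor refuses any map or retype that would
 * let one domain reach another domain's frame. */
typedef enum { DOM_XNU = 0, DOM_EXCLAVE_A = 1, DOM_COUNT = 2 } domain_t;
typedef enum { FT_FREE = 0, FT_DATA = 1 } frame_type_t;

#define NFRAMES     8
#define NSLOTS      4
#define FRAME_BYTES 16

typedef struct {
    frame_type_t type;
    domain_t     owner;     /* valid only when type != FT_FREE */
    unsigned     mappings;  /* live translation entries pointing here */
} frame_meta_t;

static frame_meta_t frame_meta[NFRAMES];
static uint8_t      frame_mem[NFRAMES][FRAME_BYTES];
/* Per-domain translation table: slot -> frame index, -1 if unmapped.
 * Monitor-private: a domain cannot edit even its own table directly. */
static int xlat[DOM_COUNT][NSLOTS];

void monitor_reset(void)
{
    memset(frame_meta, 0, sizeof frame_meta);
    memset(frame_mem, 0, sizeof frame_mem);
    for (int d = 0; d < DOM_COUNT; d++)
        for (int s = 0; s < NSLOTS; s++) xlat[d][s] = -1;
}

/* A free frame may be claimed by any caller. An owned frame may be released
 * only by its owner, only with no live mappings, and it is scrubbed first. */
bool monitor_retype(domain_t caller, int frame, frame_type_t new_type)
{
    if ((unsigned)caller >= DOM_COUNT || frame < 0 || frame >= NFRAMES) return false;
    frame_meta_t *f = &frame_meta[frame];
    if (new_type == FT_FREE) {
        if (f->type == FT_FREE || f->owner != caller || f->mappings != 0) return false;
        memset(frame_mem[frame], 0, FRAME_BYTES);   /* no stale data for next owner */
        f->type = FT_FREE;
        return true;
    }
    if (f->type != FT_FREE) return false;           /* cannot take over a live frame */
    f->type = new_type; f->owner = caller; f->mappings = 0;
    return true;
}

/* Install a mapping in the caller's own table; ownership is checked first. */
bool monitor_map(domain_t caller, int slot, int frame)
{
    if ((unsigned)caller >= DOM_COUNT || slot < 0 || slot >= NSLOTS) return false;
    if (frame < 0 || frame >= NFRAMES || xlat[caller][slot] != -1) return false;
    frame_meta_t *f = &frame_meta[frame];
    if (f->type != FT_DATA || f->owner != caller) return false;
    xlat[caller][slot] = frame;
    f->mappings++;
    return true;
}

bool monitor_unmap(domain_t caller, int slot)
{
    if ((unsigned)caller >= DOM_COUNT || slot < 0 || slot >= NSLOTS) return false;
    int frame = xlat[caller][slot];
    if (frame == -1) return false;
    xlat[caller][slot] = -1;
    frame_meta[frame].mappings--;
    return true;
}

/* Memory access as the MMU resolves it: only through the caller's own table. */
bool domain_access(domain_t caller, int slot, uint8_t *buf, size_t n, bool write)
{
    if ((unsigned)caller >= DOM_COUNT || slot < 0 || slot >= NSLOTS || n > FRAME_BYTES) return false;
    int frame = xlat[caller][slot];
    if (frame == -1) return false;
    if (write) memcpy(frame_mem[frame], buf, n); else memcpy(buf, frame_mem[frame], n);
    return true;
}

/* Exclave A stores a constructed secret; a compromised XNU then tries every
 * route to it. Returns true when all routes are refused and the frame reaches
 * XNU only after the exclave releases it, scrubbed. */
bool scenario_compromised_kernel(void)
{
    uint8_t secret[4] = { 0xDE, 0xAD, 0xBE, 0xEF }, buf[4] = { 0 };
    monitor_reset();
    if (!monitor_retype(DOM_EXCLAVE_A, 3, FT_DATA)) return false;
    if (!monitor_map(DOM_EXCLAVE_A, 0, 3)) return false;
    if (!domain_access(DOM_EXCLAVE_A, 0, secret, 4, true)) return false;

    if (monitor_map(DOM_XNU, 0, 3)) return false;               /* map it directly */
    if (monitor_retype(DOM_XNU, 3, FT_DATA)) return false;      /* claim ownership */
    if (monitor_retype(DOM_XNU, 3, FT_FREE)) return false;      /* free it for reuse */
    if (domain_access(DOM_XNU, 0, buf, 4, false)) return false; /* read via own table */

    /* Legitimate release: owner unmaps and frees (scrubbed), then XNU may claim. */
    if (!monitor_unmap(DOM_EXCLAVE_A, 0)) return false;
    if (!monitor_retype(DOM_EXCLAVE_A, 3, FT_FREE)) return false;
    if (!monitor_retype(DOM_XNU, 3, FT_DATA)) return false;
    if (!monitor_map(DOM_XNU, 0, 3)) return false;
    if (!domain_access(DOM_XNU, 0, buf, 4, false)) return false;
    return memcmp(buf, secret, 4) != 0;                          /* stale secret gone */
}

int main(void)
{
    printf("compromised kernel isolated from exclave frame: %s\n",
           scenario_compromised_kernel() ? "yes" : "NO");
    return 0;
}
```

The point of the model is where the check lives: the kernel's "arbitrary read/write" from step 1 of the exploit chain buys writes to frames it already owns, not edits to the frame table or the translation tables, which is why a separate monitor-level bug is needed before exclave memory comes into reach.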

Exclaves vs Secure Enclave

Feature       Secure Enclave (SEP)                Exclaves
------------  ----------------------------------  ---------------------------------------
Hardware      Separate processor on the SoC       Application processor, isolated domain
Use case      Keys, biometrics, Secure Boot       Various security-critical tasks
Interface     Mailbox (very limited)              Structured API
Isolation     Physical (separate processor)       Logical (SPTM-enforced)
Performance   High latency                        Lower latency

Impact on Exploitation

iOS 18+ exploit chain requirements (which steps apply depends on the attacker's goal):
  1. Vulnerability in kernel (EL1) → kernel r/w
  2. SPTM bypass (EL2) → page table control
  3. TXM bypass (EL2) → code signing bypass
  4. Exclave bypass → access to sensitive operations
  5. Possibly: SEP bypass → access to keys

Each step requires a separate vulnerability, and each boundary is enforced by a different component, so one bug class rarely carries across two of them.
Full chain complexity: extreme.

Current Knowledge

Exclaves are very new (iOS 18, late 2024). Public research is still very limited:

  • Apple documents them in the Platform Security Guide
  • Conference presentations are starting to appear (Recon, OffensiveCon, BlackHat)
  • No public exploit or bypass has been published as of this writing

This is the frontier of iOS security research.