SPTM & TXM -- iOS 17+ Mitigations

SPTM (Secure Page Table Monitor) and TXM (Trusted Execution Monitor) are next-generation mitigations running at EL2 (hypervisor level). They replace PPL and AMFI/CoreTrust respectively. These are currently the biggest barriers to iOS exploitation.

SPTM – Secure Page Table Monitor

Architecture

Before SPTM (PPL):                After SPTM:
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ EL0: Userspace     β”‚            β”‚ EL0: Userspace     β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€            β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ EL1: Kernel        β”‚            β”‚ EL1: Kernel        β”‚
β”‚  β”œβ”€β”€ Normal kernel β”‚            β”‚  └── Cannot touch  β”‚
β”‚  └── PPL (special  β”‚            β”‚      page tables   β”‚
β”‚       mode via APRRβ”‚            β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚       = page table β”‚            β”‚ EL2: SPTM          β”‚
β”‚       access)      β”‚            β”‚  └── Manages ALL   β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€            β”‚      page tables +  β”‚
β”‚ EL2: (unused)      β”‚            β”‚      page types     β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€            β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ EL3: Secure Monitorβ”‚            β”‚ EL3: Secure Monitorβ”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜            β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Key Differences from PPL

Feature PPL SPTM
Execution level EL1 (special mode) EL2 (hypervisor)
Isolation mechanism APRR permission remapping True EL separation
Physical memory access Vulnerable to physrw Protected: page type tracking
Attack via kernel r/w Possible (access PPL data) Not possible (different address space)
Code location Kernel __TEXT Separate EL2 binary

Page Type Tracking

SPTM assigns a type to every physical page:

Page types:
  SPTM_PAGE_FREE        β€” Not allocated
  SPTM_PAGE_USER        β€” Mapped to userspace process
  SPTM_PAGE_KERNEL      β€” Mapped to kernel
  SPTM_PAGE_TABLE       β€” Used as page table
  SPTM_PAGE_SPTM        β€” SPTM's own memory
  SPTM_PAGE_TXM         β€” TXM's memory
  SPTM_PAGE_IOMMU       β€” I/O memory

Transition rules:
  USER β†’ FREE    : allowed (process exits, page released)
  FREE β†’ KERNEL  : allowed (kernel allocates page)
  USER β†’ KERNEL  : BLOCKED! ← This kills physical UAF escalation
  USER β†’ TABLE   : BLOCKED!
  KERNEL β†’ USER  : Requires explicit transition through SPTM

Impact on PUAF Exploitation

Pre-SPTM:
  PUAF bug β†’ physical page freed but still mapped in user process
  β†’ Kernel reallocates page for kernel object or page table
  β†’ User process reads/writes kernel data via dangling mapping
  βœ“ WORKS

Post-SPTM:
  PUAF bug β†’ physical page freed but still mapped in user process
  β†’ Page type = USER (because still mapped to user)
  β†’ SPTM REFUSES to reallocate as KERNEL or TABLE type
  β†’ Page can only be reused by OTHER user processes
  βœ— Cannot escalate to kernel access
  
  Partial: user→user PUAF still possible
  β†’ Read/write other processes' memory
  β†’ But NOT kernel memory

SPTM API (from the kernel’s perspective)

Kernel CANNOT:
  - Write to page table pages directly
  - Change page types
  - Map arbitrary physical addresses

Kernel CAN:
  - Request SPTM to create/remove mappings via API:
    sptm_map_page(pmap, va, pa, prot, ...)
    sptm_unmap_page(pmap, va)
  
  SPTM validates:
    - Source page type matches request
    - Permissions are allowed
    - No security-violating transitions

TXM – Trusted Execution Monitor

Architecture

TXM replaces AMFI/CoreTrust’s role in code signing verification:

Pre-TXM:
  Binary execution β†’ AMFI (kernel kext) β†’ amfid (userspace)
  β†’ CoreTrust (kernel kext) β†’ certificate validation
  β†’ Kernel trusts result β†’ allow/deny

Post-TXM:
  Binary execution β†’ Kernel asks TXM (EL2) to verify
  β†’ TXM independently verifies code signature
  β†’ TXM returns decision to kernel
  β†’ Kernel CANNOT override TXM decision

Impact on Jailbreaking

Pre-TXM:
  Kernel r/w β†’ patch AMFI checks β†’ bypass code signing
  Kernel r/w β†’ inject trust cache β†’ run unsigned code
  βœ“ Kernel exploit sufficient

Post-TXM:
  Kernel r/w β†’ CANNOT patch TXM (runs at EL2)
  Kernel r/w β†’ Trust cache injection BLOCKED (TXM manages trust caches)
  βœ— Kernel exploit NOT sufficient
  Need: TXM vulnerability + SPTM vulnerability + kernel vulnerability

Attacking SPTM/TXM (Theoretical)

1. SPTM Vulnerability

SPTM is software (runs at EL2) β†’ it can have bugs
  - Logic bugs in page type transition validation
  - Memory corruption in SPTM's own data structures
  - Race conditions in concurrent page operations
  
But: the SPTM codebase is very small, highly audited

2. Hardware Attacks

- Undocumented hardware features (a la Operation Triangulation)
- DMA attacks (if IOMMU is not properly configured)
- Side channels (timing, power analysis)

3. Architectural Weaknesses

- SPTM/kernel interface bugs
- Information leaks from EL2 β†’ EL1
- Boot chain attacks (compromise before SPTM initialized)

Current State (2026)

iOS 17-18 on A15+ devices:
  - No public SPTM/TXM bypass
  - No public jailbreak
  - Difficulty level: extreme
  
iOS 17-18 on A14 and older:
  - Still uses PPL (not SPTM)
  - PPL bypasses still applicable
  - Jailbreak possible if a kernel exploit exists

Resources