

Apple Claims 'Most Significant Upgrade to Memory Safety' in OS History (apple.com)

(Sunday September 14, 2025 @10:34PM (EditorDavid) from the thinking-different dept.)


"There has never been a successful, widespread malware attack against iPhone," [1]notes Apple's security blog, pointing out that "The only system-level iOS attacks we observe in the wild come from mercenary spyware... historically associated with state actors and [using] exploit chains that cost millions of dollars..."

But they're doing something about it — this week announcing a new always-on memory-safety protection in the iPhone 17 lineup and iPhone Air (including the kernel and over 70 userland processes)...

> Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry... For Apple, improving memory safety is a [2]broad effort that includes developing with safe languages and deploying mitigations at scale...

>

> Our analysis found that, when employed as a real-time defensive measure, the original Arm [3]Memory Tagging Extension (MTE) release exhibited weaknesses that were unacceptable to us, and we worked with Arm to address these shortcomings in the new [4]Enhanced Memory Tagging Extension (EMTE) specification, released in 2022. More importantly, our analysis showed that while EMTE had great potential as specified, a rigorous implementation with deep hardware and operating system support could be a breakthrough that produces an extraordinary new security mechanism.... Ultimately, we determined that to deliver truly best-in-class memory safety, we would carry out a massive engineering effort spanning all of Apple — including updates to Apple silicon, our operating systems, and our software frameworks. This effort, together with our highly successful secure memory allocator work, would transform MTE from a helpful debugging tool into a groundbreaking new security feature.

>

> Today we're introducing the culmination of this effort: Memory Integrity Enforcement (MIE), our comprehensive memory safety defense for Apple platforms. Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies. MIE is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air and offers unparalleled, always-on memory safety protection for our key attack surfaces including the kernel, while maintaining the power and performance that users expect. In addition, we're making EMTE available to all Apple developers in Xcode as part of the new [5]Enhanced Security feature that we released earlier this year during WWDC...

>

> Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products. Because of how dramatically it reduces an attacker's ability to exploit memory corruption vulnerabilities on our devices, we believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.
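The mechanism Apple describes above, as an added illustration in C. This is not Apple's or Arm's code and it issues no real MTE instructions (those need Armv8.5+ hardware and OS support); it is a software model of MTE-style tagging. The 16-byte granule, the 4-bit tag and the tag's home in the pointer's top byte follow the MTE design; the bump allocator, the PRNG and every function name are this example's own assumptions. It shows the three things the post asserts in words: a linear overflow into a neighbouring object faults on the exact store (synchronous mode), a stale pointer faults after free because freeing re-tags the memory, and a forged pointer has a 1-in-16 chance of passing, which is why tag confidentiality policies matter as much as the check itself.

```c
/* Added example, not Apple's or Arm's code: a software model of MTE-style
 * memory tagging. Granule size, tag width and top-byte tag placement follow
 * MTE; the allocator, PRNG and all names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE     16                  /* MTE tags memory per 16-byte granule */
#define ARENA_BYTES 4096
#define NGRANULES   (ARENA_BYTES / GRANULE)
#define TAG_SHIFT   56                  /* tag lives in the pointer's top byte */
#define TAG_MASK    0xFULL              /* 4-bit tag: 16 possible values */

typedef uint64_t tptr;                  /* a tagged pointer */
static _Alignas(GRANULE) uint8_t arena[ARENA_BYTES];
static uint8_t  granule_tag[NGRANULES]; /* allocation tag stored beside each granule */
static size_t   next_free;              /* bump allocator position, in granules */
static uint32_t rng = 0x9E3779B9u;      /* deterministic PRNG so runs reproduce */

static uint8_t random_tag(void) { rng = rng * 1664525u + 1013904223u; return (uint8_t)((rng >> 24) & TAG_MASK); }
static tptr make_tagged(void *p, uint8_t tag) {
    return ((uint64_t)(uintptr_t)p & ~(TAG_MASK << TAG_SHIFT)) | ((uint64_t)tag << TAG_SHIFT);
}
static void   *strip(tptr tp)   { return (void *)(uintptr_t)(tp & ~(TAG_MASK << TAG_SHIFT)); }
static uint8_t ptr_tag(tptr tp) { return (uint8_t)((tp >> TAG_SHIFT) & TAG_MASK); }
static int granule_index(const void *p) {
    uintptr_t off = (uintptr_t)p - (uintptr_t)arena;
    return off < ARENA_BYTES ? (int)(off / GRANULE) : -1;
}

/* Allocate whole granules and colour them with a tag that differs from the left
 * neighbour, so a linear overflow always crosses a tag boundary (real allocators
 * use the IRG instruction's exclusion mask for this). */
static tptr tagged_alloc(size_t n) {
    size_t g = n ? (n + GRANULE - 1) / GRANULE : 1;
    if (next_free + g > NGRANULES) return 0;
    uint8_t left = next_free ? granule_tag[next_free - 1] : 0xFF, tag;
    do { tag = random_tag(); } while (tag == left);
    for (size_t i = 0; i < g; i++) granule_tag[next_free + i] = tag;
    void *p = arena + next_free * GRANULE;
    next_free += g;
    return make_tagged(p, tag);
}

/* Free re-tags the granules, so every stale copy of the old pointer mismatches. */
static void tagged_free(tptr tp, size_t n) {
    int gi = granule_index(strip(tp));
    size_t g = n ? (n + GRANULE - 1) / GRANULE : 1;
    if (gi < 0) return;
    uint8_t old = ptr_tag(tp), tag;
    do { tag = random_tag(); } while (tag == old);
    for (size_t i = 0; i < g && gi + i < NGRANULES; i++) granule_tag[gi + i] = tag;
}

/* The hardware check in synchronous mode: every granule the access touches must
 * carry the pointer's tag, or the access faults before it takes effect.
 * Returns 0 = permitted, 1 = tag check fault. */
static int check_access(tptr tp, size_t len) {
    const uint8_t *p = strip(tp);
    if (len == 0) return 1;
    int first = granule_index(p), last = granule_index(p + len - 1);
    if (first < 0 || last < 0) return 1;
    for (int gi = first; gi <= last; gi++)
        if (granule_tag[gi] != ptr_tag(tp)) return 1;
    return 0;
}
static int tagged_store(tptr tp, const void *src, size_t len) {
    if (check_access(tp, len)) return 1;    /* fault: nothing is written */
    memcpy(strip(tp), src, len);
    return 0;
}

/* Linear overflow: 24 bytes occupy two granules (32 bytes); a 40-byte write reaches
 * the neighbour's differently tagged granule and faults. A 32-byte write would NOT
 * be caught: granule slack is a gap the allocator, not the tag check, must close. */
static int demo_overflow(void) {
    tptr a = tagged_alloc(24);
    tagged_alloc(24);                       /* neighbour object right after a */
    uint8_t buf[40]; memset(buf, 'A', sizeof buf);
    return tagged_store(a, buf, 24) == 0 && tagged_store(a, buf, 40) == 1;
}

/* Use-after-free: the granule was re-tagged on free, so the stale pointer faults. */
static int demo_uaf(void) {
    tptr p = tagged_alloc(16); uint8_t v = 1;
    int before = tagged_store(p, &v, 1);
    tagged_free(p, 16);
    return before == 0 && tagged_store(p, &v, 1) == 1;
}

/* Forgery: an attacker controlling pointer bits has 16 tags to try and exactly one
 * passes. A 1-in-16 guess only stays a barrier if tags never leak and a wrong guess
 * is fatal, which is the job of synchronous mode plus tag confidentiality policies. */
static int forged_tags_that_pass(void) {
    tptr p = tagged_alloc(16);
    int passes = 0;
    for (int t = 0; t < 16; t++)
        passes += check_access(make_tagged(strip(p), (uint8_t)t), 1) == 0;
    return passes;
}

int main(void) {
    printf("overflow caught: %d\nuse-after-free caught: %d\nforged tags passing: %d of 16\n",
           demo_overflow(), demo_uaf(), forged_tags_that_pass());
    return 0;
}
```

Compile with any C11 compiler and run: the two demos return 1 when the fault is caught, and the forgery loop reports one passing tag out of sixteen. The overflow demo also shows the limit of tag granularity: a write that stays inside the padding of the last granule is not detected, which is the gap the secure allocators the post mentions have to close.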



[1] https://security.apple.com/blog/memory-integrity-enforcement/

[2] https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety#memorysafety

[3] https://www.usenix.org/system/files/login/articles/login_summer19_03_serebryany.pdf

[4] https://developer.arm.com/documentation/109697/0100/Feature-descriptions/The-Armv8-9-architecture-extension?lang=en#md454-the-armv89-architecture-extension__FEAT_MTE4

[5] https://developer.apple.com/documentation/xcode/enabling-enhanced-security-for-your-app#Adopt-hardware-memory-tagging



"exploit chains that cost millions of dollars..." (Score:1)

by SeaFox ( 739806 )

The exploit chain does not cost millions of dollars to execute. It's simply the cost to buy the information from the right people. That's like spending four figures for a set of build plans for a coffee table, making the table, and then claiming the coffee table is worth thousands of dollars.

Information can be leaked or "rediscovered" by anyone not trying to run a spyware business and lower that barrier to entry significantly.

Re: "exploit chains that cost millions of dollars. (Score:3)

by unami ( 1042872 )

I guess the weakness in that analogy is that the real coffee table is a different thing than its plan, whereas software is both the plan and the thing it describes.

Re: (Score:2)

by alvinrod ( 889928 )

I think the point is that making exploits near impossible for an individual actor to discover means only well funded organizations or nations will be able to afford being in the business. State actors are a lot less likely to make vulnerabilities widespread like mercenary actors. That doesn't save everyone from exploits, but it does make the average user less likely to be the target.

The real question is how much of a performance tradeoff is this or if there's some other catch.

Re: (Score:2)

by test321 ( 8891681 )

The Malaysian bot farm hacking your phone can result in dumping private pictures, message history, browser history, political opinions or party affiliations, your kids' school address, work documents, all of which can have real-life consequences. You're AC on this site for a reason, I imagine you don't want your opinions to be tracked to an identity, even if only a pseudonym. Imagine everything you have said, written or done with a phone suddenly published with your name and address.

Re: (Score:2)

by registrations_suck ( 1075251 )

I wonder what data are on my phone that the police could and would use against me. I am guessing not very much.

What I would be a lot more concerned about is the police using their access to PLANT data that they could use against me. That's a much more likely problem for me.

I try to mitigate that by not pissing off the police enough for them to bother with effort.

Re:"exploit chains that cost millions of dollars.. (Score:4, Interesting)

by tlhIngan ( 30335 )

Some companies don't sell you the information. They actually make you buy access to the exploit.

Think companies like Cellebrite - their most advanced hacks cost millions per use - you provide them with the details on how to get at the victim (e.g., phone number) and they deploy their attack on that phone and provide a gateway to access it.

They also sell a box you can use to break in via the USB port, and they charge anywhere from $100K to a million dollars to break into one unit - you buy the license to break into one phone.

They're not selling their exploit chain to anyone - they're keeping it a secret and selling you the effects of that for millions of dollars. Once it's sold it's worthless because like a secret once you tell someone else, it's likely to leak out.

Pay no attention to the man behind the curtain. (Score:1)

by irreverentdiscourse ( 1922968 )

If you ignore *those* exploits, we're perfectly secure!

Bet on the hackers (Score:3)

by seichert ( 8292 ) *

How long until they crack this new thing? 6 months? 1 year?

Re: (Score:2)

by Petersko ( 564140 )

Well, I suppose in the abstract that "someday" is probably correct. But the hackers have had 18 years, to very limited success.

History (Score:5, Interesting)

by cstacy ( 534252 )

The Lisp Machine operating system, ca 1977, was memory safe. It was written in Lisp, and all memory accesses were run-time type checked. Incorrect accesses, such as data type mismatch, or array bounds, were not possible on the system. However, this was implemented in hardware: it was a tagged architecture where the CPU did the type checking on every instruction in conjunction with the hardware type bits in the memory cells. (Low level software in the implementation refined the type check/dispatch on hardware traps, outside the most primitive types defined in the hardware.)

People should be wary of "IN HISTORY" claims, as they are usually ignorant, especially when unqualified.

Re: (Score:3)

by david.emery ( 127135 )

Capability machines and tagged architectures have an interesting history. The first I know of is the Burroughs 6600 from the mid to late '60s [1]. Then there's the Intel 432 [2] and the short-lived BiiN system that was a successor to the 432 [3]. But a lot of this dates back (like so much of computing) to Multics and its mandatory access control mechanisms.

[1] https://en.wikipedia.org/wiki/Burroughs_B6x00-7x00_instruction_set

[2] https://en.wikipedia.org/wiki/Intel_iAPX_432

[3] https://en.wikipedia.org/wiki/BiiN

All that without the need for a new programming la (Score:3)

by devslash0 ( 4203435 )

Eat that, Rust.

Re: (Score:2)

by sonofusion82 ( 1038268 )

Perhaps you should try to read the article and learn Rust before commenting? Rust and CPU-level memory exploits target different classes of vulnerabilities. Rust makes it easy to write system-level code safely, especially for temporal and spatial memory safety at the code level. It not only helps with security but also makes your programs much more stable by avoiding the issues in the first place. Those Apple/ARM CPU-level enhancements are more like detecting and stopping the attack when it happens; it doesn't avoid/prevent

They seem to not know Return Oriented Programming (Score:2)

by gweihir ( 88907 )

It is only about 20 years old now...
