Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves
Moritz Steffin, Jiska Classen
TL;DR
This work provides a comprehensive, reverse-engineering–driven analysis of Apple’s modern iOS security stack, focusing on SPTM, TXM, and Exclaves. It shows how SPTM introduces domains and frame retyping to compartmentalize memory management and harden critical subsystems, while TXM enforces code signing and entitlements within its own guarded domain. Exclaves extend this compartmentalization by isolating sensitive services and enabling cross-boundary communication through Tightbeam and xnuproxy, effectively moving security-relevant code away from XNU. The findings suggest a shift toward a microkernel-inspired architecture that improves resilience against kernel-level compromises, though many inner workings remain opaque due to limited public information. The work also highlights real-world implications, such as the potential for indicator manipulation, and suggests directions for further research into performance trade-offs and broader Exclave ecosystem analysis.
Abstract
The XNU kernel is the basis of Apple's operating systems. Although labeled as a hybrid kernel, it is found to generally operate in a monolithic manner by defining a single privileged trust zone in which all system functionality resides. This has security implications, as a kernel compromise has immediate and significant effects on the entire system. Over the past few years, Apple has taken steps towards a more compartmentalized kernel architecture and a more microkernel-like design. To date, there has been no scientific discussion of SPTM and related security mechanisms. Therefore, the understanding of the system and the underlying security mechanisms is minimal. In this paper, we provide a comprehensive analysis of new security mechanisms and their interplay, and create the first conclusive writeup considering all current mitigations. SPTM acts as the sole authority regarding memory retyping. Our analysis reveals that, through SPTM domains based on frame retyping and memory mapping rule sets, SPTM introduces domains of trust into the system, effectively gapping different functionalities from one another. Gapped functionality includes the TXM, responsible for code signing and entitlement verification. We further demonstrate how this introduction lays the groundwork for the most recent security feature of Exclaves, and conduct an in-depth analysis of its communication mechanisms. We discover multifold ways of communication, most notably xnuproxy as a secure world request handler, and the Tightbeam IPC framework. The architecture changes are found to increase system security, with key and sensitive components being moved out of XNU's direct reach. This also provides additional security guarantees in the event of a kernel compromise, which is no longer an immediate threat at the highest trust level.