Hacker Neue

Preferences
strcat parent
The side channel fixes and new MTE instruction features are not specific to Apple. Apple's blog post has some significant misleading claims and omissions. It's marketing material, not a true technical post without massive bias. It's aimed at putting down the existing deployments of MTE, hyping up what they've done and even downplaying the factually widespread exploits of Apple devices which are proven to be happening. If they're not aware of how widespread the exploits of their devices are including by low level law enforcement with widely available tools, that's quite strange.
tptacek
I think you have to read "widespread malware attack" in Apple lit as a term of art; it's a part of the corporate identity dating back to the inception of the iPhone and (I think maybe) ties into some policy stuff that is very salient to them right now. I think SEAR is extremely aware of what real-world exploitation of iPhones looks like. You were never going to get their unfiltered take in a public blog post like this, though.
strcat OP
> I think you have to read "widespread malware attack" in Apple lit as a term of art

There's widespread exploitation of Apple devices around the world by many governments, companies, etc. Apple and Google downplay it. The attacks are often not at all targeted but rather you visit a web page involving a specific political movement such as Catalan independence and get exploited via Safari or Chrome. That's not a highly targeted attack and is a typical example of how those exploits get deployed. The idea that they're solely used against specific individuals targeted by governments is simply not true. Apple and Google know that's the case but lead people to believe otherwise to promote their products as more safe than they are.

> I think SEAR is extremely aware of what real-world exploitation of iPhones looks like.

Doesn't seem that way based on their interactions with Citizen Lab and others.

tptacek
I understood the point you were making previously and was not pushing back on it. I think you're wrong about SEAR's situational awareness, though. Do you know many people there? I'd be surprised if not. Platform security is kind of an incestuous scene.
strcat OP
We have regular contact with many people at Google in that space and nearly no contact with anyone at Apple as a whole. Sometimes people we know go to work at Apple and become nearly radio silent about anything technical.

It's often external parties finding exploits being used in the wild and reporting it to Apple and Google. Citizen Lab, Amnesty International, etc.

We regularly receive info from people working at or previously working at companies developing exploits and especially from people at organization using those exploits. A lot of our perspective on it is based on having documentation on capabilities, technical documents, etc. from this over a long period of time. Sometimes we even get access to outdated exploit code. It's major releases bringing lots of code churn, replaced components and new mitigations which seem to regularly break exploits rather than security patches. A lot of the vulnerabilities keep working for years and then suddenly the component they exploited was rewritten so it doesn't work anymore. There's not as much pressure on them to develop new exploits regularly as people seem to think.

saagarjha
Disclaimer: I have never worked with the team on the Apple side.

My impression is that Apple's threat intelligence effort is similar in quality to Google's. Of course external parties also help but Apple also independently finds chains sometimes.

2 More Comments →
saagarjha
The choices they made are novel to my understanding.
strcat OP
There's a difference between Apple doing good integration of MTE and the work they're doing being truly novel. ARM MTE is not the only memory tagging implementation. Apple getting ARM to add something many people have wanted from elsewhere is useful, but it doesn't make it their idea. The fact is that they're not at all the first to deploy MTE to production and MTE was not the first deployment of hardware memory tagging to production. Their integration is better than what Google offers in Android 16 themselves. Unlike Apple, Google's mobile OS is open source and not limited to what Google does themselves. There are ways their integration is better than what's implemented elsewhere and also ways that it's worse. For one thing, it's deployed for a narrower set of components. What's implemented elsewhere is not static and will improve. MTE has been deployed in production in GrapheneOS for 2 years without significant hardware changes yet, but those are coming.
saagarjha
Apple did not just “get ARM to add something” they got dozens if not hundreds of engineers to think really hard about how to roll out MTE with no performance impact on all their critical attack surface in a way that actually targets specific exploit strategies rather than just going “oh ok our allocator has tags now”. Google (and Android) took a very different approach. Of course it’s very possible Apple messed up and their implementation is not as secure as it was designed to be but they did put significant effort in many areas that I feel are novel.

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal