The XNU kernel is the basis of Apple's operating systems. Although labeled as a hybrid kernel, it is found to generally operate in a monolithic manner by defining a single privileged trust zone in which all system functionality resides. This has security implications, as a kernel compromise has immediate and significant effects on the entire system. Over the past few years, Apple has taken steps towards a more compartmentalized kernel architecture and a more microkernel-like design. To date, there has been no scientific discussion of SPTM and related security mechanisms. Therefore, the understanding of the system and the underlying security mechanisms is minimal. In this paper, we provide a comprehensive analysis of new security mechanisms and their interplay, and create the first conclusive writeup considering all current mitigations. SPTM acts as the sole authority regarding memory retyping. Our analysis reveals that, through SPTM domains based on frame retyping and memory mapping rule sets, SPTM introduces domains of trust into the system, effectively gapping different functionalities from one another. Gapped functionality includes the TXM, responsible for code signing and entitlement verification. We further demonstrate how this introduction lays the groundwork for the most recent security feature of Exclaves, and conduct an in-depth analysis of its communication mechanisms. We discover multifold ways of communication, most notably xnuproxy as a secure world request handler, and the Tightbeam IPC framework. The architecture changes are found to increase system security, with key and sensitive components being moved out of XNU's direct reach. This also provides additional security guarantees in the event of a kernel compromise, which is no longer an immediate threat at the highest trust level.

翻译：XNU内核是苹果操作系统的基础。尽管被归类为混合内核，但研究发现其通常以单体方式运行，即定义单一特权信任区域，所有系统功能均驻留其中。这种架构存在安全隐患，因为内核一旦被攻破，将立即对整个系统产生严重影响。过去数年间，苹果已逐步向更模块化的内核架构和更接近微内核的设计方向演进。迄今为止，学术界尚未对SPTM及相关安全机制进行系统性探讨，导致对系统及其底层安全机制的理解极为有限。本文对这些新型安全机制及其相互作用进行全面分析，并首次整合所有现有防护措施形成结论性论述。SPTM作为内存类型转换的唯一权限机构，我们的分析表明：通过基于帧重类型化和内存映射规则集的SPTM域，该系统引入了信任域机制，有效实现了不同功能模块间的隔离。被隔离的功能包括负责代码签名和权限验证的TXM。我们进一步论证了该机制如何为最新的Exclaves安全特性奠定基础，并深入剖析其通信机制。研究发现存在多种通信方式，其中最显著的是作为安全世界请求处理器的xnuproxy，以及Tightbeam进程间通信框架。这些架构变革提升了系统安全性，关键敏感组件已移出XNU的直接管控范围。即使发生内核级安全事件，也不再构成最高信任级别的直接威胁，从而提供了额外的安全保障。