Apple confirms iOS kernel code left unencrypted intentionally (techcrunch.com)
340 points by shritesh on June 23, 2016 | 155 comments

A move like this fits with a more general ideology Apple has been advocating for the last three years: privacy, security, and altruism. Tim Cook has put his mark on the company. One of the first things he did was apologize (for Maps), something unheard of in Apple's culture. I haven't drunk the Kool-Aid, and Apple has a lot of issues. I do see, however, that they are making attempts at differentiating from the general corporate behavior of the telecoms and Google. Cook is differentiating from Jobs as well.

I don't know enough about their new ethical approach to say whether it's PR, whether it's just a few well-publicized decisions, or whether it's broad-based and substantial. I'm not saying either way; I just don't know. But it could make me a loyal customer much more than cool design and fashionable cache ever would.

A couple days after Tim Cook stepped into the CEO position, he reversed a Jobs policy and announced that the company would begin matching employee donations to charities. I considered this a fairly classy and subtle way to signal that he wasn't going to lie down on the job (it had been requested many times on company mailing lists).

Source: I was on those lists.

As a French person without the culture of corporate donations, I'm wondering why it was seen as negative that Apple didn't match. Shouldn't they redirect donations to people they prefer?

It's just another perk that's customary in large US corporations.

By comparison, it's like the ticket repas and chèques vacances in the French companies—getting subsidies for food and vacations would look quite odd to Americans.

Different cultures, different perks.

> getting subsidies for food and vacations would look quite odd to Americans

Silicon Valley companies frequently subsidize food for their employees.

Because it's a tax writeoff and the more time workers are at the office, the more work is getting done. Or so the managerial thought process goes.

In many European countries it would probably be considered a taxable benefit for the employee, and would increase the employee taxes. Just as a background why some things are different across the pond.

It's a taxable benefit in the US too, I'm not sure where the parent's "tax writeoff" comment is coming from. Google actually got in some trouble recently for not reporting their free food to the IRS.

Presumably he means that it's a cost, therefore paid with pre-tax dollars.

I'm just saying, I don't think food subsidies look "quite odd" to Americans, I think they look fairly normal.

It's very unusual outside of Silicon Valley.

I don't think so - plenty of employers offer free cafeterias, and provide dinner to people working late or weekends.

Certain teams at Apple get free dinners to boost morale when working late. This included a pretty nice catered meal once a week in my department. No doubt, this is common at industry leaders.

That's not so much a perk as it is very cheap overtime pay. It would be a perk if they gave you dinner even when you leave at 5PM.

There was nothing stopping us from eating and going home. It's not as though someone was keeping watch over us and demanding work for food. I always felt respected and appreciated.

Did people who left on time still get bonuses and promotions? Would they have continued to provide food if everyone was out the door at 5PM?

Seems incredibly self-entitled to me. Why should your employer shell out money for whatever their employees decide? I don't understand it at all. What if you want to donate to a controversial charity?

If you feel that strongly about a charity, double your own donation.

You seem to have this notion that employees are asking for handouts. They aren't. They're saying, "Hey, I would like a $5k raise. I know you're planning on giving it to me anyway, but I wanted to point out that if you do it in the form of charitable matching, the company will only have to reduce its income by $4700 to give me that $5k raise, since the matching is tax-deductible."

The company essentially gets to offer me more money at no cost to them if they structure their compensation this way. You could be very transparent with this and simply allow employees to direct the company to put money into charity (with the tax going to the charity instead of the government) but it's probably easier for the accountants to simply do matching with a cap, which is why you see companies do it this way.

It's not everything. Usually there is a list of acceptable national charities for things like heart disease, diabetes, MS, education, poverty alleviation, etc. Chances are you'd recognize every one on the list. Sometimes employees vote on that list, sometimes it's mostly set by HR.

"Usually"? My experience with companies large and small has been that if it's a 501(3)c, they're on the "list". For instance, unless you live in western WA, I guarantee the "chances" you'd "recognize" the animal shelter to which we divert our employer match is zero. Now if your chosen charity is "Whitey Uber Alles", meh, maybe it might be an issue. Don't know from experience, who's going to say "no" to an animal shelter?

It boils down to a tax write-off that allows the company to look charitable. But there's a lot of benefit along the way, so who cares about the motivation?

I see, thanks for the insight.

Couldn't you say the same thing about any perk? "Oh, you want more vacation time? Seems incredibly self-entitled to me." "Oh, you want free coffee? Seems incredibly self-entitled to me."

It shows management sharing decision-making with employees.

They just didn't donate to anybody, which looks bad when the founder of your biggest competitor is also the world's biggest-spending philanthropist.

Was there a list of what were acceptable charities for the match?

There are a number of companies set up specifically to help with matching grants. See Benevity, Double the Donation, etc.

https://www.benevity.com https://doublethedonation.com

EDIT: They generally keep lists of charities that most companies find acceptable to donate to.

The first one has certificate problems and the second doesn't provide a customer list (probably a good thing). I was specifically asking if Apple had a list of charities that it found acceptable for matching donations.

When they took on the FBI I decided that it was more than just vacuous PR.

A PR person would bristle at the idea of denying to unlock the phone of a terrorist. It took real cojones for Apple to stand up for privacy at such a time.

I supported Apple's stand against the FBI, but believing it's purely altruistic would be simplistic and optimistic thinking at best. When safety and security are your perceived selling point, it's the best PR you can have. I'm not entirely sure about the validity of this nytimes article [1], but if we believe it, Tim Cook had asked FBI to submit their request 'in private' - but FBI did it openly, so Tim Cook 'had to' become the privacy crusader.

[1] : http://www.nytimes.com/2016/02/19/technology/how-tim-cook-be...

>I supported Apple's stand against the FBI, but believing it's purely altruistic would be simplistic and optimistic thinking at best. When safety and security are your perceived selling point

Only safety and security weren't Apple's "perceived selling points".

They were mostly touted for user friendliness, it just works, being the first to bring some technologies to market in a well-thought way (e.g. as opposed to crude crap for early adopters), style, high-end ("luxury") items, etc.

Safety and security are absolutely a selling point, although not one they lean hard on in their own marketing materials. But it comes up in any comparison between iOS and Android, and not without reason.

(Incidentally, why the past tense?)

>Safety and security are absolutely a selling point, although not one they lean hard on in their own marketing materials. But it comes up in any comparison between iOS and Android, and not without reason.

I think security with regard to malware (of which Android has like 90+% of all mobile malware according to surveys) was a selling point, but not safety/security in the privacy/encryption/etc way that the FBI incident was about.

That wasn't, as you say, much on Apple's marketing materials, nor was it much of a factor for the majority of buyers.

>Incidentally, why the past tense?

Because safety and security have become something of a selling point for Apple as of late (I'd say post the FBI incident), but it's not long ago they weren't.

So the past tense was meant to convey that those other things were Apple's selling points "back then", but leave the door open for security being a selling point for them now.

Tim Cook has been taking swipes at Google and Facebook for privacy issues for at least a year, prior to the FBI issue: http://fortune.com/2015/06/03/tim-cook-attacks-facebook-goog....

Most of the other things you're talking about can now be seen with flagship products of other major companies.

User friendliness, style, high-end luxury - all major companies' flagships - check.

It just works - Apple - uncheck. :) (It's largely a myth)

They were actually touting privacy as a differentiator from Android devices.

It's perfectly compatible to comply with the law and still be known for security and privacy, and there's no reason Tim Cook "had to" oppose law enforcement. The only people who don't believe this are the HN crowd. This is a fraction of the people who believe Apple was in the wrong for opposing the FBI.

Yes, it's "perfectly compatible", but that also means it's "perfectly normal". And normal is no good when it comes to advertising - that's no PR. How about a company which can fight even with the government for your privacy? Now that will make the users drool.

In general I object to the line of thinking that good things are only good if done for purely altruistic motive. I'm not sure if that's exactly your line of thinking, but your comment seemed to me like it was in that direction.

One of the reasons capitalism works is that it converts customer wishes into tangible economic benefits for a company. If Tim Cook had PR as 50% of his reason for taking on the FBI, wouldn't that still be great?

It was good that he took on the FBI. And if he was responding to his customers' wishes, isn't that good too? So why would combining those be somehow bad?

Sure, Apple is undoubtedly aware of how privacy is a marketing advantage. But since we like privacy, let's not find convoluted ways to dislike Apple for trying to please us.

Not sure whether it has a name, but I believe long-term thinking + egoism are indistinguishable from altruism; maybe they are even the same.

That's a sort of faith that doing nice things will eventually pay for itself. Isn't that a bit naive?

Enlightened self-interest.

>A PR person would bristle at the idea of denying to unlock the phone of a terrorist

Not if they were any good at their job. Very publicly standing up against what many would see as heavy handed government and being seen to defend the rights of the little guy (who happen to be their customers and potential customers) got them an enormous amount of very positive press not just in the US but in many countries. It would have cost them a small fortune to pay for that kind of advertising.

I am not saying that it wasn't a good thing for them to do but I really doubt it was some sort of selfless act that happened over protests from PR.

It's not easy to decide either way. I recently advised a women's rights organization in a similar matter: they were poised to publish a scathing (and somewhat stupid) indictment of islam with regards to women's rights. It's obviously a minefield, with popular opinion divided almost equally.

You have to judge the intensity of emotions it will cause in people, the propensity of people to act on those emotions and the base desirability of the different groups.

In this case, they rightly passed on the 'opportunity' because it seemed as if the people who would agree were unlikely to donate to women's rights in the first place (and vice-versa).

(And because their employees threatened to collectively quit)

> 'with popular opinion divided almost equally.'

that's interesting. This is a factual statement, or is it opinion?

I just tried to look up statistics and the results mostly depend on the wording. "Afraid of islamic radicalization": 53:47, "Islam part of Germany":37:60, "Muslims can be German": 70:30 etc.

>Not if they were any good at their job.

That's close to the "No true Scotsman" fallacy though.

Truth is, most PR persons in real life would not have gone this far against FBI in such a situation. Even if the "standing up" gave them some positive press, there would still be millions of conservative types giving them hell for not helping catch the bad guys.

In fact, even for progressives it's not a given that they'd have applauded. Imagine if the FBI next asks Apple to help them with the phone of a rape/murder suspect, or the guy at Orlando.

Good PR is sort of like a Turing Test of being a decent human being; it cannot be differentiated from being a reasonable person.

Wow, how gullible you are. It's obvious Apple and the FBI are actually best buddies and this was just a PR move to sell more iPhones. Wake up, sheeple. /s

Seriously, the cynicism in this thread is deplorable even for HN standards.

Language aside, the cynicism might not be entirely invalid too. It might be naive to believe any one side of the two (i.e., entirely PR, or entirely for 'the greater public good')

Eh, you know, right, that TC was more than eager to comply if the FBI had issued the request privately?

The whole thing was a PR show from both sides.

Your source for this allegation?

All trace back to this:

"Apple had asked the F.B.I. to issue its application for the tool under seal. But the government made it public, prompting Mr. Cook to go into bunker mode to draft a response, according to people privy to the discussions, who spoke on condition of anonymity."

We don't know if he would have agreed.

>A PR person would bristle at the idea of denying to unlock the phone of a terrorist.

Why exactly? If Apple wants to make privacy and security its unique selling point, it has to deny an FBI request to unlock one of their phones. Anything else would be a PR debacle.

Does it really matter if it is PR or not? It doesn't change the result, regardless if it is a good result for you personally or anyone else. I understand that people are looking for reasons to like or dislike a brand because, I believe, most of us see a brand choice as a reflection of (a part) of our personalities – that includes company politics. But in the end we have to assume that Apple does what's best for Apple and that includes advocating for civil rights _as in_ defending one of their main selling points. However, Apple is not your buddy, it might pretend to be here and there, but after all corporations are not people.

Does it really matter if it's just PR? They're still doing it at the end of the day. Their reasoning doesn't really impact the user.

fashionable cache

Not a fan of Memcache? Personally I find it has a certain cachet about it. /jk

Then why does Apple avoid paying taxes?

Let's not kid ourselves: Apple is a company, and companies are only "altruistic" if they expect that it will help their bottom line.

Billings Learned Hand once said:

> Any one may so arrange his affairs that his taxes shall be as low as possible; he is not bound to choose that pattern which will best pay the Treasury; there is not even a patriotic duty to increase one's taxes.

If we want companies to pay more taxes (which I think we do want) we should change the laws. You can't blame anybody for only paying the legally required amount of taxes.

I do agree that the only worthwhile effort is to change the laws. It's fundamentally wrong to have a system which favors those who can afford and have the resources to do such cynical tax planning. Just really f'd up regardless of any political position. But hey, as long as all that corporate money is put into the political system, nothing will change.

>You can't blame anybody for only paying the legally required amount of taxes.

Of course I can (and I do). Apple and various other companies go to great lengths to pay the least amount of taxes they can get away with.

Why would anyone - individual or corporation - pay more taxes than they are legally obligated to pay?

Don't get me wrong: I believe that corporations should be obligated to pay much more in taxes than most currently do, but I'm going to assume that you don't knowingly pay more in taxes than you owe. If I'm wrong about that, then I'm interested in hearing your reasoning as to why you feel like the government is entitled to money that they have explicitly stated you aren't required to pay if you meet certain conditions.

> Why would anyone - individual or corporation - pay more taxes than they are legally obligated to pay?

Because they can't afford the accountants and lawyers required to pull off the funneling of funds through various bodies and countries to get said reduction in tax burden?

This is dogmatism. The FBI situation clearly demonstrates that Apple does not only act in the interest of the bottom line.

It would have cost Apple time and money to do what the FBI requested. This wasn't simply 'send us a file'; they asked them to make a custom version of the software.

And if they did it, the FBI would have made more future requests for Apple to spend time and money.

And if the custom software somehow got out into the wild, that would threaten Apple's bottom line as well.

The FBI situation was just another example of Apple taking care of themselves.

>The FBI situation clearly demonstrates that Apple does not only act in the interest of the bottom line.

I don't think it does as I've explained in https://news.ycombinator.com/item?id=11959074

I agree with you. They're not altruistic at all and the FBI thing was likely a PR campaign. They already have a number of behaviors that hurt users, app developers, and people in the supply chain. Far as security, the hardware engineers know there were attacks all the way through the stack that can be mitigated with certain tech that would probably cost them a few million or tens of million one-time development. They used a weak, 3rd-party approach instead. They never brought up these weaknesses, which all commercial smartphones have, during the debate. They still don't.

So, let's recap. Tim Cook, already hit due to a privacy issue, might have a personal stake in improving privacy in tech. They knew their products weren't secure. I knew third parties that could've cracked it, as they cracked ICs designed for security with obfuscation and tamper-resistance. As I predicted, the FBI ended up finding a group that cracked it for a low six digits. That means the attack was easy, with much of that probably profit.

That Apple knowingly leaves their devices insecure despite having money and incentive to knock out low-hanging fruit means all this talk is mostly branding. They're just differentiating themselves with the appearance of greater security/privacy. Like they did when they said Macs were immune to malware back in the day. Except this time, they actually deliver a good chunk of what they claim at least. I'll give them that. :)

This completely ignores the potential financial downsides of multiple vectors of consequences in the FBI case. For example:

- non-technical (i.e. most) people interpreting the situation as "Apple protects terrorists"

- provoking the creation of legislation that would impose backdoor requirements on their software

- potentially extreme financial consequences if the court were to take a hard-line pro-FBI stance (https://www.theguardian.com/world/2014/sep/11/yahoo-nsa-laws...)

Again, the refusal to admit that it is possible for a company to behave altruistically in the face of clear evidence is simply dogmatism.

I'm not rejecting that the act itself might have been altruistic. It may have been. I've merely suggested it might not be, that there's no proof it is except incidentally, and certainly doesn't support them being altruistic as a company. The evidence I offer is all the selfish or abusive practices they do at various levels for maximizing their bottom line. That's for them not being altruistic. Far as acts appearing altruistic, image management and public relations are huge, money-making fields. The reason is that big companies often do something altruistic (or seemingly so) to get people to buy their stuff. Apple has a history of doing that, including with fake security ("Macs can't get viruses!"), to get people to buy their stuff. Given that history & insecurity of their phones, it's right to question whether them championing secure, private phones is a move to create or continue demand for their products given main competition is backed by a surveillance-oriented company. Clear differentiator available that might make them billions.

So, your claim is that a company with many selfish, damaging behaviors fought a legal battle over a case whose consequences might cost or make their shareholders billions depending on outcome and press. That... is consistent with rational, corporate self-interest. Their position also had social value to many & maybe the CEO even paused to do the greater good. That's dogma or speculation at this point given they usually don't focus on public benefit plus are still misleading people about their security & privacy for profit that continues to be hoarded also with few or no investments benefiting the public.

Apple's not altruistic: they're a company that schemed and sued their way into billions in profits. Taking a privacy stance might make them billions more. Or maybe they're just a good citizen on one topic on a few occasions. I'm leaning toward the former but still glad their self-interest and the public's aligned, with them following through on it. All I'm saying on this topic.

Let's not forget that in the US your shareholders can sue you, if they think you are not acting in their best interest.

Let's also remember that this is basically a myth, judges give wide latitude to management, and every company ever has (often consciously) acted against their self-interest.

Because there's no reason to do that.

They need and are investing in other countries besides USA. Their mapping sucks completely in Europe.

Apple does not do anything. Apple is not a person. People do things. In this case, Tim Cook deciding "hey, let's start paying a lot more taxes" will probably not be received very well by the shareholders.

> Then why does Apple avoid paying taxes?

Because they're a publicly traded company who act in the best financial interests of their shareholders. They're not breaking any laws. They're playing the game by following the rules as best they can while maximizing their profits. Any for-profit company that does not do so is suicidal.

If you think what they do is wrong - campaign to fix the laws they are following.

So they are not altruistic. That was all I was saying with my rhetorical question.

Your unstated assumption is deeply troubling.

Being profit-seeking and altruistic to their users are not mutually exclusive.

How does not encrypting the kernel translate into a narrative worthy of such admiration? I feel like Apple has spent a lot of money and research into how to do brand marketing so that you would write this comment. I don't see how technically this move means any such thing, and instead people are primed to fall into such a belief because they want that feel-good story about Apple being their privacy hero in scary times when big brother is prying more than ever. It's just an unencrypted kernel, which was decrypted in memory anyways. It isn't even source code.

Yes, exactly. Remember how everyone jumped on those "Apple recycles all the metal" stories, which proved to be almost entirely false? People just love feeling good about Apple, even when those good feelings are based on falsehoods.

Cook apologizing for Maps was a subtle way of sticking it to Scott Forstall even further.

Tim Cook is an excellent CEO, but Forstall was Steve Jobs 2.0. The company isn't the same without him.

"Privacy, security, and altruism"

Hmm, the cynic in me thinks that they will play up those aspects of their offerings that hurt their competitors. They sell hardware after all. Google sells "people".

Is there any modern kernel in widespread use that runs while encrypted in RAM?

What kind of attacks would encrypting a running kernel prevent? The kernel and hardware work together to enforce memory safety, so it can't be to prevent a rogue process from reading kernel memory...

Edit: Is this talking about encrypting the kernel image in permanent storage, or encrypting a running kernel in RAM? When booting Linux, for example, the boot loader loads the Linux kernel image into memory as a gzip-compressed blob. The kernel's first instructions are a small decompressor program that unpacks the rest of the kernel image into memory and then jumps into the uncompressed kernel. Did previous iOS versions do something similar to their saved kernel image?

Permanent storage. The kernelcache is LZSS-compressed and encrypted with AES. I forget the details of signature verification at the moment, but that is done using RSA. The iBoot bootloader handles all of the decompression, decryption, and signature verification.
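A sketch of the load order that reply describes (check the signature, then decrypt, then decompress), as an added Python example that is not from this thread and not Apple's iBoot code. The container layout, the keyed-SHA-256 keystream standing in for AES, the HMAC-SHA256 tag standing in for the RSA signature, and zlib standing in for LZSS are all constructed assumptions; the point is that nothing variable-length is decrypted or handed to a decompressor until the signature over the still-encrypted body has passed.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed stand-ins (assumptions, not Apple's formats or keys): a keyed SHA-256
# keystream replaces AES, an HMAC-SHA256 tag replaces the RSA signature, and zlib
# replaces LZSS. What is being shown is the order of operations, not the primitives.
SIGNING_KEY = b"constructed-signing-key"
IMAGE_KEY = b"constructed-image-key"
MAGIC = b"KCH1"
HEADER_LEN = 12   # MAGIC + uncompressed length + body length (two big-endian u32)
TAG_LEN = 32


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a per-block keystream derived from key and block index."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + struct.pack(">Q", block)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def pack_kernelcache(kernel: bytes) -> bytes:
    """Build an image the way a signing step would: compress, encrypt, then sign."""
    body = keystream_xor(IMAGE_KEY, zlib.compress(kernel))
    header = MAGIC + struct.pack(">II", len(kernel), len(body))
    tag = hmac.new(SIGNING_KEY, header + body, hashlib.sha256).digest()
    return header + body + tag


class ImageRejected(Exception):
    """Raised when the loader refuses an image before making any use of it."""


def boot_load(image: bytes) -> bytes:
    """Return the plaintext kernel or raise ImageRejected. Order: verify, decrypt, unpack."""
    # 1. Parse only the fixed-size header; nothing variable-length is trusted yet.
    if len(image) < HEADER_LEN + TAG_LEN or image[:4] != MAGIC:
        raise ImageRejected("bad header")
    expected_len, body_len = struct.unpack(">II", image[4:HEADER_LEN])
    if len(image) != HEADER_LEN + body_len + TAG_LEN:
        raise ImageRejected("length mismatch")
    header = image[:HEADER_LEN]
    body = image[HEADER_LEN:HEADER_LEN + body_len]
    tag = image[HEADER_LEN + body_len:]
    # 2. Signature over header plus still-encrypted body, compared in constant time.
    expected_tag = hmac.new(SIGNING_KEY, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        raise ImageRejected("signature check failed")
    # 3. Only now decrypt, and 4. decompress with a hard bound on the output size.
    decomp = zlib.decompressobj()
    kernel = decomp.decompress(keystream_xor(IMAGE_KEY, body), expected_len + 1)
    if len(kernel) != expected_len or not decomp.eof:
        raise ImageRejected("decompressed size does not match header")
    return kernel


def is_rejected(image: bytes) -> bool:
    """True if boot_load refuses the image (used to show tampering is caught)."""
    try:
        boot_load(image)
        return False
    except ImageRejected:
        return True


def flip_bit(image: bytes, index: int) -> bytes:
    """Constructed tamper helper: flip the low bit of one byte."""
    b = bytearray(image)
    b[index] ^= 0x01
    return bytes(b)
```

Flipping a byte anywhere in the header, body or tag, or truncating the image, makes `boot_load` raise before the decompressor ever sees attacker-controlled bytes; that is the property a boot chain's ordering is meant to give.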

> encrypting a running kernel in RAM

How is that supposed to work? Ok, the CPU can fetch an encrypted instruction, decrypt it and execute it, but when it needs to jump, how is it supposed to know where to jump? Also encrypting each instruction separately and independently would be trivial to reverse.

Is there any system that really runs encrypted code from RAM? Any papers describing such a system?

A company that Facebook acquired a couple of years ago (PrivateCore) realized that the L1 cache had grown large enough that you could run a hypervisor out of it. You use a TPM secure boot chain to ensure you are booting the code you need into the hardware you expect, load up the hypervisor and its keys, and then this hypervisor is used to encrypt _everything_. Now you have encrypted RAM, so physical possession of a running device gets you nothing at all.

L1 had grown large enough? What do you mean? L1 was 32KB in the Pentium II days, and for the last ten years of Intel chips it's been an unchanging 64KB. Why would it have to fit into L1 specifically, rather than L2/L3? (If you do use L2/L3, that's also been big enough to spare the space for a hypervisor since the Pentium II, which had 512KB.)

Looks like they do use L3, alongside a number of other Intel x86 features (not surprisingly, things like AES-NI).

Sorry couldn't copy/paste relevant section; formatting went horrible.

Typo on my part, it was L3.

What does it do with the encrypted RAM? The only possibility I see is to take a sufficiently large block, decrypt it into the cache and run it there. But then again, if you need to jump out of the block, how does the CPU know which block to decrypt next?

Page faults... the hypervisor encrypts/decrypts on demand, much the same as virtual memory works (just that the plaintext data is only ever in the internal cache).

My point is that it is impossible to know where the next code chunk is if it is properly encrypted. How does the page fault handler know which block to decrypt next without first decrypting the whole code module, where module is a closed piece of code without jumps outside.

In my opinion every scheme to enable that will cripple the encryption.

The code is decrypted into internal SRAM and executed normally. Then an entirely normal page fault happens, at which point the hypervisor catches the trap, decrypts the data again into internal SRAM, maps it appropriately, and then allows the access to continue.
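A toy simulation of the scheme this reply describes, as an added Python example that is not from the thread and not PrivateCore's design: a three-page program runs from "RAM" that holds only ciphertext, a hypervisor decrypts a page into a bounded "cache" on each page fault and re-encrypts it on eviction. The page size, cache size, two-byte instruction set, FIFO eviction and the SHA-256-keystream stand-in for AES are all constructed assumptions. It shows why the objection upstream does not hold: the fault handler never has to know in advance where the next code chunk is, because the address of the faulting access is plaintext and selects which ciphertext page to decrypt; only page contents are encrypted.

```python
import hashlib
import struct

# Constructed parameters (assumptions for the simulation, not a real product's values).
PAGE = 16          # bytes per page
CACHE_SLOTS = 2    # how many decrypted pages the "on-chip" cache holds at once
OP_ADD, OP_JMP, OP_HALT = 0, 1, 2   # two-byte instructions: opcode, operand


def page_xor(key: bytes, page_no: int, data: bytes) -> bytes:
    """Stand-in for AES: XOR a page with a keystream bound to its page number."""
    ks = hashlib.sha256(key + struct.pack(">Q", page_no)).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, ks))


def build_program() -> list:
    """Three constructed pages; control flow jumps across pages so faults occur."""
    def page(*instrs):
        body = b"".join(bytes(i) for i in instrs)
        return body + bytes([OP_HALT, 0]) * ((PAGE - len(body)) // 2)
    return [
        page((OP_ADD, 5), (OP_JMP, 32)),    # page 0: acc += 5, jump to page 2
        page((OP_ADD, 10), (OP_HALT, 0)),   # page 1: acc += 10, halt
        page((OP_ADD, 7), (OP_JMP, 16)),    # page 2: acc += 7, jump to page 1
    ]


class EncryptedRamHypervisor:
    """Plaintext exists only in self.cache; self.ram holds ciphertext (what DMA would see)."""

    def __init__(self, key: bytes, pages: list):
        self.key = key
        self.ram = {n: page_xor(key, n, p) for n, p in enumerate(pages)}
        self.cache = {}      # page_no -> plaintext page
        self.resident = []   # FIFO eviction order
        self.faults = 0

    def page_fault(self, page_no: int) -> None:
        self.faults += 1
        if len(self.cache) >= CACHE_SLOTS:
            victim = self.resident.pop(0)
            # Write-back: re-encrypt before the plaintext leaves the cache.
            self.ram[victim] = page_xor(self.key, victim, self.cache.pop(victim))
        # The page number is never secret; it selects which ciphertext to decrypt.
        self.cache[page_no] = page_xor(self.key, page_no, self.ram[page_no])
        self.resident.append(page_no)

    def fetch(self, addr: int) -> tuple:
        """Fetch one instruction; a miss in the plaintext cache raises a fault."""
        page_no, off = divmod(addr, PAGE)
        if page_no not in self.cache:
            self.page_fault(page_no)
        op, arg = self.cache[page_no][off:off + 2]
        return op, arg


def run(hv: EncryptedRamHypervisor, start: int = 0, max_steps: int = 100) -> int:
    """Execute until HALT; returns the accumulator."""
    acc, pc = 0, start
    for _ in range(max_steps):
        assert len(hv.cache) <= CACHE_SLOTS   # invariant: bounded plaintext footprint
        op, arg = hv.fetch(pc)
        if op == OP_ADD:
            acc, pc = acc + arg, pc + 2
        elif op == OP_JMP:
            pc = arg                         # jump target is plaintext inside the instruction
        elif op == OP_HALT:
            return acc
        else:
            raise ValueError(f"bad opcode {op}")
    raise RuntimeError("program did not halt")


def simulate(key: bytes = b"constructed-ram-key") -> tuple:
    """Returns (result, page faults taken, whether any RAM page is in plaintext)."""
    pages = build_program()
    hv = EncryptedRamHypervisor(key, pages)
    result = run(hv)
    leaked = any(hv.ram[n] == pages[n] for n in range(len(pages)))
    return result, hv.faults, leaked
```

With two cache slots the run takes three faults (pages 0, 2, then 1, evicting page 0 with write-back), computes 5 + 7 + 10 = 22, and at no point does RAM hold a plaintext page; making the cache one slot larger drops nothing but the eviction, which is exactly the trade the comments above describe.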

Will SGX help this feature?

I suppose this is the only way to definitively stop any three-letter agencies from asking you to backdoor your kernel.

Also, all you need is one insider kernel developer to get all the source code anyways. I always find these kinds of initiatives silly -- A lot of companies think that an insider is a side-channel attack when really it's the main vector.

Yah, I've had this discussion numerous times. Especially with regard to hiring people from a competitor. Often you wonder how much information is traveling via unintentional side channels (not just employees that are also on the payroll of a 3 letter agency).

OTOH, there does seem to be a fair amount of competence where it matters though. In the couple companies I worked for, the private keys used for signing things were very quietly kept hidden from the vast majority of the engineering teams/etc. AKA, it was possible to create development/test builds all day long, but creating valid license keys/firmware updates/etc for the builds given to customers was limited to a formal process which contained the keys. The private keys were only available to a couple people tasked with maintaining the automation from which the builds/keys/etc came. Those people rarely had a need to move/etc them either, and such activities were done in the open.

> Also, all you need is one insider kernel developer to get all the source code anyways.

You mean this source code? http://opensource.apple.com/source/xnu/

That is, unfortunately, by no means "all the source code" of the kernel-level code that is running on your Mac, iPhone, iPad, iPod, Apple TV, or Apple Watch.

Also, given enough money available, why ask people to build vulnerabilities in? Does anyone seriously think Apple's (or anyone's) kernel team doesn't have a single guy/girl that made at least one mistake?

Of course there are bugs, but they are hugely expensive to find.

And Apple, as well as Microsoft, Intel, and other companies have already voluntarily agreed to give the NSA and other agencies "early notice" of a vulnerability which can be exploited by the time it's fixed anyway. CISA also pretty much mandated it into law as well.

Or perhaps the three-letter-agencies demanded they do such a backdoor (i.e. a deliberate but obscure security hole), so they are open-sourcing it so hackers can find it.

Nitpick: they are not open-sourcing it; they are just leaving the compiled binary unencrypted.

The OS X and iOS kernels are descendants of the NeXTSTEP kernel, which is open source.

I know that. But who knows how much secret sauce they have in the iOS build?

Also, even on OS X, it takes a while after new versions of the OS are released for new kernel source bundles to drop. So sometimes poking around with IDA is your only recourse.

A non-trivial amount of the iOS platform has been rev-eng'd (incidentally, largely with IDA and those kernel sources to create binaries with intact symbols plus binary comparison heuristics[1]). XNU is largely based on FreeBSD, so I'd be surprised if that wasn't an additional vehicle people were using. (In a similar vein, fail0verflow used the syscall table information from FreeBSD with WebKit and ROP gadgets to fully compromise the PS3.)

RE: this specific exploit, here's the POC making it around the security sphere (thanks @heisecode!) https://github.com/heisecode/Bug_POCs

[1] https://static.googleusercontent.com/media/www.zynamics.com/...

XNU == MACH + BSD Personality.

And there are non-trivial bits of OS X which are open sourced http://opensource.apple.com/release/os-x-10112/

Right, but how much code does the last open-source xnu have in common with the latest?

Apple continues to open source their version of XNU, although there has been an increasing lag between the release of each OS version and the corresponding sources. The latest available sources are from 10.11.2, three minor versions behind.

Apple has also shifted to pushing a lot of sensitive/proprietary code into kernel extensions (the new Apple File System being one example), for which they don't release source code (generally speaking).

Filesystems, by and large, are supposed to be pushed into the kernel (via extension, or direct compilation). I'd hardly say that they've "shifted" into pushing code into their kernel, but that much of what differentiates Apple's XNU kernel vs FreeBSD's kernel or Linux is what they choose to exclude.

I believe the grandparent post is referring to the fact that HFS+ is available in the open source release of xnu [1] while the question of whether Apple will open source APFS kext, especially given their recent trend of moving functionality from xnu into closed source kexts.

I think it would be smart for them to open source it, if not simply for the interoperability use cases.

[1]: http://opensource.apple.com//source/xnu/xnu-2050.18.24/bsd/h...

Yep. So far, they've committed to publishing "the APFS volume format" [1]. It'll be interesting if they fold it back (into the kernel proper) as part of making APFS bootable.

[1] https://developer.apple.com/library/prerelease/content/docum...

Sorry, I wasn't totally clear. I was talking about shifting functionality _from_the_kernel_ into kernel extensions, not functionality from user space.

I get down voted for sharing some knowledge. What is the point of even posting?

Early downvotes often get corrected and are probably worth ignoring. They might even be accidental votes from phone users, so don't sweat it.

It's definitely not -- or shouldn't be, at least -- fake Internet points.

That's an interesting point of view that I hadn't considered before. Apple (or any company) doesn't have infinite eyeballs and can't possibly inspect every nuance to their systems. So, you release it to the world and have them surface any issues. If there are no trade secrets and everyone is honest and reliable, then it is a great way to increase your security footprint. :)

"The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security," an Apple spokesperson told TechCrunch.

"Apple confirms iOS kernel code left unencrypted intentionally"

Which is it, cache (of what?) or code?

Cache of code. OS X and iOS maintain a cache containing the kernel and prelinked kernel extensions as a performance optimization -- this allows the system to avoid scanning the actual directory containing kernel extensions at boot.

See: http://osxbook.com/book/bonus/misc/optimizations/#TWO and https://developer.apple.com/library/mac/documentation/Darwin...

The spokesperson is talking out of their ass regarding performance. The kernel is decrypted by iBoot once at boot, using the hardware AES engine. It remains decrypted until the device is shut down/rebooted. Decompressing and decrypting the kernel takes less than a second at boot.

Also, TechCrunch fails to note that the kernelcache keys for most 32-bit kernels (and all iOS versions) are publicly available. Private individuals have dumped the keys for 64-bit kernels but they are not available publicly. Even without the keys, any jailbreak allows for dumping of the kernel. However, a kernel dump is missing very helpful MachO headers (handy for kloading) and, for 64-bit kernels, the EL3 TrustZone Watchtower module aka Kernel Patch Protection.
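Added example, not code from this thread or from Apple: a small Python check that tells whether a kernelcache payload starts with a readable Mach-O header (the headers the poster above says a decrypted kernelcache hands you) or looks like opaque ciphertext, using the mach_header layout from Apple's loader.h. It assumes any IMG4 container or compression wrapper has already been stripped, and the two sample blobs are constructed here, not real Apple files.

```python
import hashlib
import math
import struct

# Magic values and constants from <mach-o/loader.h> / <mach/machine.h>
MH_MAGIC, MH_MAGIC_64 = 0xfeedface, 0xfeedfacf      # native-endian
MH_CIGAM, MH_CIGAM_64 = 0xcefaedfe, 0xcffaedfe      # byte-swapped
MH_EXECUTE = 0x2
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000           # CPU_ARCH_ABI64

def parse_mach_header(blob):
    """Return the mach_header(_64) fields at the start of blob, or None if absent."""
    if len(blob) < 28:
        return None
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        return None
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    fmt = endian + ("8I" if is64 else "7I")   # mach_header_64 adds a 'reserved' word
    if len(blob) < struct.calcsize(fmt):
        return None
    f = struct.unpack(fmt, blob[:struct.calcsize(fmt)])
    return {"bits": 64 if is64 else 32, "cputype": f[1], "cpusubtype": f[2],
            "filetype": f[3], "ncmds": f[4], "sizeofcmds": f[5], "flags": f[6]}

def shannon_entropy(data):
    """Bits of entropy per byte; ciphertext and compressed data sit near 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(blob):
    """Label a kernelcache payload by whether its Mach-O header is readable."""
    if parse_mach_header(blob) is not None:
        return "plain"
    return "opaque" if shannon_entropy(blob) > 7.5 else "unknown"

# Constructed samples (not real Apple files): a minimal arm64 MH_EXECUTE header
# padded with zeros, and a high-entropy blob standing in for an encrypted cache.
SAMPLE_PLAIN = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                           2, 0x100, 0x1, 0) + b"\0" * 4064
SAMPLE_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
```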

Down further in the thread, BillinghamJ is seeing their iPhone 6S Plus boot in 5 seconds with iOS 10, as opposed to the 25 seconds for my iPhone 6S.

How certain are you that it's only 1 second of processing that's been removed - that's a HUGE increase in speed, that I haven't seen written up anywhere else.

Anybody else with iOS 10 on their phone able to confirm the new 5 second boot time?

I'm very nearly certain because I benchmarked decrypting the iOS 10 beta kernel using the code at [0]. The kernelcache is about 13 MB compressed and takes about 60 milliseconds to decrypt. Previous iOS versions encrypted the compressed kernelcache so benchmarking decryption of the compressed kernelcache should be correct. Unless Apple was doing something very stupid, kernelcache decryption should never have been much of a bottleneck in the first place. It is nice to see that they have found other ways to improve the boot time.

[0]: https://gist.github.com/jevinskie/40df60e3e9d76ad05304be9bd5...

> The spokesperson is talking out of their ass regarding performance.

I'm fairly certain that this statement was vetted by Craig Federighi himself or, at minimum, a high-level engineering manager.

Both statements could be true - I wouldn't be too surprised to see Apple stretch the truth; yes, it's true, performance on a 25 second boot (my iphone 6s) from cold was improved to 24 seconds. Doesn't really move the needle, but still true, to some degree. A second here, and a second there - starts to add up though, particularly on boot up, for those of us who end up doing that multiple times a day.

Also, in general, any time you can remove code from a system, that isn't contributing in any meaningful way, is just a good thing to do - both from reducing attack surfaces, as well as general reduction in code size, and the advantages that come along with that.

iOS 10 running on my iPhone 6S Plus is currently booting in about 5 seconds. Not sure how though...

Also that's when I hold down the home and lock buttons, in order to force-reboot. Perhaps now that doesn't fully reboot the phone.

I was curious so I benchmarked "decrypting" kernelcache.release.n66 on an iPhone 6S and it took about 60 milliseconds to decrypt. It wasn't encrypted in the first place so the decryption results in garbage, but it should be a valid benchmark. The quick boot time with iOS 10 sure is nice, but it isn't because the kernel isn't encrypted.


Have you tried powering down (hold down the lock button) and then powering up?

Or the guy in the marketing department that "knows about the techy stuff".

Thanks for the confirmation.

Could this be an invitation for researchers to find a backdoor the NSA required Apple to put in there? Or are they just utilizing the crowd to help secure against NSA attacks?

That would make sense. They have been on the offensive for protecting their customers.

Trouble is auditing TrueCrypt cost $25k and it took massive rumors of a backdoor to raise that. I'm not sold that auditing this will happen anytime soon.

Slightly off topic, but does anyone have any resources that go into a higher level of detail (I'm not very knowledgeable of low-level programming type stuff) of how an audit like the one done on TrueCrypt or a hypothetical security audit on the iOS kernel works? How can anyone know with that degree of certainty that software is secure and someone else won't find some exploitable bit?

Is there any way to use this information to confirm that the current kernel on a phone is legit?

Or could this be an invitation to make it possible for the XXX to hack the kernel? Seems it could go either way.

The kernel and the root FS are now unencrypted - but not other things, such as the bootloaders (iBoot, LLB) and the firmware for the SEP (Secure Enclave Processor, used to handle things like Touch ID).

“The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,”

This is probably the only true part of the article; it means that they disabled a kernel feature of cache encryption to speed up performance.

It has nothing to do with source code nor binaries of the kernel.

Does the same count for the watchOS kernel? I mean, the performance enhancements they claim to have realized have to come from somewhere.

> the performance enhancements they claim to have realized have to come from somewhere

Even in the first beta, the performance enhancements are real. Numerous Apple folks, including Craig Federighi, have said that with WatchOS1 and 2 they 'overshot' how conservative they needed to be with RAM and CPU (out of respect for battery life), and with WatchOS 3 they have rebalanced that.

Time will tell how much of a hit battery life will take from this, but for a beta things look good so far.

This, and they also realized they had leftover RAM.

By disabling encryption, as said?

Hopefully they didn't tie their integrity/authenticity enforcement to their encryption...

Although I'm guessing the whole segment is loaded into ram and verified by the bootloader at boot then never touched again.

In other news: Google admits source code used in Android kernel can be accessed by hackers

I do not think they are talking about source code, rather about some compiled code cache. I am not completely certain that the author of the article knows what they are talking about (but I am quite confused myself and I will appreciate an explanation).

Also, I thought a lot of the Darwin MacOS kernel had already publicly available source code.

Some of the kernel is released months/years later as open source. You are correct about the releases being macOS only, iOS xnu has never been open sourced but it is, for the most part, identical. Apple has also been moving code out of the open source kernel releases and into private, closed source kexts. Kernel extensions like Sandbox have never been released.

I forgot to mention launchd. It was open source then was closed and split into launchd/libxpc. It has always been a critical security component of macOS/iOS. Many CVEs have been written about it even after it was closed via binary reversing and fuzzing. Having the source again would be nice.

> This would have been an incredibly glaring oversight, like forgetting to put doors on an elevator

You mean a paternoster? :)

For the not familiar/lazy: https://en.wikipedia.org/wiki/Paternoster

> The kernel manages security and limits the ways applications on an iPhone or iPad can access the hardware of the device, making it a crucial part of the operating system.

The kernel technically is the OS, TC! Come on... :)

This is stupid. Anyone interested in writing jailbreaks for iOS would have already had access to these binaries. People are blowing this way out of proportion.

Not true. The 64-bit kernel was previously not possible to examine.

Additionally: we now know what Watchtower looks like, something that was previously a mystery and even incorrectly thought to be something that ran on the SEP instead of the AP.

If Stefan says it will you believe me?


You just used a kernel privesc that you probably already had to read it. NOT A BIG DEAL.

That gets you a kernel dump; a decrypted kernelcache gives you very handy MachO headers. And as Will said, the well-known kernel dumping methods do not dump Watchtower. I'm not sure if anyone has privately been able to dump Watchtower with a kernel privesc or if it has only been possible with the kernelcache keys.

Must be a revolutionary new feature called "jailbreak bait"...
