Redazione RHC: 15 September 2025 07:26
Apple officially introduced Memory Integrity Enforcement, a new memory protection system that the company calls the most significant advancement ever made in consumer operating system security. It took five years to develop and combine the hardware capabilities of Apple Silicon with the software capabilities of iOS and macOS.
According to engineers, iPhone 17 and iPhone Air users now have the industry’s first always-on memory protection, which works without any significant impact on performance. The company emphasizes that, so far, no mass-market malware has managed to penetrate iOS defenses. The only recorded systemic attacks come from the arsenal of commercial spyware used by government agencies and costing millions of dollars.
The common element of all these hacking chains is memory management vulnerabilities. These remain the primary target of attackers, and Memory Integrity Enforcement is designed to block this attack vector.
The new mechanism is based on several layers. The first step was to implement secure memory allocators: kalloc_type for the kernel, xzone malloc at the userland level, and libpas in WebKit. These allocators use type information to organize memory blocks so that attackers cannot make objects of different types overlap. This makes attacks like buffer overflow and use-after-free impossible.
However, allocators alone are not enough: they work with large 16 KB blocks and do not always protect against attacks within a single type. To close this gap, Apple, together with Arm, has reworked the Memory Tagging Extension specification and implemented an improved version: Enhanced MTE. Now, each allocation is marked with a secret tag, and an access succeeds only if the tag carried by the pointer matches the tag on the memory. Any attempt to access beyond the allocated buffer or to use an already freed area is blocked at the processor level, and the system terminates the process.
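To make the two layers above concrete, here is an added educational model of both ideas: one allocation zone per type (as the type-aware allocators do) and MTE-style tag checks at 16-byte granularity, with a fresh tag applied on free so that stale pointers stop matching. This is constructed simulation code written for this article, not Apple's kalloc_type, xzone malloc or EMTE implementation; every name in it (`zone_t`, `tptr_t`, `checked_access`, and so on) is hypothetical, and the tag is kept beside the address instead of in the pointer's top byte as real MTE does.

```c
/* Constructed model of type-segregated, tag-checked allocation.
 * Not Apple's or Arm's code; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE    16   /* MTE tags memory in 16-byte granules */
#define TAG_MASK   0xF  /* 4-bit tags: 16 possible values */
#define ZONE_SLOTS 8

typedef struct {
    const char *type_name;
    size_t      slot_size;            /* object size rounded up to a granule */
    uint8_t     slot_tag[ZONE_SLOTS]; /* tag currently stored on each slot */
    uint8_t     in_use[ZONE_SLOTS];
    uint8_t    *mem;                  /* backing storage owned by this zone */
} zone_t;

/* Model of a tagged pointer (real MTE keeps the tag in the top byte). */
typedef struct { uint8_t *addr; uint8_t tag; zone_t *zone; } tptr_t;

enum { ACCESS_OK = 0, ACCESS_TAG_MISMATCH = 1, ACCESS_OUT_OF_ZONE = 2 };

static int zone_init(zone_t *z, const char *name, size_t object_size) {
    z->type_name = name;
    z->slot_size = (object_size + GRANULE - 1) / GRANULE * GRANULE;
    z->mem = calloc(ZONE_SLOTS, z->slot_size);
    if (!z->mem) return -1;
    memset(z->in_use, 0, sizeof z->in_use);
    for (int i = 0; i < ZONE_SLOTS; i++)          /* distinct initial tags */
        z->slot_tag[i] = (uint8_t)(i & TAG_MASK);
    return 0;
}

/* Which slot of zone z contains address p, or -1 if p is outside the zone. */
static int zone_slot_of(const zone_t *z, const uint8_t *p) {
    if (p < z->mem || p >= z->mem + ZONE_SLOTS * z->slot_size) return -1;
    return (int)((size_t)(p - z->mem) / z->slot_size);
}

/* Pick a tag that differs from the slot's old tag and from both neighbours,
 * so neither a stale pointer nor a one-slot overflow can match by accident. */
static uint8_t fresh_tag(const zone_t *z, int i) {
    uint8_t old   = z->slot_tag[i];
    uint8_t left  = i > 0 ? z->slot_tag[i - 1] : old;
    uint8_t right = i + 1 < ZONE_SLOTS ? z->slot_tag[i + 1] : old;
    uint8_t t = old;
    do { t = (uint8_t)((t + 1) & TAG_MASK); } while (t == old || t == left || t == right);
    return t;
}

/* Hand out one object of this zone's type. Because each zone owns its own
 * backing memory, a slot can never be reused for an object of another type. */
static tptr_t zone_alloc(zone_t *z) {
    tptr_t p = { NULL, 0, z };
    for (int i = 0; i < ZONE_SLOTS; i++) {
        if (!z->in_use[i]) {
            z->in_use[i] = 1;
            p.addr = z->mem + (size_t)i * z->slot_size;
            p.tag  = z->slot_tag[i];
            return p;
        }
    }
    return p;  /* addr == NULL: zone exhausted */
}

/* Free an object and retag its slot, invalidating every pointer that still
 * carries the old tag. */
static void zone_free(tptr_t p) {
    int i = zone_slot_of(p.zone, p.addr);
    if (i < 0 || !p.zone->in_use[i]) return;
    p.zone->in_use[i] = 0;
    p.zone->slot_tag[i] = fresh_tag(p.zone, i);
}

/* Every load or store is checked here. In hardware the comparison happens on
 * the access itself; in synchronous mode a mismatch faults immediately. */
static int checked_access(tptr_t p, size_t offset) {
    int i = zone_slot_of(p.zone, p.addr + offset);
    if (i < 0) return ACCESS_OUT_OF_ZONE;
    return p.zone->slot_tag[i] == p.tag ? ACCESS_OK : ACCESS_TAG_MISMATCH;
}

int main(void) {
    zone_t msgs;
    if (zone_init(&msgs, "message", 40) != 0) return 1;
    tptr_t a = zone_alloc(&msgs);
    printf("in-bounds access:  %d\n", checked_access(a, 0));
    printf("one slot past end: %d\n", checked_access(a, msgs.slot_size));
    zone_free(a);
    printf("use after free:    %d\n", checked_access(a, 0));
    free(msgs.mem);
    return 0;
}
```

The three printed results are 0, 1 and 1: the in-bounds access passes, the access one slot past the end hits a neighbour with a different tag, and the stale pointer fails after free because the slot was retagged. Allocating a second type from its own zone shows the other half of the design: its memory never aliases a slot that once held a message object.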
To strengthen protection, Apple has introduced the Tag Confidentiality Enforcement mechanism. It prevents tag values from leaking through side channels and also protects against attacks that use speculative execution. Specifically, engineers have eliminated three scenarios in which service data could be extracted via differences in instruction processing times or vulnerabilities such as Spectre V1. The iPhone 17 features a unique optimization: the kernel limits pointer offsets using a special 0x2BAD pattern, virtually eliminating the possibility of reliable attacks with arbitrary memory overruns.
An important step was making MIE synchronous and always on. Unlike classic MTE, where developers can enable deferred (asynchronous) error handling, Apple has essentially abandoned this model, as it leaves a window for attacks between the faulty access and its detection. Hardware support is provided by the new A19 and A19 Pro chips, which allocate additional resources for storing tags and performing checks.
Particular attention has been paid to third-party applications. Protection extends not only to system processes and the kernel, but also to the programs through which specific users are most frequently attacked: instant messaging, social networks, and email clients. Developers can already test EMTE in Xcode as part of the Enhanced Security package.
Apple’s Red Team spent five years trying to circumvent MIE by simulating old and new exploit chains. The conclusion was clear: the old techniques no longer work. Most vulnerabilities become unusable, and the remaining ones rarely allow the creation of a fully functional exploit. Even if attackers find a usable bug, the rest of the chain collapses, and they must start over.
Apple says that Memory Integrity Enforcement dramatically increases the cost and complexity of creating commercial spyware. Internal audits have shown that many techniques used over the past 25 years are no longer applicable. The company calls this technology the most significant advance in memory protection in the history of consumer operating systems.