Apple held their annual iPhone event this week and the headline announcement for security pros is a new security feature designed to protect against advanced spyware attacks: Memory Integrity Enforcement (MIE).
Ivan Krstić, Apple’s Head of Security Engineering and Architecture, described MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.”
Memory Integrity Enforcement is an always-on memory-safety protection feature which covers key attack surfaces, including the kernel and over 70 userland processes, built on the Enhanced Memory Tagging Extension (EMTE).
MIE is designed to protect against “mercenary spyware,” typically associated with state-backed actors targeting specific individuals.
Memory attacks typically work by corrupting how a program stores or accesses data in memory to hijack execution or steal information. MIE stops these attacks by tagging every memory block with a secret and instantly aborting execution if an access uses the wrong tag.
Apple also introduced a novel mitigation for Spectre variant 1 attacks, which prevents attackers from using speculative execution to leak memory tags.
Apple says this “vastly reduces exploitation strategies,” making it extremely difficult for attackers to rebuild exploit chains using new bugs.
“Though memory corruption bugs are usually interchangeable, MIE cut off so many exploit steps at a fundamental level that it was not possible to restore the chains by swapping in new bugs. Even with substantial effort, we could not rebuild any of these chains to work around MIE. The few memory corruption effects that remained are unreliable and don’t give attackers sufficient momentum to successfully exploit these bugs” – Apple Security Engineering and Architecture
The MIE principle is not new – Arm first published the Memory Tagging Extension (MTE) specification in 2019 and, working with Apple, released an improved Enhanced Memory Tagging Extension (EMTE) specification in 2022.
Both Microsoft and Google have already implemented some form of memory integrity security into their operating systems, designed to block spyware. Google’s Advanced Protection uses optional memory tagging on supported devices, while Microsoft uses control-flow and memory safety mitigations.
The A19 chips have also been specifically designed for memory security, the team says and have minimal impact on device performance: “Our secure allocators set a new high-water mark of software protection against memory corruption, while preserving the same or better performance as the allocators they replaced.”
MIE controls also extend to third-party apps that are commonly used as entry points for attackers, including social networks and messaging apps. “We’re making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that we released earlier this year,” Apple said.
Why This Matters
While widespread malware campaigns targeting iPhone devices are rare, there have been many high-profile cases of spyware targeting Apple users.
Just last week, Expert Insights reported on a WhatsApp exploit used alongside an Apple vulnerability to execute a targeted attack. This was likely to have been conducted by a state-sponsored spyware actor.
“The only system-level iOS attacks we observe in the wild come from mercenary spyware,” Apple’s security engineering team said. “Mercenary spyware is historically associated with state actors and uses exploit chains that cost millions of dollars to target a very small number of specific individuals and their devices.”
Apple’s team say they have spent the past five years working on this new approach to combat these advanced spyware capabilities. They argue it makes exploit chains more expensive to maintain and easier to disrupt.
“Prolonged engagement from our offensive research team allowed us to identify and eradicate entire attack strategies and techniques before attackers could ever discover them, leading to a stronger, more mature feature from the outset.”
“Starting immediately with the launch of MIE, any developer can begin testing this powerful protection for their app, including EMTE on hardware that supports it, using the Enhanced Security settings in Xcode,” Apple’s team said.
Reception has been largely positive, though some question whether these features are truly new compared to the current offerings from other vendors.
Nonetheless, these new features should go a long way to increasing security on iPhone devices. No doubt security researchers will dig into the real-world performance when the new devices release next month.
Read more
