In the News: Apple Silicon Macs

New Architecture

Currently, macOS devices have the following setup, based on several discrete hardware components:

Security Features

It also means the porting of several hardware-backed security measures from iOS to macOS devices, including:

Memory Protections

A standard defensive technique is to mark memory as either Read-Writable (R/W) or eXecutable (X), so that a page is writable or executable but never both. Many modern Just-in-Time (JIT) compilers break this model, as they require memory to be both R/W and X.
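The R/W-or-X rule above can be followed by a code generator that fills a page while it is writable and only then flips it to executable. The sketch below is an added example, not code from the article or from Apple: it uses generic POSIX `mmap`/`mprotect` rather than any Apple-specific JIT API, and `SAMPLE_CODE`, `write_faults` and `wx_jit_demo` are hypothetical names. The bytes are only copied, never executed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for JIT output; it is copied but never run. */
static const unsigned char SAMPLE_CODE[] = {0x00, 0x01, 0x02, 0x03};

/* Fork a child that writes one byte to p. Returns 1 if the child died or
 * failed (the write faulted), 0 if the write succeeded, -1 on error. */
static int write_faults(volatile unsigned char *p) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        *p = 0xff;                 /* faults when the page is not writable */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return !(WIFEXITED(status) && WEXITSTATUS(status) == 0);
}

/* Returns 0 when the page was writable before the flip, rejected writes
 * after it, and kept its contents; negative values mark the failing step. */
int wx_jit_demo(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    /* Phase 1: R/W only, so the "compiler" can emit into the page. */
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, SAMPLE_CODE, sizeof SAMPLE_CODE);
    int rw_ok = (write_faults(buf) == 0);
    /* Phase 2: drop write and add execute in one call; never W and X. */
    if (mprotect(buf, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, len);
        return -2;
    }
    int rx_blocks_write = (write_faults(buf) == 1);
    int intact = (memcmp(buf, SAMPLE_CODE, sizeof SAMPLE_CODE) == 0);
    munmap(buf, len);
    return (rw_ok && rx_blocks_write && intact) ? 0 : -3;
}
```
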

Kernel Integrity Protection

Kernel Integrity Protection (KIP) means changes to how Kernel Extensions (KExts) are loaded and unloaded: any change to KExts will mean a reboot. This isn’t as much of an issue for KExt developers as it might have been, as last year’s DriverKit enables user-level drivers. Moving drivers to run at user level instead of system level improves security and reliability, as drivers can be monitored by the kernel and other high-level security functions and, if exploited, don’t grant access to the kernel.

Pointer Authentication Codes

Device Memory Isolation

All system devices will have their own Input/Output Memory Management Unit (IOMMU), which isolates them from each other. Devices can’t talk to each other because they can’t see outside their own memory range, which means, in theory, no more attacks from devices on other devices or the kernel.

Reality Check

Whilst it’s great to see Apple planning on improving Mac security, and we should always cheer steps forward in security, of course it doesn’t mean Macs will suddenly be perfectly secure. Everyone makes mistakes, and Apple didn’t have a great track record with iOS 13, which had the most updates of any iOS version.

Rosetta

Rosetta provides backwards-compatibility for Intel x86/64 apps. It “translates executable code” to run on the new architecture. Interestingly, all code is signed to a machine which duplicates the iOS app deployment model. It includes “hardened run-time protections”:

Startup Options

The old set of key-combination start-up options is to be replaced by a simple user interface, for example with Recovery:

Security

macOS can securely boot from external disk:

Recovery

The new recovery mechanism allows you to erase and reinstall macOS and macOS Recovery using the System Recovery partition.

SEP

iOS devices use a Secure Enclave Processor (SEP), which is a part of the custom processors, to underpin crucial security features. macOS devices have a separate T2 chip, but the coverage hasn’t mentioned whether this will stay as a discrete component or be a part of the new processor.

Bootcamp

As covered here, what happens with Windows support? Spoiler: it won’t work.
