Comment by foltik

23 days ago

Afaik this isn’t quite correct either. From what I could gather from the CCC talk and forum posts:

The Apple specific instructions to talk to the SPTM are only usable in the GL2 privilege level, not EL2 where you end up after booting non-Apple code.

The problem is the macOS kernel uses these custom instructions to manage its own page table mappings, and when being virtualized in EL2 it just crashes since these instructions are now invalid.

The solution is indeed to emulate the SPTM interface and instructions just enough for macOS to not crash, that way it can be virtualized for reverse engineering. The emulated SPTM could just pass through the mappings, ignoring all of the security checks the real one would normally do.

I was able to find quite a bit of existing SPTM analysis online (I believe from iOS security research) so this issue isn’t insurmountable by any means.

2 comments

foltik

Reply
saagarjha  23 days ago

Knowing how it works does not mean it can be emulated perfectly.

  • foltik  23 days ago

    From our knowing how it works [0] it’s just a mechanism for the kernel to give up some privileges and add extra security checks when modifying page tables. Sounds easy to emulate to me: just don’t do the checks and modify the page tables directly. Do you have some reason to believe it can’t be emulated?

    If for some reason it’s difficult, the relevant kernel code could also be hooked or patched.

    [0] https://arxiv.org/abs/2510.09272