On Sept. 9, Apple announced a cohesive and impressive approach to preventing memory safety exploits through a range of new hardware features, operating system support, compiler support, and run-time support. The hardware and software improvements built into new iPhones drastically reduce the likelihood of an attacker successfully compromising a phone using common methods.
Memory safety vulnerabilities allow attackers to access or deallocate memory in unintended ways, which can enable attackers to execute arbitrary code or to gain unauthorized access to sensitive information. And memory safety vulnerabilities are both ubiquitous and dangerous. They represent a very high fraction of zero-day (previously unknown) vulnerabilities, and are used to compromise operating systems and apps, and gain unauthorized access to data. Attackers have used them to deploy ransomware, disrupt or deny service, and harvest data, thus turning phones into adversarial surveillance tools. For example, the sophisticated commercial spyware Pegasus used three memory safety vulnerabilities known as the Trident exploit chain.
Consumer Reports sounded the alarm on the pervasive dangers of memory unsafety with a convening in October 2022 and a report in January 2023, as well as follow-up guidance for talking to managers about memory safety (in partnership with the Internet Society, a nonprofit organization that advocates for a safe and open internet). In it we called on organizations to not only improve detection of memory safety bugs but also ramp up efforts to prevent them in the first place. Our focus was on getting organizations to adopt and build software in memory-safe languages, such as Swift, which was introduced by Apple in 2014, and Rust, which originated at Mozilla nearly 20 years ago and has been used in the Android operating system since 2021.
Apple’s latest memory integrity enforcement (MIE) news unveiled something a little bit different. Apple’s move is based on hardware changes made to its own A19 chip generation. To improve the overall security of smartphones, both hardware and software changes are needed.
Importantly, Apple chose to use synchronous enforcement with MIE, meaning that the operating system immediately reacts as soon as it detects memory safety vulnerabilities by forcing the misbehaving process to terminate. Abruptly ending the process drastically reduces the opportunity for attackers to exploit such a vulnerability, even if that opportunity is measured in milliseconds. Basically, the phone slams the door shut before the attacker can get in.
Improving the Entire iOS Ecosystem
Even more importantly, Apple’s work will benefit every iOS user, even if they’re not using a new device with MIE. Apple can use MIE-related telemetry to understand broader attack patterns if a user opts in to Apple’s crash reporting system. This will provide important information to Apple developers, which will enable them to identify patterns, such as sudden increases in frequency or in specific geolocations.
Then, Apple can fix memory safety problems it finds as a result of the new hardware, and apply those bug fixes to all its software, even if it runs on hardware without MIE. Such fixes reduce the opportunity for attackers to exploit vulnerabilities even on older devices.
If app developers are also diligent about turning on the MIE feature, fixing bugs, and pushing out new versions, entire classes of memory safety bugs could be eliminated. People actively targeted with zero days (previously unknown vulnerabilities) benefit from MIE hardware when those zero days depend on memory safety bugs, since the likelihood that such attacks succeed is drastically reduced.
Additional Improvements
In addition to the new hardware, Apple announced software improvements in the operating system and its allocator (the software component that manages memory by handing out and reclaiming portions of it for different users or programs), along with compiler support and run-time support. Apple also described a process called gigacaging, which mitigates memory corruption exploits by having the allocator place different allocation types in separate memory regions.
How Android Stacks Up
Google also has implemented memory-safety hardware improvements. It began by shipping hardware capable of the Memory Tagging Extension (MTE) over two years ago. MTE offers a subset of Apple’s MIE hardware features.
Despite this early start, Apple’s announced technology, implementation, and deployment appear to go beyond Google’s efforts and to far better protect consumers against memory safety exploits on Apple phones. A Google spokesperson said users of Google’s Advanced Protection Program get MTE, but did not respond to questions about whether the entire Android operating system, including Play Services, is protected with MTE, or only the apps (and which apps that would include). Therefore, it’s unclear whether Google’s memory safety features provide the same level of protective coverage as Apple’s.
As mentioned above, Apple phones with MIE will crash when an attacker attempts a memory-safety-related exploit. We don’t know if Google provides that same level of protection.
A Google spokesperson said that Android uses “assym” enforcement, a combination of asynchronous and synchronous enforcement that maximizes security against memory writes while preserving performance during memory reads. Google did not respond to questions about whether its process provides synchronous enforcement and crashes the process to deliver protection, as Apple’s does.
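The difference between synchronous and asynchronous enforcement described in this section and in the earlier paragraph on Apple's choice of synchronous enforcement is easier to see in a small model. The following C program is an added illustration written for this article; it is not Apple's, Arm's, or Google's code and does not reproduce any real hardware. It models tagged memory with a toy bump allocator: every 16-byte granule carries a tag, each allocation gets a fresh tag stored in the top byte of the pointer it returns, and every load or store compares the pointer's tag with the granule's tag. In synchronous mode a mismatch stops the access and terminates the (simulated) process at once; in asynchronous mode the access completes and the fault is only reported at a later checkpoint. The tag values, granule size, and function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of tagged memory (assumed parameters, not any real hardware). */
#define HEAP_BYTES 256
#define GRANULE    16                      /* bytes covered by one tag */
#define NGRANULES  (HEAP_BYTES / GRANULE)
#define TAG_SHIFT  56                      /* tag lives in the pointer's top byte */
#define ADDR_MASK  ((1ULL << TAG_SHIFT) - 1)

typedef enum { ENFORCE_SYNC, ENFORCE_ASYNC } enforce_mode;

static uint8_t heap[HEAP_BYTES];
static uint8_t granule_tag[NGRANULES];     /* tag stored alongside each granule */
static size_t  bump = 0;                   /* bump allocator: next free offset */
static uint8_t next_tag = 1;               /* tag 0 reserved for "never allocated" */

static enforce_mode mode = ENFORCE_SYNC;
static bool process_terminated = false;    /* sync: a mismatch ends the process immediately */
static int  deferred_faults = 0;           /* async: mismatches queued until a checkpoint */

/* Real hardware picks tags randomly; cycling 1..15 is enough for the model. */
static uint8_t fresh_tag(void) {
    uint8_t t = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    return t;
}

void tm_reset(enforce_mode m) {
    memset(heap, 0, sizeof heap);
    memset(granule_tag, 0, sizeof granule_tag);
    bump = 0; next_tag = 1;
    mode = m; process_terminated = false; deferred_faults = 0;
}

/* Allocate size bytes rounded up to whole granules; returns a tagged pointer, 0 when out of memory. */
uint64_t tm_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0 || bump + n * GRANULE > HEAP_BYTES) return 0;
    uint8_t t = fresh_tag();
    size_t off = bump;
    for (size_t g = 0; g < n; g++) granule_tag[off / GRANULE + g] = t;
    bump += n * GRANULE;
    return ((uint64_t)t << TAG_SHIFT) | off;
}

/* Free retags the granules, so a dangling pointer no longer matches (use-after-free detection). */
void tm_free(uint64_t p, size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    size_t off = (size_t)(p & ADDR_MASK);
    uint8_t t = fresh_tag();
    for (size_t g = 0; g < n; g++) granule_tag[off / GRANULE + g] = t;
}

/* Tag check shared by loads and stores; returns true if the access may proceed. */
static bool tm_check(uint64_t p, size_t index) {
    if (process_terminated) return false;
    size_t off = (size_t)(p & ADDR_MASK) + index;
    if (off >= HEAP_BYTES) { process_terminated = true; return false; } /* outside the heap */
    uint8_t ptr_tag = (uint8_t)(p >> TAG_SHIFT);
    if (granule_tag[off / GRANULE] == ptr_tag) return true;
    if (mode == ENFORCE_SYNC) {
        process_terminated = true;         /* the faulting access is never performed */
        return false;
    }
    deferred_faults++;                     /* access completes; fault is reported later */
    return true;
}

bool tm_store(uint64_t p, size_t index, uint8_t value) {
    if (!tm_check(p, index)) return false;
    heap[(size_t)(p & ADDR_MASK) + index] = value;
    return true;
}

bool tm_load(uint64_t p, size_t index, uint8_t *out) {
    if (!tm_check(p, index)) return false;
    *out = heap[(size_t)(p & ADDR_MASK) + index];
    return true;
}

/* Async checkpoint (think: the next kernel entry): reports queued faults and terminates. */
int tm_checkpoint(void) {
    int n = deferred_faults;
    if (n > 0) { deferred_faults = 0; process_terminated = true; }
    return n;
}

bool tm_process_terminated(void) { return process_terminated; }

/* Scenario 1: a 16-byte buffer, one in-bounds store, then a store one granule past the end. */
bool overflow_store_performed(enforce_mode m) {
    tm_reset(m);
    uint64_t a = tm_alloc(16);
    uint64_t b = tm_alloc(16);             /* neighbour with a different tag */
    (void)b;
    tm_store(a, 0, 0x41);
    return tm_store(a, 16, 0x42);          /* lands in b's granule: tag mismatch */
}

/* Scenario 2: read through a pointer after its buffer was freed. */
bool uaf_load_performed(enforce_mode m) {
    tm_reset(m);
    uint64_t a = tm_alloc(16);
    tm_store(a, 0, 0x41);
    tm_free(a, 16);
    uint8_t v = 0;
    return tm_load(a, 0, &v);
}

int main(void) {
    printf("sync  overflow performed: %d\n", overflow_store_performed(ENFORCE_SYNC));
    printf("async overflow performed: %d, faults at checkpoint: %d\n",
           overflow_store_performed(ENFORCE_ASYNC), tm_checkpoint());
    return 0;
}
```

The two scenarios show why the article stresses synchronous enforcement: in sync mode the overflowing store and the use-after-free load are refused outright, while in async mode both accesses go through and the process only learns of them at the next checkpoint, which is the window an attacker would try to use.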
Recommendations for Manufacturers
Going forward, we’d like to see Google achieve parity with Apple’s memory safety approach, and increase transparency on what is covered by MTE and how its MTE enforcement works.
We’d also like to see Apple add MIE to its N-series WiFi and Bluetooth chips and C-series cellular modem chips. (Apple did not respond to questions about whether this is in the works.) Historically, exploit developers who encounter properly implemented security mechanisms look for other areas to target. In this instance, they’d likely turn to vulnerabilities in other hardware components elsewhere in the device. Adding MIE to its new baseband chips, for example, would make it even more difficult for attackers to compromise its phones via cellular networks.