Apple has been working to harden the XNU kernel that powers its various operating systems, including iOS and macOS
In a new report we learn that Apple has been working to harden the XNU kernel that powers its various operating systems, including iOS and macOS, with a feature called "exclaves." The term appears to have first surfaced in a libc file in Apple's open source software collection in 2023, and subsequently within iOS 17, released in September of that year, as later noted by Howard Oakley on his Eclectic Light Co blog.
Exclaves, Oakley observed last June, are believed to implement "domains isolated from the kernel that protect key functions in macOS even when the kernel becomes compromised. This in turn suggests that Apple is in the process of refactoring the kernel into a central microkernel with protected exclaves."
Current Apple chips have a Secure Enclave, a dedicated secure subsystem integrated into the device's system-on-chip (SoC). It is kept separate from the application processor's kernel as a defense against compromise, and is used for operations that need strong security, such as handling encryption keys.
An enclave is defined as an area within a territorial boundary. So an exclave is an area outside of a boundary with ties to the main territory.
The XNU kernel, as Apple's documentation explains, is "a hybrid kernel combining the Mach kernel developed at Carnegie Mellon University with components from FreeBSD and a C++ API for writing drivers called IOKit."
It is hybrid in the sense that it combines the Mach microkernel with the BSD monolithic kernel.
Each architectural approach has different disadvantages. Microkernel designs face the challenge of dealing with the overhead of inter-process communication (IPC) between user-space servers and the kernel. Monolithic designs operate in a shared address space, so security compromises are potentially more damaging – once defenses have been bypassed, there's no further barrier to sensitive data.
According to a security researcher who has explored Apple's kernel fiddling under the name Random Augustine, Apple's development of exclaves represents a major shift in its security architecture. Essentially, Apple is trying to realize the security advantages of a microkernel without tossing the monolithic aspects of XNU.
Based on the references to exclaves in the XNU source for Apple's Arm-compatible M4 chips and the A18 processors used in iPhone 16, our source argues that exclaves form the basis of a significant redesign of XNU's security model.
"In iOS 18, exclaves refer to specific resources that are separated from the main iOS kernel (XNU) and cannot be accessed by it, even if the kernel is compromised," the researcher explained in a document shared with The Register.
"These resources are predefined when the OS is built, are identified by name or id, have different types, are initialized at boot time, and are organized into unique domains."
These resources include:
- Shared memory buffers that can be accessed by both the kernel and the exclave, with the option to make them read-only or read-write to XNU.
- Audio buffers and sensors that are used for securing features like the camera and microphone access indicators.
- Conclaves that group multiple resources into their own secure domains.
- Services that offer executable code within the exclave space when called upon by threads in XNU.
For more on this, read the full report by The Register.