Apple Launches New Security Research Hub

Published: 23/11/2024   Category: security




Apple engineers share technical details about the team's work on memory safety features on the new Apple Security Research site.



Apple's work on hardening the memory allocator has made it harder for attackers to exploit certain classes of software vulnerabilities on iOS and Mac devices, the company's security engineers wrote on a new website Apple launched to share the technical details behind iOS and macOS security technologies.
The new initiative, Apple Security Research, also offers tools to help security researchers report issues to Apple, get real-time status updates for submitted reports, and communicate securely with the Apple engineers investigating the issue, and it provides information about the Apple Security Bounty program. The intent behind the new security hub is to share with the research community how Apple engineers approach security challenges, and also to invite researcher contributions and feedback.
Memory safety is a key area of focus, especially since memory safety violations are the most widely exploited class of software vulnerabilities. On Apple platforms, improving memory safety includes finding and fixing vulnerabilities, developing with safe languages, and deploying mitigations at scale, the engineers wrote in a technical post on XNU memory safety.
XNU is the kernel at the core of iPhones, iPads, and Macs.
Much of the code running on the iPhone, iPad, and Mac was written in memory-unsafe programming languages, which means the languages don't prevent memory safety violations and developers can inadvertently and unknowingly violate memory safety rules while writing code, the researchers wrote. Attackers can exploit those issues to crash software, execute unauthorized commands, and harvest sensitive information.
"It is infeasible to rewrite large amounts of existing code using memory-safe languages, so improving memory safety is an important objective for engineering teams across the industry," the engineers wrote.
Apple laid the groundwork for the hardened memory allocator kalloc_type back in iOS 14 when it introduced kheaps, the data split, and virtual memory sequestering. Apple added randomized bucketed type isolation to the zone allocator when it introduced kalloc_type in iOS 15. With the release of iOS 16 and macOS Ventura, the hardened allocator is now available on all systems using the XNU kernel.
"Our fundamental strategy is to design an allocator that makes exploiting most memory corruption vulnerabilities inherently unreliable," the researchers wrote. "This limits the impact of many memory safety bugs even before we learn about them, which improves security for all users."
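The following toy allocator is an added illustration of the type-isolation idea described above; it is constructed for this article and is not Apple's kalloc_type code nor anything from XNU. It models a zone as a slab of fixed-size slots with a LIFO free list (the hypothetical `zone_t`, `zone_alloc` and `zone_free` are assumptions made here), and compares a single zone shared by every object of a given size with one zone per type. The two object types `type_a_t` and `type_b_t` are invented stand-ins for unrelated kernel objects that happen to share a size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy zone allocator (constructed for illustration, not XNU code).
 * A zone hands out fixed-size slots from one slab and keeps a LIFO free
 * list, so the most recently freed slot is the next one returned.
 */
#define ZONE_SLOTS 8

typedef struct {
    size_t obj_size;
    unsigned char *slab;
    int free_slots[ZONE_SLOTS];   /* stack of free slot indices */
    int free_top;                 /* number of entries on the stack */
} zone_t;

static void zone_init(zone_t *z, size_t obj_size) {
    z->obj_size = obj_size;
    z->slab = calloc(ZONE_SLOTS, obj_size);
    z->free_top = 0;
    /* Push slots in reverse so slot 0 is handed out first. */
    for (int i = ZONE_SLOTS - 1; i >= 0; i--)
        z->free_slots[z->free_top++] = i;
}

static void *zone_alloc(zone_t *z) {
    if (z->free_top == 0) return NULL;
    int slot = z->free_slots[--z->free_top];
    return z->slab + (size_t)slot * z->obj_size;
}

static void zone_free(zone_t *z, void *p) {
    int slot = (int)(((unsigned char *)p - z->slab) / z->obj_size);
    z->free_slots[z->free_top++] = slot;   /* LIFO: reused on next alloc */
}

static void zone_destroy(zone_t *z) { free(z->slab); z->slab = NULL; }

/* Two unrelated kernel-style object types that happen to share a size. */
typedef struct { uint64_t refcount; uint64_t handler; } type_a_t;
typedef struct { uint64_t length;   uint64_t payload; } type_b_t;

/*
 * Scenario 1: one zone per size class. A dangling pointer to a freed
 * type_a_t can alias a later type_b_t allocation of the same size.
 * Returns 1 if the freed slot was reused by the other type.
 */
int shared_zone_aliases_other_type(void) {
    zone_t shared;
    zone_init(&shared, sizeof(type_a_t));
    type_a_t *a = zone_alloc(&shared);
    zone_free(&shared, a);                 /* a is now dangling */
    type_b_t *b = zone_alloc(&shared);     /* same size, same zone */
    int aliased = ((void *)a == (void *)b);
    zone_destroy(&shared);
    return aliased;
}

/*
 * Scenario 2: one zone per type (the isolation idea behind kalloc_type).
 * The freed type_a_t slot can only ever be reused by another type_a_t,
 * so the dangling pointer never overlaps a type_b_t.
 * Returns 1 if the freed slot was reused by the other type (expected 0).
 */
int isolated_zones_alias_other_type(void) {
    zone_t zone_a, zone_b;
    zone_init(&zone_a, sizeof(type_a_t));
    zone_init(&zone_b, sizeof(type_b_t));
    type_a_t *a = zone_alloc(&zone_a);
    zone_free(&zone_a, a);
    type_b_t *b = zone_alloc(&zone_b);
    int aliased = ((void *)a == (void *)b);
    zone_destroy(&zone_a);
    zone_destroy(&zone_b);
    return aliased;
}

/*
 * Residual risk: within one type's zone the slot is still reused, so a
 * use-after-free can still alias an object of the same type. Isolation
 * narrows what a dangling pointer can overlap; it does not remove the bug.
 * Returns 1 if the freed slot was reused by the same type.
 */
int isolated_zone_reuses_same_type(void) {
    zone_t zone_a;
    zone_init(&zone_a, sizeof(type_a_t));
    type_a_t *a1 = zone_alloc(&zone_a);
    zone_free(&zone_a, a1);
    type_a_t *a2 = zone_alloc(&zone_a);
    int reused = (a1 == a2);
    zone_destroy(&zone_a);
    return reused;
}

int main(void) {
    printf("shared size-class zone, freed A reused by B: %d\n", shared_zone_aliases_other_type());
    printf("per-type zones, freed A reused by B:        %d\n", isolated_zones_alias_other_type());
    printf("per-type zone, freed A reused by another A: %d\n", isolated_zone_reuses_same_type());
    return 0;
}
```

The third scenario is the caveat the article's "most memory corruption vulnerabilities" wording implies: per-type zones stop a stale pointer from overlapping a differently typed object, which is what makes type-confusion style exploitation unreliable, but the underlying use-after-free still needs to be found and fixed. The real kalloc_type additionally randomizes which bucket a type lands in; this toy model does not attempt that.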
In Apple's update on its bounty program, the company said it has awarded close to $20 million to security researchers over the two and a half years since the program was launched. While average payouts are around $40,000 in the product category, the company has paid 20 separate rewards of over $100,000 for high-impact issues. The evaluation criteria researchers need to meet in order to collect bounties are available on Apple Security Research.
