- Page 1 and 2:
Demystifying the Secure Enclave Pro
- Page 3 and 4:
Introduction • iPhone 5S was a te
- Page 5 and 6:
Secure (?) Enclave Processor • Ve
- Page 7 and 8:
Glossary • AP: Application Proces
- Page 9 and 10:
Demystifying the Secure Enclave Pro
- Page 11 and 12:
Dedicated Hardware Peripherals •
- Page 13 and 14:
Physical Memory • Dedicated BootR
- Page 15 and 16:
Demystifying the Secure Enclave Pro
- Page 17 and 18:
SEP Initialization - Page Tables
- Page 19 and 20:
SEP Initialization - Second Stage
- Page 21 and 22:
SEP Boot Flow SEP AP Configure TZ0
- Page 23 and 24:
Memory Encryption Setup • Use “
- Page 25 and 26:
• Mode actually used is AES-256-X
- Page 27 and 28:
SEP Boot Flow: Stage 3 SEP AP Ackno
- Page 29 and 30:
Sending SEPOS • SEPOS is sent (op
- Page 31 and 32:
Boot-loading: Img4 • SEP uses the
- Page 33 and 34:
Img4 - Manifest • The manifest (A
- Page 35 and 36:
IMG4 - Manifest Properties (2/2) He
- Page 37 and 38:
Reversing SEP’s Img4 Parser: Stag
- Page 39 and 40:
Img4 Parsing Flow SEP AP Decode Pay
- Page 41 and 42:
Demystifying the Secure Enclave Pro
- Page 43 and 44:
Secure Mailbox • Actual mailbox i
- Page 45 and 46:
Interrupt-based Message Passing •
- Page 47 and 48:
Mailbox Message Format • A single
- Page 49 and 50:
SEP Endpoint • Each endpoint is r
- Page 51 and 52:
SEP Endpoints (2/2) Index Name Driv
- Page 53 and 54:
Control Endpoint Opcodes Opcode Nam
- Page 55 and 56:
Endpoint Registration (AP) Start Cr
- Page 57 and 58:
Demystifying the Secure Enclave Pro
- Page 59 and 60: L4-embedded • Modified version of
- Page 61 and 62: SEPOS Architecture SEP Applications
- Page 63 and 64: System Calls (1/2) Num Name Descrip
- Page 65 and 66: Privileged System Calls • Some sy
- Page 67 and 68: SEPOS (INIT) • Initial process on
- Page 69 and 70: Application List • Includes infor
- Page 71 and 72: Bootstrap Server • Implements the
- Page 73 and 74: Privileged Methods • An applicati
- Page 75 and 76: proc_has_privilege( ) int proc_has_
- Page 77 and 78: Entitlement Assignment int proc_cre
- Page 79 and 80: SEP Drivers • Hosts all SEP drive
- Page 81 and 82: Driver Interaction Retrieves SEPD t
- Page 83 and 84: SEP Services • Hosts various SEP
- Page 85 and 86: Service Interaction Retrieves sepS
- Page 87 and 88: Demystifying the Secure Enclave Pro
- Page 89 and 90: Attack Surface: AKF Endpoints • E
- Page 91 and 92: Attack Surface: Endpoint Handler SE
- Page 93 and 94: Address Space Layout - Image • SE
- Page 95 and 96: Stack Corruptions • The main thre
- Page 97 and 98: Stack Corruptions • SEP applicati
- Page 99 and 100: Heap Corruptions: malloc() Free Lis
- Page 101 and 102: No-Execute Protection • SEPOS imp
- Page 103 and 104: Attack Surface: BootROM • Effecti
- Page 105 and 106: Attack Surface: Hardware • Memory
- Page 107 and 108: End Game: JTAG • Glitch the fuse
- Page 109: Conclusion • SEP(OS) was designed
- Page 113 and 114: SEPOS: System Methods Class Id Meth
- Page 115 and 116: SEPOS: Object Methods (2/2) Class I