undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointszitterbewegung7y ago0 comments

Take for example the secure enclave on an iPhone. If the FaceID / TouchID was implemented in software then you could read it from memory if you compromise the A11 chip. Instead you have to now compromise both the secure enclave and the A11 since it is isolated from the A11.

0 comments

5 comments · 1 top-level

tomp7y ago· 4 in thread

Why would that be any more than 2x harder?

General-purpose processors have to be secure while executing untrusted code, providing a large number of features, and providing good performance.

The secure enclave isn't subject to these constraints, allowing for more conservative design decisions.

You've found a privilege-escalation attack that can let sandboxed apps escape their sandbox? Still secure if the chip can't run apps in the first place. You've found a bug in the USB disk mode emulation code? Still secure if the chip doesn't have any USB code on it. You've found a bug in branch prediction? Still secure if your chip didn't use it. You've found a way to abuse the third party developers' debugging interface? Still secure if your chip provides no such interface...

Yes, it absolutely is more than 2x harder. The attack surface of the secure enclave is considerably smaller than the attack surface of the AXX chip as a whole, and you need a significant jailbreak/compromise before you could even target the SE.

zitterbewegungOP7y ago

Because you need two compromises and hacking the secure enclave is a much harder proposition than finding a exploit that allows you to read the memory of an iPhone. Public information about how the secure enclave really works has been hard to come by.

ygra7y ago

The secure enclave would have a much smaller attack surface, due to only handling a much smaller set of features, I guess.

j / k navigate · click thread line to collapse