Re: Public Statements by Craig Federighi in WSJ
Friday, August 27, 2021
To: Craig Federighi
Senior Vice President,
1 Apple Park Way
Cupertino, California, 95014
The 2021 Apple Security Research Device Cohort [SRDC] is an independent, authoritative source for Best Practice & Transparency. The 2021 SRDC works Independently & Collaboratively to improve the User Experience & Security of Internet Products & Services. We are outliers offering a data point that differs significantly from other observations.
I am David Hoyt, a Publisher of Best Practices, Vulnerability Management, Security Measurement & Compliance Reporting. I am a part of the Apple Security Research Device Cohort and a former Internet Service Provider [ISP], writing with respect to the Apple Security Research Device Program.
I read your quote “Security researchers are constantly able to introspect what’s happening in Apple’s [phone] software,” in an interview with the Wall Street Journal.
I contrast your Quote with the following Console Log output from the Apple Security Research Device clearly documenting the inability of debugserver to execute Business Logic for such introspection. See Apple Feedback Case FB9436327 titled:
SRD | debugserver | KERN_INVALID_ADDRESS | (Data Abort) byte read Translation fault.
The Issue was identified the last week of January 2021.
To the best of my knowledge and personal User Experience [UX] we do not have such introspection capabilities with the Apple Security Research Device due to Entitlement Restrictions, for example:
mach_memory_info: unknown error code (entitlement required or rate-limit exceeded)
I report to you the status of the Apple Security Research Device from the UX Point of View (PoV).
Today is Day 221 of the 2021 SRD Cohort. I have attempted to Verify, Validate & Report all points of engagement for the Apple Security Research Device Program with significant emphasis on Introspection. I Report that the Apple Security Research Device does not yet support the introspect Claim you have made in the WSJ article due to the inability of Apple to deliver a Proof of Work & Audit Trail for debugserver Installation, Configuration & Operation with Unit Test Suite for Validation & Audit of the Apple Security Research Device.
The statement “Security researchers are constantly able to introspect what’s happening in Apple’s [phone] software,” by Apple vice president Craig Federighi in an interview with the Wall Street Journal is unproven by the Apple Security Research Device Cohort as of the Close of Business, Friday, August 27, 2021, when using an Apple Security Research Device prototype iPhone 12,1 provided.
My Proof of Work and Audit Trail for debugserver is available at URL https://github.com/xsscx/srd/.
No Audit Trail
Apple has not offered a Proof of Work & Audit Trail for debugserver on the Apple Security Research Device. The Company has been unable to deliver Introspection for the Apple Security Research Device despite Claims that are Published in the Wall Street Journal.
With an Apple-provided Security Research Device 12,1 prototype in my physical possession for more than 7 months, I report a UX that debugserver has never worked. None of the typical introspection tooling for the Apple Security Research Device, such as debugserver, zprint and dtrace, functions as of this date as designed or for the intended use by Security Researchers and Software Assurance Auditors. Here are the current Results as of October 22, 2021:
Subsequently I Reported myriad Issues to the Feedback System [feedback.apple.com] and gained a positive, accretive dialogue. But not a working debugserver.
Apple not working together synchronously on the Apple Security Research Device Program is causing significant dysfunction expressed as the Apple Security Research Device for the past 7 months. The left hand does not know what the right hand is doing.
On what date will Apple provide a Deliverable in the form of Introspection Software Tooling [example: debugserver, zprint, dtrace [and more] plus all necessary entitlements] with all necessary support Documentation, Frameworks, Libraries & Applications for the Audit of the Apple Security Research Device by the Apple Security Research Device Cohort?
The expectation of the Apple Security Research Device Cohort is that a Statement of Claim(s), Proof of Work & Audit Trail will be provided for the Apple Security Research Device to be Validated, Audited & Reported for all Introspection Tools.
The Apple Security Research Device Cohort have a substantial Time Investment in the SRD Program that is experiencing massive Time Decay & Depreciation of Intangible Value due to a lack of introspection on the Apple Security Research Device.
Please investigate & report on your findings of the status of delivering the capability to introspect on the Apple Security Research Device and err on the side of transparency in Public Interest.
May I hear from you.
October 25, 2021: In iOS 15.1 Apple added a new entitlement called research.com.apple.license-to-operate to support Frida and other research tools for the Apple Security Research Device. This entitlement allows tools to bypass the PPL codesigning protections and the usual task-port policies to inject code into any process running on the system (platform and non-platform).
Entitlement Failures on the Apple SRD
The Debugging Entitlements do not work as of MON 28 FEB 2022
UPDATED MON 28 FEB 2022: Debugging Tools like Frida and debugserver need the correct Entitlements from Apple to work as expected and provide provable data.