Secure-world handling path in xnuproxy

Investigate the secure-world-side handling and scheduling performed by xnuproxy and related GL0 components when servicing calls entered via sk_enter, including how requests are retrieved from shared buffers and forwarded to endpoints.

Background

The paper shows that xnuproxy manages Exclave calls and forwarding but does not reverse engineer the secure-world handling after SPTM dispatches to Secure Kernel and returns via ERET to GL0.

Understanding this path would clarify how the system orchestrates downcalls, scheduling, and endpoint forwarding inside the secure world.

References

The exact inner workings of this secure world side handling have not yet been reverse-engineered by us and are left as future work.

Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves (2510.09272 - Steffin et al., 10 Oct 2025) in Section Xnuproxy Communication — Direct Calls into xnuproxy