Secure Page Table Monitor

Secure Page Table Monitor (also known as SPTM) is an hardware-based security protocol introduced in Apple's A15 and subsequent processors, significantly improving memory management and access control in iOS 17 onwards. It replaces the Page Protection Layer (PPL) to provide a more robust approach to system security, making unauthorised modifications to protected page tables challenging.

SPTM operates within the Guest Level 1 (GL1) or Guest Level 2 (GL2) of the system architecture, overseeing page tables. These tables are essential data structures that map virtual memory addresses to physical ones.

SPTM functions at the hardware level, providing direct oversight of memory management operations and access permissions. This hardware-based approach enhances security by reducing vulnerabilities associated with software-based methods.

System Calls
SPTM introduces three system calls for the kernel and privileged processes, enhancing control and responsiveness:

1. SVC #0 (To Be Determined): The purpose of this system call is undisclosed, potentially reserved for future functionalities or specific security operations, adding adaptability to the system.

2. SVC #37: Enable All Interrupts: This call enables all interrupts, aiding system responsiveness for handling asynchronous events and maintaining stability.

3. SVC #38: Disable All Interrupts: Conversely, this call deactivates all interrupts, ensuring uninterrupted execution of critical operations to prevent potential disruptions.

Unfortunately, SPTM significantly raises the bar for jailbreaking on iOS devices equipped with A15 and later processors starting from iOS 17. This is due to tighter control over system calls; as explained above, SPTM introduces specific system calls (such as SVC #0) with undisclosed purposes. These syscalls could be utilised for future security enhancements.

By keeping these functionalities hidden or restricted, Apple can effectively limit the options available for potential jailbreak exploits. Additionally, the system calls provided by SPTM (such as enabling or disabling interrupts) can further strengthen system resilience against unauthorised tampering.

SPTM behaviour and error handling
As explained in this amazing article by DFF, SPTM operates with what seems to be a code of honour, prioritising integrity above all else. In the face of any unexpected circumstances or problems, SPTM responds with a kernel panic, using func_0xffff00708e570 for error handling. These panics inadvertently reveal critical information about the inner workings.

During a panic, SPTM exposes a slew of function names stored on the stack pointer, which sheds light on the nature of the encountered issues. This information aids in debugging and understanding the underlying causes.

Furthermore, several functions within the ..570 area exhibit similar panic-handling behaviors, all directing their operations to the central func_0xfffffff00708e408. This centralised function likely serves as a control point for managing panic responses and/or coordinating error recovery processes within SPTM.

Bypassing SPTM
An attacker could potentially attempt to intercept communication channels between user land processes and kernel components to manipulate data or commands exchanged between them. By intercepting sensitive information or injecting malicious commands, they could potentially bypass security checks enforced by the SPTM protocol.

However, this is all from a theoretical standpoint due to the fact that there has been very little public research or documentation available on the specifics of how SPTM operates and the mechanisms it uses for error handling and security enforcement.