Explainer: xART and nonces

If you read Apple’s Platform Security Guide, you’ll come across sentences like: “On supported devices, the Secure Enclave is paired with a Secure Storage Component for anti-replay nonce storage.” You’ll also no doubt have come across a whole volume on the internal storage of an M1 Mac named xART, and the mysterious command tool xartutil, which is apparently an xART recovery utility. This article delves into what these are about, and why they’re so important to modern Macs.

xART is an abbreviation for eXtended Anti-Replay Technology, services which are built into the Secure Enclave of Macs with T1, T2 and M1 chips. If your Intel Mac doesn’t have a T1 or T2 chip, then I’m afraid that none of this applies. The purpose of xART is to block a class of attacks which could be used to gain access to encrypted storage and other protected features of the Mac.

In a Replay Attack, what happens is that the malicious code or operator acquires details of a legitimate transaction involving the security system, here exchanges which are used to give access. They then use those same details in a subsequent attempt to obtain access.

This is most commonly known in third-party interception of network credentials. A has to authenticate to B to gain access to a network service. A does so by entering a password, which is then transmitted to B as a secure hash. If C intercepts that message and acquires that hash, they could then use that to gain access themselves to the same network service in a replay of the transactions between A and B. When you’re using robust passwords which are securely encrypted, this is one of very few methods which can be used to break into an otherwise secure system, hence its importance in Mac security.

The Secure Enclave needs to store data in the Mac’s memory. To ensure that remains secure, there are multiple levels of protection which include an authentication tag for each of those encrypted blocks of memory. When that memory is accessed, those tags are checked to ensure that the memory hasn’t been tampered with before it’s decrypted. However, an attacker could use a replay technique using those tags, so instead of just verifying the tags, the Memory Protection Engine uses special one-off numbers called nonces.

The word nonce has unfortunate slang meanings, but a nonce word is one which is coined specially for a single occasion – a one-off – and that’s just what a nonce in computer security is. Nonces are powerful tools in tackling replay attacks, as by definition they only work once, so if an attacker tries using them in a replay they invariably fail on that second attempt. They’re normally long random, or pseudo-random, numbers specially generated for the occasion.

In addition to their use in verifying memory used by the Secure Enclave, nonces are also used to check that LocalPolicy for boot and runtime security policies hasn’t been tampered with, for example by substituting an old LocalPolicy with lower security. For good measure, LocalPolicy contains the hashes of several different nonces, including that for the LocalPolicy itself.

As to that xART or xarts volume on the internal storage of a Mac running Big Sur, it’s there to provide trusted storage for xART. It might look like little or nothing, but it’s crucial to the security of the modern Mac.