Apple Neural Engine Internal: From ML Algorithm to HW Registers

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 10:20 a.m. (40 minutes).

<div><span>I am curious why the SEP (Secure Enclave Processor) firmware decryption key of the iPhone XR has been leaked for more than a year and no one has disclosed the machine learning model of FaceID. After I reverse engineered SEP, I found that SEP does include all the FaceID software logic including facial feature comparison. Even the iv and key used to decrypt the parameters of the FaceID neural network are stored in the SEP firmware in plaintext. However, the neural network structure and hyperparameter information needed to reconstruct the FaceID model are hidden behind a series of register operations.</span></div><div><span><br><br></span></div><div><span>Since there is no public ANE (Apple Neural Engine) hardware datasheet, I cannot interpret the functions of these registers directly. Since the A12 processor, Apple has opened the ANE API to the APP, which gave me the opportunity to obtain register functions by reversing the ANE framework.</span></div><div><span><br><br></span></div><div><span>According to Apple's public documents, neural network models of other frameworks need to be converted into mlmodel compressed file and then compiled into mlmodelc folder before they can be used. But the "compilation" in the document is different from the compilation of ANE. ANE will compile the neural network into a mach-o format file called ANEProgram. This ANEProgram file will be loaded and analyzed by the kernel ANE driver, and finally handed over to the ANE firmware to run.</span></div><div><span><br><br></span></div><div><span>I have written a set of command line tools that can compile the model in mlmodelc into a ANEProgram file that can be loaded by the ANE driver, and can use all the internal undocumented ANE compiler options. There are a lot of internal undocumented debugging and test codes in the ANE framework that are not used by the system, which can be used to analyze and reverse-engineer the ANEProgram.</span></div><div><span><br><br></span></div><div><span>According to the different permissions obtained by the attacker, ANE can be divided into APP cloud, APP, ANE daemon, ANE compilation process, ANE kernel driver, and ANE firmware. Since the implementation of ANE involves a large number of files in different formats, and the complexity of the ANE system is very high, there may be many security vulnerabilities in ANE. I just did byte flipping on the ANEProgram, and an iOS kernel OOB read was issued.</span></div>

Presenters:

  • Wish Wu - Security Expert, Tian Qiong Security Lab of Ant Group
    Wish Wu is a security expert who specializes in researching AI, Android and iOS related vulnerabilities. Most of the severities of the CVEs on the Android Security Bulletin he found were HIGH or CRITICAL. He is also the very first recipient of Google's Android Security Rewards. In 2015 he found the bug to root Google Nexus 6 from app and exploited it successfully. He previously worked for Trend Micro and now works for Ant Group. He bypassed iPhone X FaceID by his research of AI.

Links:

Similar Presentations: