Deep dive into SPTM, TXM, SK and Exclaves of macOS and iOS


Posted by Stefan Esser
Instructor: Stefan Esser (Antid0te UG/Antid0te SG)
Dates: 15th December - 19th December 2025 (EU/North America Timezone)
Alternative Dates: 26th January - 30th January 2026 (EU/North America Timezone)
Venue: Online, Zoom
Availability: 20 Seats
Language: English

With the release of macOS Tahoe and iOS 26, Apple continues its never-ending quest to enhance the security of its operating systems. New ARM64 hardware-assisted security mitigations and security boundaries like SPTM and TXM have been rolled out to even more devices with this release, and on iOS we have an additional Secure Kernel and Exclaves. Unlike our kernel internals course, this course will dive deep into these components that exist on newer platforms outside of the XNU kernel.

This brand new training will premiere in December 2025 and will be repeated in January 2026 (for people who cannot make the December run). The course will be a virtual course that is held on the Zoom platform. Additionally, there will be support available via a Discord server. The training spans 5 days with daily live training sessions around 5h in length (with an additional 15min break in the middle). This course is targeted at security researchers who already have basic knowledge about macOS or iOS kernel security topics and want to get a deep dive into the newer non-kernel security components.

The course will use ARM64 macOS as the base platform, which means an ARM64 macOS device is required. We are currently working on the means to run parts of the SK and Exclaves on macOS, at least partially, in an emulated or virtualised fashion. The toolset required for this is still under heavy development.

PLEASE BE ADVISED: This course is advanced. We strongly recommend that you only sign up if you previously learned about macOS and iOS kernel internals either from us or via another third party. If you are new to this topic and want the complete package, we offer another training in November that you can use to gain the recommended knowledge. Please check it out. If you are interested in both training courses, contact us for special bundle pricing.

Topics

The following list of topics is a DRAFT outline of what will be covered within the course. Please understand that this course will be under active development until the day it is run for the first time in the middle of December. So if you are missing certain topics, please check with us by email or come back to this page every two weeks to see if we have meanwhile added more points to the list.

  • Introduction
    • ARM64 Hardware Details (System Registers, Page Tables, Exception Handling, ...)
    • Apple ARM64 Proprietary Security Features (SPRR, CTRR, GLx, ...)
    • Birdseye view of SPTM, TXM, SK and Exclaves (and XNU)
  • Tightbeam
    • Messages
    • Endpoints
    • Transports
  • XNU
    • Communication between XNU and SPTM / TXM / Exclaves
  • SPTM
    • Reverse Engineering of SPTM
    • Internal structure and data types
    • "Debugging" SPTM
  • TXM
    • Reverse Engineering of TXM
    • Internal structure and data types
    • "Debugging" TXM
  • SK
    • Reverse Engineering of SK
    • Internal structure and data types
    • Systemcalls
    • "Debugging" SK
  • Exclaves
    • Reverse Engineering of ExclaveOS, ExclaveKit, ...
    • Internal structure and data types
    • "Debugging" Exclave APPs

NOTE: "Debugging" is short for trying to get the specific component to run at least partially in either an emulated, virtualised or otherwise instrumented fashion that allows for introspection. We are currently in the process of developing these methods.

Training Takeaways

  • The whole training material (multiple hundred slides) will be handed to the students in digital form.
  • For up to 5 days after the training students can rewatch video recordings of all sessions.
  • Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.

Training Requirements

  • Student Requirements
    • Basic understanding of exploitation (REMEMBER: this is not an exploitation training)
    • C and Python Programming knowledge
    • Basic Knowledge of ARM64 assembly (just to be able to understand)
  • Hardware Requirements
    • Apple Mac Notebook capable of running the latest macOS within a virtual machine (needs to be able to boot in recovery mode)
    • Enough hard disk space to run VMs
  • Software Requirements
    • Disassembler capable of understanding ARM64 MacOS/iOS binaries
      • IDA Pro (ARM64 support required)
      • Ghidra
      • Binary Ninja
    • macOS Sequoia/Tahoe, with latest Xcode and iOS SDK (or newer)
    • VirtualBuddy (ARM64)
    • Additional Software will be made available during the training

Virtual Venue

The training sessions will be held via Zoom video conferencing. Training sessions will be around 5 hours per training day plus a 15 minute break around the middle.

Furthermore, trainees get access to a Discord server that will be used to post information regarding the training and to discuss exercises and their solutions, unless those are covered via Zoom.

All training sessions will be recorded and made available as videos until 5 days after the training. During that time trainees can rewatch sessions as often as they want.

Timezones

We offer this training in an EU/North America edition. For other timezones please enquire. Unlike in-person training courses, where all attendees are present and share the same timezone, the execution of online training courses requires some adjustments to allow attendees across different timezones to attend.

The following are the timings of the live lectures. In addition to that, trainees need to have extra time to perform hands-on training exercises on their own after the live lectures.

EU / North America Edition

17:00 - 22:00 Berlin
16:00 - 21:00 London
08:00am - 01:00pm Seattle / Vancouver
11:00am - 04:00pm New York / Montreal
12:00am+1 - 05:00am+1 Singapore
03:00am+1 - 08:00am+1 Sydney

Pricing

We offer the following rates for this training.

4500,- EUR
6500,- SGD
5000,- USD

Payment will be possible via international bank transfer or via credit card through Stripe. Please note that we will usually charge EU customers in EUR and the rest of the world in SGD. On request we can charge in USD.

Register

If you have further questions or want to register for this training, please contact us by e-mail at training@antid0te.com. Please note that signup, billing and execution of the training are handled by Antid0te SG Pte. Ltd.

In-House Training / Conferences / Additional Trainings

If you are interested in this training but want us to perform the training for your people, want to feature our training at your online conference, or would just like to know if we provide the training again at a later time, please contact us by e-mail at training@antid0te.com.