Private Cloud Compute (PCC), the computational powerhouse behind Apple Intelligence, was unveiled months back at WWDC24 as Apple’s new privacy-focused cloud infrastructure. At the same time, the company stated it would periodically release subsets of PCC source code for independent review. After some wait, 9to5Mac reported last week that many of its resources are now available to everyone. Here’s what’s included.
In a push to its GitHub repository, Apple has made much of PCC’s core computational infrastructure, security models, cryptographic verification mechanisms, policies, and more available to the public. The move is aimed at allowing security researchers, privacy advocates, and experts to inspect, audit, and validate Apple’s security and privacy claims.
Public Private Cloud Compute resources:
- AppleComputeEnsembler: This appears to refer to the overall compute infrastructure and resource management
- CloudAttestation: Mechanisms and services responsible for attesting and verifying the integrity of the servers and software stack
- CloudBoard: Handles secure and private clipboard operations across devices; also appears to be responsible for interfacing requests with OpenAI
- CloudMetrics: Contains functionality for monitoring and analyzing the performance and security of applications using PCC services
- CloudRemoteDiagnostics: Responsible for remote diagnostics on Apple devices over the cloud, particularly for secure, asynchronous communication and data handling
- SecurityMonitorLite: Implements Apple’s Endpoint Security (ES) framework for monitoring system activities, such as process executions, exits, I/O Kit interactions, and SSH login/logout events
- Thimble: Potentially related to cryptographic key management or secure enclaves
- darwinOSBits: References security mechanisms and enforces privacy policies
- srd_tools: Contains tools and resources for the Security Research Device (SRD) program
- Other documentation and legal
By releasing these components, Apple is enabling the security community to do what they do best. It’s great to see the company take a collaborative approach to strengthening the security of Private Cloud Compute (PCC) rather than relying solely on its internal teams. This not only bolsters PCC, but hopefully the entire market as it encourages other firms to embrace this level of transparency and security.
It’s also not a coincidence that at the same time the resources were released, Apple expanded its security bounty program to include rewards related to PCC. A remote arbitrary code execution vulnerability can now pay up to $1,000,000, Apple’s highest reward in the program’s Services category.
Incentivizing security researchers to uncover and report sophisticated vulnerabilities around PCC is a great step in ensuring airtight privacy.
Craig Federighi, Apple’s senior vice president of software engineering, told WIRED during the launch of iPhone 16, “…we needed to make sure that that [PCC] processing was hermetically sealed inside of a privacy bubble with your phone.”
Apple says it’s able to maintain this “bubble” between PCC and devices like iPhone, Mac, and iPad by running a carefully controlled software stack that verifies its own integrity, ensuring no unauthorized changes can occur. Any processing happens in an isolated environment with strict privacy controls. Each computation is treated as a temporary event as well – once the task is complete, all data is immediately deleted, leaving no trace of the individual user’s interaction.
So far, there haven’t been any reported vulnerabilities related to Private Cloud Compute.
Apple has indicated that making PCC resources available to everyone is just the first step. The company plans to continue its commitment to transparency, setting a new industry standard for responsible AI development—a rather unique and anomalous approach compared to others in the space.
If you can provide more insight into the new resources Apple has made public, comment below or email me at arin@9to5mac.com.