Introduction to the Apple Private Cloud Compute

Tags: Tutorials, AI, Cloud, Security
Author: nmapp

Core Requirements

Stateless Computation and Enforceable Guarantees

  • End-to-end encryption
      • Direct encryption to PCC nodes
      • Protection of support services
      • Info summary - Only designated PCC nodes can access encrypted user data
  • Isolation and integrity
      • Trust Boundary (PCC nodes are physically secure and use Apple silicon tech)
      • Secure Boot & Code Signing (each node boots with Secure Boot)
      • Restricted Execution Mode (this mode is active when user data is present and restricts additional code)
      • Info summary - PCC nodes are a controlled, secure environment that never runs unverified code
  • Stateless data processing
      • Data Used Only for the Request
      • Ephemeral Data Mode
      • Info summary - User data is kept only as long as necessary for processing and is erased after each reboot.
  • Security in distributed operations and memory protection
      • Secure Distributed Processing
      • Memory Erasure
      • Info summary - Security is maintained even across multiple collaborating nodes, and data does not persist in memory post-processing.
  • Exploitation protection
      • Pointer Authentication Codes and Sandboxing
      • Swift for Memory Safety

No Privileged Runtime Access

PCC nodes:
  • Do not include a remote shell
  • Do not include interactive debugging mechanisms
  • Cannot enable Developer Mode and do not include the tools needed by debugging workflows
  • Do not include a general-purpose logging mechanism
  • Have management tools designed to prevent leakage of user data
  • Do not include privileged interfaces

Non-Targetability

The goal is to make a targeted attack on a specific user impossible. The design forces any attack attempt to be large-scale, which makes it more difficult and more detectable.
  • Strengthened hardware security from manufacturing
      • Component Inventory and Imaging
      • Revalidation and External Audit
      • Effects - This makes a hardware attack extremely expensive and detectable thanks to the secure supply chain.
  • Call Target Diffusion
      • Limited, Anonymized Metadata
      • RSA Blind Signatures
      • Third-Party OHTTP Relay
      • Effects - With no identifiable data, IP, or user-linked content, it’s impossible for an attacker to route a request to a specific node based on the user.
  • Random Node Selection by the Load Balancer
      • Partial List of Nodes
      • Statistical Audits
      • Effects - Limiting each request to a random subset of nodes and performing statistical audits of node selection prevents targeting a specific user.

Verifiable Transparency

  • Transparency Through Public Software Images
      • Public Access to Production Software
      • Verifiable Builds
  • Tamper-Proof Transparency Log
      • Append-Only Transparency Log
      • Public Access for Researchers
  • Dedicated Tools and Security Bounty Program
      • Research Tools (VRE)
      • Apple Security Bounty: Private Cloud Compute
  • Hardware-Rooted Attestation for Device Verification
      • Device-Only Communication with Verified Nodes
      • Hardware-Based Attestation
 

Hardware and Software Security

Hardware Root of Trust

The Hardware Root of Trust in the PCC is built upon the foundation of Apple Silicon technology. This secure hardware architecture provides a robust basis for the entire system's security. It incorporates features such as secure boot, hardware-based key management, and cryptographic acceleration to ensure the integrity and confidentiality of all operations within the PCC environment.

Software Foundations

The software foundations of the PCC are built on a minimalist, security-focused approach. At its core, the system utilizes a custom-designed operating system that prioritizes security and efficiency. This specialized OS is stripped of unnecessary components, reducing the attack surface and enhancing overall system integrity.

Software Layering

The software architecture of the PCC is designed with a layered approach, enhancing security and modularity. At the lowest level, a thin hardware abstraction layer interacts directly with the Apple Silicon, providing a secure foundation for higher-level components. Above this, a minimalist kernel manages core system resources and enforces strict isolation between processes. The application layer, which runs on top of this secure base, is highly restricted and only contains the essential components needed for PCC operations.

Request Processing and Flow

 
Apple Intelligence Orchestration
  • Routing inference requests between on-device and server-based models
  • Prewarming on-device models and connections to server-based models
 
 
 
 
 
In progress