Last Week on My Mac: Agatha Christie, dendrites and West Berlin

If you were one of the many who thought macOS Sonoma had little to offer, then last week’s update to 14.4 repays close attention. This isn’t for the new emoji, however Apple might think we’re crying out for more, or even for its 64 fixed security vulnerabilities, compared with just 33 in Ventura (including Safari 17.4), but for its more fundamental changes.

Agatha Christie

For the first of these, I go back to classic Mac OS 8, when the Finder’s original Find File was extended to include the indexed content of some files in what was named Sherlock, after Sir Arthur Conan Doyle’s fictional detective. Four years later, Karelia Software released its first version of a competitor to Sherlock, named after Holmes’ companion, Watson. When Apple improved Sherlock in version 3 the following year, Karelia claimed that Apple had copied Watson’s features, and the term sherlocked entered the English language to describe what was claimed. As Wictionary describes it:
“To obsolete a unique feature in third-party software by introducing a similar or identical feature to the OS or a first-party program/app.”

When Apple came to replace Sherlock in Mac OS X Tiger, it steered well clear of fictional detectives, and chose Spotlight instead. It thus came as a surprise to see the return of the genre in 14.4, with four new Private Frameworks named PoirotBlocks, PoirotSchematizer, PoirotSQLite and PoirotUDFs. Those are named after Agatha Christie’s Hercule Poirot, who in over fifty years of novels became so well known that he merited a front page obituary in The New York Times.

Those framework names give little away, but I wonder whether Poirot might be a forthcoming visual search feature.

Dendrites

For this I take you to neurohistology, where dendrites are those branched protrusions from nerve cells that have synapses to connect to other nerve cells, forming neural networks. Painstaking studies by a succession of scientists have pieced together some of the simpler networks for controlling functions such as breathing long before they were proposed as tools in computing.

In 14.4, two new Private Frameworks named Dendrite and DendriteIngest must be concerned with neural networks in some way, probably in Apple’s rapidly expanding Machine Learning and AI support.

West Berlin

Until the reunification of Germany in 1990, Berlin, its former capital city, was divided into two, with West Berlin a part of West Germany in isolation in East Germany, then a satellite of the Soviet Union. In the summer of 1948, this isolation was exploited by the Soviet Union when it imposed a blockade on all forms of ground transport between West Germany and West Berlin, resulting in the Berlin Airlift that supported the city with over a quarter of a million flights, and broke the blockade.

The geographical term for such isolated fragments of states that exist separately is exclave, a relative of enclave, a term that should be familiar from the Secure Enclaves that contain our deepest secrets, and SEP, the Secure Enclave Processor.

Exclave isn’t a term that has been used previously in computing or macOS, but new in 14.4 are three kernel extensions ExclaveKextClient, ExclavesAudioKext and ExclaveSEPManagerProxy, and yet another Private Framework libmalloc_exclaves_introspector. The greatest concentration of exclaves I’ve found so far is in the source code of xnu-10002.1.13, in /iokit/IOKit/IOService.h and /osfmk/kern/exclaves.c, where there are references to exclave endpoints, proxies and drivers, and even to conclaves, more familiar as the meeting of cardinals to elect the next Pope.

Back in August last year, when developers were testing betas of Sonoma and iOS 17, researchers at DataFlow Forensics first came across exclaves in the new kernel of iOS 17. In a detailed analysis, they proposed that exclaves are code domains isolated from the kernel itself, so that should the kernel become compromised in any way, components in exclaves should remain protected. Thus, Apple appears to be engaged in refactoring the XNU kernel into a central micro-kernel with its protected exclaves.

If this reading of the changes in the kernel of iOS and macOS proves correct, this could be the start of its most substantial architectural change since the introduction of the 64-bit kernel K64 in Snow Leopard, if not its first version at the end of 1996.

macOS 14.4

March updates to macOS often herald major changes preparing the ground for the beta-releases of the next major versions of Apple’s operating systems in June. It was macOS Monterey 12.3, released on 14 March 2022, that brought the first version of XProtect Remediator, for instance. There are plenty of other new kernel extensions and frameworks both public and private that are novel in Sonoma, many of which didn’t appear until 14.4 last week. I suspect that we’ll be seeing more of them and their capabilities over the coming year or two.