blog-banner-apple-sliced.jpg

blog-thumb-apple-sliced.jpg

Mac system extensions for threat detection: Part 3

Mac system extensions for threat detection: Part 2

When it comes to having visibility and detecting threats on macOS, one of the best sources of information for file system events, process events, and network events is the kernel. MacOS kernel extensions provide the ability to receive data about these events in real time with great detail. This is good for providing quick visibility into detecting anomalies and identifying possible threats. MacOS kernel extensions also provide the ability to block malicious behaviors that a piece of malware is attempting to carry out.
The kernel extension framework provided by macOS, however, is changing. Starting with macOS 10.15, a new framework has been added to assist those who want to have visibility into file system, process, and network events in real time. These new frameworks are called the SystemExtension framework, the EndpointSecurity framework, and the NetworkExtension framework, respectively. These new frameworks will be the new base from which endpoint security products must build on top of starting in macOS 10.16.
Before going into the new frameworks, it is important to understand what is currently offered by the legacy kernel extension framework, including the information that can be retrieved for events and the capabilities provided for stopping malicious behavior.
In part 1 of this series, we’ll go over some of the frameworks accessible by kernel extensions that provide information about file system, process, and network events. These frameworks include the Mandatory Access Control Framework, the KAuth framework, and the IP/socket filter frameworks.
We won't do a deep dive into each one of these frameworks specifically, as there have been many other posts and guides [<a href="https://www.synack.com/blog/monitoring-process-creation-via-the-kernel-part-i/">0</a>][<a href="https://www.apriorit.com/dev-blog/411-mac-os-x-kauth-listeners">1</a>][<a href="https://reverse.put.as/2014/10/03/can-i-suid-a-trustedbsd-policy-module-to-control-suid-binaries-execution/">2</a>][<a href="https://developer.apple.com/library/archive/technotes/tn2127/_index.html">3</a>][<a href="https://developer.apple.com/library/archive/technotes/tn2459/_index.html">4</a>] regarding how to use these frameworks. Instead, we’ll recap and review each of these frameworks, then in <a href="https://www.elastic.co/blog/mac-system-extensions-for-threat-detection-part-2">part 2</a> we’ll cover some valuable tips and tricks we can use inside the kernel extensions framework that will no longer be available in the new SystemExtensions framework starting in macOS 10.15. And finally, in <a href="https://www.elastic.co/blog/mac-system-extensions-for-threat-detection-part-3">part 3</a> of the series, we’ll cover the new SystemExtensions framework and the features it provides to third-party developers.
<h2>What are Kernel extensions?</h2>A quick primer on kernel extensions for those unfamiliar with them: Kernel extensions are compiled binaries that allow third-party developers, as well as Apple, to extend the functionality of the XNU kernel. This means that macOS has the ability to extend the functionality of its kernel by dynamically loading new binaries that run inside the kernel space. This is similar to how Windows can load drivers to extend the functionality of its kernel.
MacOS kernel extensions can be loaded via a <code>kextload</code> and unloaded via <code>kextunload</code>. MacOS kernel extensions, by nature, run with kernel privileges since they run in the context of the kernel process. Because of this, Apple requires that all kernel extensions be signed with a special kernel extension certificate. Apple provides this certificate and allows kernel extensions to run on SIP-protected systems.
Still, the user must allow the kernel extension to load manually on macOS 10.14+ via the Security Preference Pane. This can be worked around using <code>spctl</code> to allow a kernel extension to load without user consent.
<h2>KAuth framework</h2>The Kernel Authorization subsystem, introduced in Mac OS X 10.4, allows third-party kernel developers to "authorize" actions within the kernel (e.g., process events, file system events). According to Apple’s technical documentation [<a href="https://developer.apple.com/library/archive/technotes/tn2127/_index.html">3</a>] on this framework, there are several components that provide functionality to the developers who want to leverage this subsystem. The main concepts that will be reviewed are listeners, scopes, and actions.
Listeners are the callbacks defined by the user that are called into by the kernel in order to “authorize” some action for a particular scope.
Scopes are considered areas of interest, and we will focus on three:
<ul>
 <li>process scope</li>
 <li>file operation scope</li>
 <li>vnode scope</li>
</ul>Actions are the operations the kernel attempts to carry out on behalf of a process. Depending on the scope, these actions can be denied from occurring by a listener.
The process scope, vnode scope, and file operation scope provide the ability to introspect into process events (i.e., trace attempts and signal attempts) or events such as file modifications or even process executions. This is important for security products that wish to monitor process/file activity to detect and prevent malicious behavior.
A good example of how to implement listeners for each scope is Apple's sample code project "KauthORama" [<a href="https://developer.apple.com/library/archive/samplecode/KauthORama/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003633">5</a>] along with Patrick Wardle's series, "Monitoring Process Creation via the Kernel" [<a href="https://www.synack.com/blog/monitoring-process-creation-via-the-kernel-part-i/">0</a>]. While KAuth is powerful in providing information about system events, there are caveats to some of these scopes. For example, the return value of listeners that handle actions from the file operation scope are ignored, which makes this scope unsuitable for stopping malicious activity before it happens.
The vnode scope listeners also have strict efficiency requirements to prevent noticeable delays to the system. In order to introspect deeper into system events and retrieve even more information than what is provided by KAuth, Apple has developed the mandatory access control framework.
<h2>Mandatory access control framework (AKA TrustedBSD, MACF)</h2>The mandatory access control framework provides a variety of callbacks for monitoring various events that occur on the system. It is worth emphasizing how powerful this framework is for security vendors. The MAC framework provides insight into nearly every single system event — ranging from file modification, process execution, memory protection changes, codesign checks, and others. In fact, this framework is so powerful that Apple themselves leverage MAC framework to implement features for AppleMobileFileIntegrity, which in turn enforces codesign checks and mach port protections.
A subset of these callbacks are related to file system events and process events. These callbacks provide different information than the KAuth scopes and can be useful for denying certain file system and process operations based on the information passed to the callback. This particular framework, however, is not considered a supported kernel programming interface, and compiling code with it results in an ominous warning <code>"error: "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in the next version"</code>.
Unfortunately, Apple has followed through on their promise and have pulled the MAC headers as of the 10.13 SDK. That being said, they are still available through the 10.12 and older SDKs. But more importantly, the kernel linker and loader, <code>KXLD</code>, will still load and link any kernel extensions that leverage the MAC framework. This allows developers to use older SDKs and, for the most part, the kernel extensions will work on newer macOS versions. There are still caveats associated with this, though, as certain callbacks are removed/rearranged between SDKs.
All the different available callbacks can be viewed in <code>mac_policy.h</code>[<a href="https://github.com/apple/darwin-xnu/blob/xnu-4903.221.2/security/mac_policy.h">6</a>] in the XNU source. Inside <code>struct mac_policy_ops</code>, there will be a large number of function pointers that can be configured during setup that will provide the MAC subsystem a means to call out to any kernel extension that is plugging into the MAC framework. For a good example of how this framework can be used, take a look at @osxreverser's <code>"can_I_suid"</code>[<a href="https://reverse.put.as/2014/10/03/can-i-suid-a-trustedbsd-policy-module-to-control-suid-binaries-execution/">2</a>], which has a simple, straightforward implementation of a kernel extension using the MAC framework.
We will touch on this subject in more actionable detail in part 2, where we’ll highlight the interesting callbacks and what information we can get from them.
<h2>IP/Socket filters</h2>Alongside the ability to monitor file system events and process events, XNU provides a way to receive network events via the socket filter framework. This framework provides a way for other kernel extensions to register their interests — in the form of callbacks — for any subset of network events the framework supports (such as TCP/UDP flows) over both ipv4 and ipv6. Inside <code>kpi_socketfilter.h</code> there is a <code>struct sflt_filter</code> declaration which provides the available callbacks.
Some interesting callbacks for network activities are <code>sf_attach_func, sf_detach_func</code> for attaching/detaching a filter from a socket, or <code>sf_data_in/sf_data_out</code> for filtering on data that is being sent to and from a socket. Apple has some sample code in the <code>tcplognke</code>[<a href="https://developer.apple.com/library/archive/samplecode/tcplognke/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003669">7</a>] that shows how to plug in and use this framework.
The other framework used for filtering on network events is the IP filter framework. This framework provides the ability to filter on IP packets in a method similar to how the socket filter works. There is a structure defined in <code>kpi_ipfilter.h, struct ipf_filter</code> that is filled out with the desired callbacks, much like the socket filter. More detailed information about how these filters work can be found by reading Apple's Network Kernel Extension guide[<a href="https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html#//apple_ref/doc/uid/TP40001858-CH225-SW1">8</a>]. These filters will later be compared and contrasted with Apple's Network Extension framework — new with macOS 10.15 — in order to understand what has changed, what's been improved, and what has been taken away.
<h2>Wrapping up</h2>While KAuth, MACF, and IP/Socket filters all provide lots of information for introspecting into filesystem, network, and process events, there are times where not enough information is provided to developers regarding these events. In the next post of this series, we'll learn how to further enrich the information about certain events by diving deeper into the inner workings of XNU.
<h2>Appendix</h2>
[0] <a href="https://www.synack.com/blog/monitoring-process-creation-via-the-kernel-part-i/">https://www.synack.com/blog/monitoring-process-creation-via-the-kernel-part-i/</a>
[1] <a href="https://www.apriorit.com/dev-blog/411-mac-os-x-kauth-listeners">https://www.apriorit.com/dev-blog/411-mac-os-x-kauth-listeners</a>
[2] <a href="https://reverse.put.as/2014/10/03/can-i-suid-a-trustedbsd-policy-module-to-control-suid-binaries-execution/">https://reverse.put.as/2014/10/03/can-i-suid-a-trustedbsd-policy-module-to-control-suid-binaries-execution/</a>
[3] <a href="https://developer.apple.com/library/archive/technotes/tn2127/_index.html">https://developer.apple.com/library/archive/technotes/tn2127/_index.html</a>
[4] <a href="https://developer.apple.com/library/archive/technotes/tn2459/_index.html">https://developer.apple.com/library/archive/technotes/tn2459/_index.html</a>
[5] <a href="https://developer.apple.com/library/archive/samplecode/KauthORama/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003633">https://developer.apple.com/library/archive/samplecode/KauthORama/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003633</a>
[6] <a href="https://github.com/apple/darwin-xnu/blob/xnu-4903.221.2/security/mac_policy.h">https://github.com/apple/darwin-xnu/blob/xnu-4903.221.2/security/mac_policy.h</a>
[7] <a href="https://developer.apple.com/library/archive/samplecode/tcplognke/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003669">https://developer.apple.com/library/archive/samplecode/tcplognke/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003669</a>
[8]<a href="https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html#//apple_ref/doc/uid/TP40001858-CH225-SW1">https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html#//apple_ref/doc/uid/TP40001858-CH225-SW1</a>

Mac system extensions for threat detection: Part 1

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

Will Yu

Надсилаючи цю форму ви погоджуєтеся з <a href="/legal/terms-of-use">Умовами надання послуг Elastic</a>. Ваші особисті дані будуть опрацьовані відповідно з <a href="/legal/privacy-statement">Положеннями про конфіденційність Elastic</a>.

Newsletter GDPR Text - Ukrainian

By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Communication Preferences - ONLY for /communication-preferences

By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.

Cloud Trial GDPR Text

Intentionally Blank

By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Serverless GDPR Text

提交即表示您確認已詳閱並同意我們的<a href="/legal/elastic-cloud-account-terms" target="_blank">服務條款</a>，且同意 Elastic 使用您在上方提供的個人資料<a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">與您聯絡</a>，為您提供相關產品和服務的資訊。如需詳細說明或隨時想停止收到產品和服務資訊，請參閱 <a href="/legal/privacy-statement/" target="_blank">Elastic 的隱私聲明</a>。

Newsletter GDPR Text - TW

By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.By submitting this form, I agree to Elastic sharing my contact information with Google Cloud. I also agree to Elastic giving my information to the vendor for the purpose of shipping my food package.

GDPR Text + Google Cloud

Inviando la registrazione (1) esprimi il consenso ai <a href="/legal/terms-of-use">termini e condizioni di Elastic</a> e <a href="/legal/privacy-statement">all’informativa sulla privacy</a>, nonché (2) a ricevere saltuarie e-mail.

Newsletter GDPR Text - Italian

By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Newsletter GDPR Text

Load more

Overview

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content.

You'll also receive an email with related content.

You'll also receive an email with related content

Speakers

Close

See more insights

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

Author

Articles by Will Yu

Elastic

Mac system extensions for threat detection: Part 3

Mac system extensions for threat detection: Part 2

Mac system extensions for threat detection: Part 1

Sign up for Elastic Cloud free trial