Guide for Apple IT: Threat Detection and Apple’s New EndpointSecurity Framework

Posted on February 6, 2020

In macOS 10.15 Catalina, Apple released new frameworks that have big implications for the future of macOS threat detection and the development of security solutions: the EndpointSecurity framework and the SystemExtension framework. Beyond expanding the safety and security of macOS, Apple is using these frameworks as userspace alternatives to KEXTs (Kernel Extensions). Moving forward, if a Kernel Extension feature has a System Extension equivalent, the Kernel Extension feature is considered deprecated and the developer should work to migrate those features to a System Extension. A list of deprecated Kernel Extension features is available in this Apple Developer support article.

In this guide, we’re going to take a look at what these releases mean for Mac security and development and explain how they work. Here’s a quick overview of what we’ll cover:

  • A Primer on macOS Threat Detection
  • What’s Apple EndpointSecurity Framework?
  • What are System Extensions?
  • System Extensions vs. KEXTs

A Primer on macOS Threat Detection

Apple has always been known for its innovative security solutions. From building security capabilities into the silicon of their device hardware to designing deep system and app security processes that offer maximum protection without interfering with usability, every new release of macOS is a step toward safer and more stable devices.

Back in macOS 10.7.3, Apple released Gatekeeper, a program that requires downloaded software to be signed by Apple before it can be run. Apple also uses XProtect (also referred to as File Quarantine or Known Malware Detection in their documentation) as a signature-based system linked to Gatekeeper. It checks the signatures of suspicious files against records of known malware to make sure only safe files are opened on your device.

Catalina continues this trend, releasing more security features that have big implications for macOS threat detection. One key capability for effective threat detection and security tools is a process and file monitor, which watches various system and file events for anomalous or malicious activity, such as trojan applications that trick users into activating adware, malicious websites, or documents that install dangerous programs once opened.

Creating a comprehensive process and file monitor on previous releases of macOS has been difficult. The best method was to use KEXTs to receive data about events in real-time or attempt to block malicious behaviors before they were carried out. However, starting with macOS 10.15 Catalina, Apple is offering new frameworks to give developers more visibility into process, network, and file system events.

Enter: the EndpointSecurity and SystemExtension frameworks, two promising new releases on top of which future endpoint security programs will be built. In the rest of this guide, we’ll break down what these are and what implications they have for the future of macOS threat detection.

 

What’s the Apple EndpointSecurity Framework?

As we mentioned earlier, developing endpoint security programs for macOS has been tricky in the past – but with the announcement of Apple’s EndpointSecurity framework, all of this changes.

Essentially, Apple’s EndpointSecurity framework is a new API that monitors system events for malicious activity. As Apple describes in their support documentation:

“Endpoint security clients, including Endpoint Detection and Response software and antivirus software, can now leverage the new EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity.”

In this way, the Apple EndpointSecurity framework lets registered clients receive notification of events that have already occurred and authorize events that are still pending. This pertains to events such as process executions, forking processes, signal raising, mounting file systems, and more.

The framework will also let new and existing security software developers reinvent their existing macOS security agents, which can be easily installed and approved by an MDM solution.

 

What are System Extensions?

Like KEXTs, System Extensions extend the functionality of the operating system. However, unlike KEXTs, System Extensions run in userspace, outside of the kernel thus free from many of the restrictions developers had to face while coding in the kernel, many of which we’ll discuss in the next section. This significant departure from KEXT development opens up advanced macOS threat detection capabilities.

At WWDC (Worldwide Developers Conference) 2019, Apple announced three types of System Extensions:

  1. Network Extensions which are intended to replace Network Kernel Extensions, including the capability to filter traffic, reroute traffic, and connect to VPNs.
  2. Endpoint Security Extensions which replace KEXTs that monitor security events with the kauth interface. Endpoint Security Extensions are intended to be used for security apps such as endpoint detection and response, anti-virus, or data loss prevention apps.
  3. Driver Extensions which replace device driver KEXTs that use IOKit. Driver Extensions let you control USB, Serial, Network Interface Controllers (NIC), and Human Interface Devices (HID).

You probably noticed that each of these System Extensions replace KEXTs with similar capabilities. This is part of an effort by Apple to phase out KEXTs to create a more stable and secure environment for macOS – which System Extensions can achieve. Currently, KEXTs are still needed for some operations, but System Extensions should be used in place of KEXTs whenever possible.

In order to explain why, let’s take a look at some of the shortcomings of KEXTs and how System Extensions solve them.

The Problem with KEXTs

KEXTs have been a hallmark of Mac since the beginning. Essentially, KEXTs are bundles of code that let developers extend the capabilities of the kernel. Because the kernel is in charge of everything on the system, and because all KEXTs are given kernel privileges, these extensions are very powerful.

But their power is also their problem. Since actions taken within the kernel are prioritized over everything else in the system, developing and debugging apps in the kernel leaves no room for error. If a program isn’t perfect, it can halt all of the system’s processes, if not cause it to crash. Developers are also limited to using a single framework and can only write code using the C or C++ languages while creating KEXTs.

The power of KEXTs also leads to some security concerns. Since one of the most important jobs for the kernel is to define and enforce the system’s security policy, and KEXTs operate within it, they’re effectively “above the law.” That means if a KEXT has a bug that makes it vulnerable to being compromised, then the entire system is at risk – and there’s no security rule that can restrain it.

To rectify these problems, Apple introduced System Extensions. Let’s take a look at how they compare to KEXTs, and why they’re such a big step forward for macOS threat detection.

KEXTs vs. System Extensions

One of the biggest differences between System Extensions and KEXTs is that System Extensions run in userspace rather than in the kernel. This means developers can code and debug outside of the restrictions of the kernel, so their apps don’t have to be essentially bug-free at risk of causing kernel panic, crashing the entire machine, or making its functionality slow and unpredictable. With System Extensions, the days of worrying about dynamic memory allocation, synchronization, and latency are over.

System Extensions also give developers more freedom over what frameworks and programming languages they use. While KEXTs only supported one and required all code to be written in C or C++, System Extensions lets developers use any framework in the macOS SDK and accept any programming language.

However, there is one exception: because of their close relationship to hardware, driver extensions still must be written in C or C++ and have to use the DriverKit framework in tailored runtime.

As you’ll see in the next section, one of the most significant benefits of using System Extensions involves its security capabilities.

 

How System Extensions Increase Security

We already mentioned that KEXTs are “above the law” since they function within the kernel. Because of this, vulnerabilities within the KEXT can leave the entire system at risk – with no restraint. This underpins the most significant security and stability issue with KEXTs: their power means that small errors or gaps in development leave the entire system vulnerable to being compromised and controlled.

System Extensions change this. Rather than running in the kernel with complete control over the entire system, these extensions run in userspace, just like an app. That means System Extensions are answerable to the system’s security policies rather than above them. However, this doesn’t mean that System Extensions can only perform functions that apps can. System Extensions are granted certain permissions to perform advanced functions, such as having direct access with associated hardware devices or using APIs to talk to the kernel.

This separation between the kernel and the System Extension means that a buggy extension won’t crash the whole system, leave it vulnerable to compromise, or make it unstable. In other words, the consequences of the extension are isolated to the app – even if it crashes, everything else on the system will continue running, unaffected.

Beyond making development easier, this is a significant step forward in making macOS safer. Taken in conjunction with the Apple EndpointSecurity Framework, developers gain advanced security capabilities to monitor and authorize system events, detect and deter malicious activity, and develop extensions in userspace that communicate with the kernel – without leaving the system vulnerable or unstable.

 

Apple’s new EndpointSecurity Framework and System Extensions have a lot of promise, and here at Kandji, we’re looking forward to the new opportunities it opens up for MDM (mobile device management) solutions. As the only MDM with a pre-built library of security controls and the industry’s first one-click compliance framework, we take security seriously and look forward to developing modern features that make the most out of the latest evolutions in the world of macOS threat detection and security development.

Request access to Kandji today.