- Kernel Extensions Need Authorization Code At High#
- Kernel Extensions Need Authorization Drivers That Run#
Kernel Extensions Need Authorization Code At High
This is not a surprise: Apple has invested considerable effort into building out a trusted boot process rooted in hardware, but the security gains of trusted boot are limited if arbitrary code at high privilege levels can be loaded after the boot process is completed. In fact, limiting the scope of root access is exactly what Apple has tried to accomplish with System Integrity Protection (SIP) (also known as "rootless"). Our example leverages certificate-based mutual authentication followed by.Even root access doesn’t necessarily imply kernel access. The following example shows how to configure.
Kernel Extensions Need Authorization Drivers That Run
From Apple’s documentation, the Network Extensions API can be used to build "content filters, DNS proxies, and VPN clients." The Endpoint Security API can be used for "Endpoint Detection and Response software and antivirus software." DriverKit allows developers to write device drivers that run in userspace. Apple has used this ability to gradually phase out certain types of kernel extensions, and has replaced the functionality that they need to access with new APIs that can be accessed from outside the kernel.At the time of writing, Apple provides three APIs under the umbrella of the system extensions: Network Extensions, Endpoint Security, and DriverKit. Apple controls who receives these entitlements, allowing them to control which kernel extensions are able to load on macOS machines. Since macOS Yosemite (v10.10, released 2014), Apple has required that kernel extensions possess a particular entitlement (essentially a permission granted with a signature) to load. SIP protection is enforced by the kernel, but we’ve already seen that kernel extensions can modify kernel behavior, so how do we prevent a kernel extension from simply disabling SIP?Kernel extension code signing is one of the first tools Apple deployed to address this issue.
Old News: The Santa Kernel ExtensionThe Santa kernel extension is named santa-driver, and hooks into the Kauth KPI (kernel programming interface). File execution events), communicating with the Santa service santad for policy decisions, responding to those events with an allow or deny, caching those decisions, and invalidating cache entries. Its responsibilities are scoped to: listening to the proper events (i.e. Santa has the benefit of being an open-source project that sees wide industry use, making it an effective subject for a customer story of migration to the new Endpoint Security APIs.Both the kernel extension and system extension source are present in the Santa repository, and a well-designed abstraction layer within Santa allows us to compare how these two implementations provide the same functionality (allowing or denying executions) to the rest of the Santa codebase.Santa has minimal functionality located within the kernel extension (now system extension). Santa’s developers have recently migrated this component to use the new Endpoint Security APIs. There are different bits of management functionality in Santa that enable centralized rule management and synchronization, but the primary functionality of allowing or denying the execution of a binary was formerly only possible via a kernel extension.
0 kommentar(er)
