Apple deprecating macOS kernel extensions (KEXTs) is a great win for security

Discussion in 'other security issues & news' started by mood, Feb 8, 2020.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    23,592
    Apple deprecating macOS kernel extensions (KEXTs) is a great win for security
    Apple kernel extension APIs to be deprecated in macOS 10.15.4
    February 7, 2020
    https://www.zdnet.com/article/apple...extensions-kexts-is-a-great-win-for-security/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,392
    Location:
    The Netherlands
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,007
    Location:
    Member state of European Union
    It is similar to but different from PatchGuard. Apple makes hardware and software. On macOS you don't install drivers, because the OS already has them built in. The Windows ecosystem is completely different in that regard, and Microsoft must provide support to install 3rd-party drivers. These 3rd-party device drivers are executed in kernel space. PatchGuard just provides some mitigation against modifications of certain other parts of the kernel, but device drivers are still executed in kernel mode. A malicious driver may still change a lot of system memory addresses, and there are even ways to bypass PatchGuard.
    macOS will completely remove the ability to install anything in kernel mode created by a 3rd party. A very easy step, but also a very significant one.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,392
    Location:
    The Netherlands
    OK cool, didn't know about this. However, it sounds like so-called "kernel extensions" have the same capabilities that drivers on the Windows OS have. So I'm guessing that's why Apple wants to get rid of them. It will make it harder for malware to bypass security tools.

    Correct, but PatchGuard does interfere with most techniques being used by malicious drivers; they simply cannot modify the most important parts of the kernel. And all drivers must be signed, of course. At first I thought it was a dumb decision, but I later changed my mind; it was actually a good thing.
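A defender-side check in the spirit of posts 3 and 4 (an added example, not code from the thread or from Apple's tooling): a small shell script that reads kextstat-style output and lists the loaded kernel extensions whose bundle identifier lies outside Apple's com.apple.* namespace, i.e. exactly the third-party kernel-mode code the deprecation is aimed at. The sample output and the com.example.* bundle identifiers are constructed for this example; on a real Mac you would pipe `kextstat -l` into the function instead (on Big Sur and later, `kmutil showloaded` replaces kextstat and uses a different column layout, so the field positions below would need adjusting).

```shell
#!/bin/sh
# Added example: inventory third-party kernel extensions from kextstat output.
# Real-world use on a pre-Big Sur Mac:   kextstat -l | third_party_kexts
# Here a constructed sample is embedded so the script runs offline anywhere.

# Constructed kextstat-style output (header row plus four loaded kexts).
# The com.example.* bundle ids are hypothetical vendors, not real products.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1  154 0xffffff7f80a0e000 0x9000     0x9000     com.apple.kpi.bsd (19.3.0) <>
   23    0 0xffffff7f80f00000 0x7000     0x7000     com.apple.driver.AppleHPET (1.8) <12 7 5 4 3>
  151    0 0xffffff7f83c0e000 0x1b000    0x1b000    com.example.netfilter.driver (2.4.1) <5 4 3 1>
  152    1 0xffffff7f83d00000 0x5000     0x5000     com.example.antivirus.kext (11.0.3) <7 5 4 3 1>'

# Reads kextstat output on stdin and prints "bundle-id version" for every
# loaded kext whose bundle id is not in Apple's com.apple.* namespace.
# Field 6 is the bundle id and field 7 the parenthesised version in the
# classic kextstat layout; a header row (first field "Index") is skipped.
third_party_kexts() {
    awk '$1 == "Index" { next }
         NF >= 7 && $6 !~ /^com\.apple\./ {
             ver = $7
             gsub(/[()]/, "", ver)
             print $6, ver
         }'
}

# Convenience wrapper: number of third-party kexts currently loaded.
# A non-zero count on a fleet baseline of zero is the thing worth alerting on.
count_third_party_kexts() {
    third_party_kexts | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
printf 'third-party kexts loaded: %s\n' "$(printf '%s\n' "$SAMPLE_KEXTSTAT" | count_third_party_kexts)"
```

The filter keys on the bundle-identifier prefix rather than on the signer, so it is an inventory aid, not an integrity check: a third-party kext that is legitimately installed (a security product, say) shows up alongside one that should not be there, and the point of the list is to compare it against what the machine is expected to carry.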
     