The 1990s - the golden era of viruses
The 1990s were a golden era for malware developers targeting personal computers like the original Mac.
Back then, there was essentially no distinction between the operating system itself and programs you might get from a friend on a floppy disk or download from the Internet.
Any malicious or infected program could damage or steal any file or infect any other program it could find.
Cheetah - Modern Kernel and UNIX Security Model
But in 2001, Apple introduced its new, modern operating system, based on NeXTSTEP, and this marked the beginning of more than two decades of Apple increasingly hardening the Mac against damage caused by errant programs and malicious attackers.
Mac OS X brought with it a robust, UNIX-based security design with code separated into kernel space and user space, user accounts, and the operating system’s files and programs owned by the root user.
The UNIX security model protected those root-owned files from regular programs.
With Mac OS X, regular programs could still modify the user’s files, but the OS blocked them from modifying the root-owned files, including other programs on the system.
This stopped the primary way most viruses spread.
Panther - FileVault
With Panther, Apple added FileVault, which encrypted the hard disk.
This meant that even if your Mac was stolen or you left your laptop in a taxi, your data was safe from prying eyes.
Snow Leopard - XProtect
While Mac OS X’s modern design stopped most viruses, users could still download malicious programs.
With Snow Leopard, Apple added XProtect, a built-in antivirus system to detect and clean the small number of malware programs that existed for the Mac.
Snow Leopard, part 2 - Mac App Store
A few months after Snow Leopard first shipped, Apple introduced the Mac App Store, creating a place for users to download curated and trusted apps.
Over the years, Apple added more security requirements to apps in the App Store, making it the safest place for users to download apps for their Mac.
Lion - Sandboxing
With Lion, Apple introduced sandboxing for apps.
While the UNIX security model was a tremendous boon to Mac security, it still allows any program the user runs to read or write to any of the user’s own files.
This means a Trojan horse app, or an app with a vulnerability that can be exploited, can potentially steal or encrypt your data as in a ransomware attack.
But any app using Apple’s sandbox has to ask the user to access each file or collection of files before the program can open it, even if the UNIX security model would allow it.
If the program tries to access a file the user did not grant it access to, the operating system blocks it.
This largely stops the scourge of today’s threat landscape - ransomware.
Apple encourages all developers to sandbox their apps, and Apple requires any app distributed through the App Store to be sandboxed.
Mountain Lion - Gatekeeper & Software Updates
With Mountain Lion, Apple introduced two critical security features: Gatekeeper and automatic software updates.
With Gatekeeper, the user sets the security level a program must meet before it is allowed to run on their computer.
Over the years, Apple has used Gatekeeper to drive security requirements for apps running on the Mac, while at the same time making it harder for users to bypass those requirements and accidentally run malicious programs.
With automatic software updates, Apple closed a major hole in its security - long-lived vulnerabilities.
Ideally, developers ship bulletproof code, but in practice, code often has bugs, many of which can become security vulnerabilities.
Before automatic software updates, these vulnerabilities, even after being discovered, could remain available for months or years.
Automatic software updates dramatically shrank that window of vulnerability.
El Capitan - SIP
With El Capitan, Apple took another dramatic step above and beyond the UNIX security model - it reduced the power of root.
On UNIX systems, a program running with root privilege essentially has the power of god on the system, being able to do anything it wants, including changing any critical files.
Attackers, once gaining a foothold on a system, usually try to “escalate to root” to achieve full control of the system.
In El Capitan, Apple introduced System Integrity Protection, or SIP, which walls off critical parts of the operating system from even root processes.
Root processes can no longer modify these protected parts of the OS.
On the Mac, root is no longer god. It is just a minor deity.
Secure Enclave
With the MacBook Pro with Touch ID, Apple introduced the concept of the Secure Enclave, and has improved it many times since.
The Secure Enclave is essentially its own little CPU and microkernel, providing services to the main CPU and operating system.
It protects biometric information like fingerprint data for Touch ID, encryption keys for file encryption and secure boot, passwords, and even Apple Pay information.
Even if an attacker acquires root privileges or compromises the kernel, they can’t access the sensitive information in the Secure Enclave.
Mojave - Scanning and Notarization
With Mojave, Apple introduced vulnerability scanning for programs and notarization of the programs that pass.
This added another layer of security by reducing the chance of a program having malware or using unsafe APIs that can be exploited.
All programs distributed through the App Store are scanned.
Developers who want to distribute their apps outside the App Store can still get their apps scanned and receive a notarization certificate they can attach to their apps, showing they’ve passed Apple’s security scan.
Over the years, Apple has increasingly pushed developers to get their apps scanned and notarized before users install them.
Catalina - System Extensions
With Catalina, Apple began addressing a major security risk - kernel extensions.
While, in theory, third-party developer programs should run in user space, for decades developers have created code that runs as part of the operating system’s kernel.
This code, known as kernel extensions, can introduce security vulnerabilities and potentially cause the OS to crash.
We saw this in dramatic fashion in July 2024 when a bug in CrowdStrike’s Falcon kernel extension crashed millions of Windows computers, taking banks, airlines, government services, and many other organizations offline.
With Catalina, Apple introduced their system extension architecture, allowing third-party developers to move the functionality of their kernel extensions into user space.
Today, for example, CrowdStrike’s Falcon and Ennetix’s xTend sensors for the Mac run as system extensions in user space. Should these programs crash, they can’t endanger the security and safety of the Mac operating system.
Conclusions
Over the last 20-plus years, Apple has relentlessly and radically improved the Mac’s security.
Beginning with Cheetah's proper kernel and UNIX security model, Apple kept improving the Mac's security, adding a built-in antivirus system, binary scanning and notarization, FileVault, sandboxing, Gatekeeper, automatic software updates, System Integrity Protection, the Secure Enclave, and System Extensions.
Does this mean your Macs are now completely secure and you no longer need to monitor them for malicious activity?
No, especially for enterprises.
Software still has bugs, and bugs can be exploited.
Many software packages are still distributed outside the App Store and often aren’t sandboxed.
Python and shell scripts aren’t scanned and notarized.
While difficult, users can still bypass Gatekeeper to allow any software to run on their systems.
And never forget about your insiders—they are sometimes an enterprise’s biggest threats.
The Mac is more secure than it has ever been, so celebrate that!
But for enterprises, never let your guard down.
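The conclusion's point is that the protections listed above are only worth something if they are actually on, so an enterprise still has to check. The following is an added example, not code from the original post or from Ennetix: a read-only Python posture check that queries the features this post describes (SIP, Gatekeeper, FileVault, the Gatekeeper verdict and sandbox entitlement of one app bundle, and loaded kernel and system extensions) through Apple's own command-line tools and parses their text output. The output formats noted in the comments are assumptions based on recent macOS releases, `--xml` for codesign is a macOS 12-or-later flag, and the sample outputs used to test the parsers are constructed.

```python
"""
Read-only macOS security posture check (added example; not code from the
original post or from Ennetix). It runs Apple's own CLIs and parses their
text output. Parsers are pure functions so they can be tested offline
against constructed output; on a non-Mac host every tool is missing and
every check simply reports False/empty.
"""
import json
import re
import shutil
import subprocess
import sys


def run(cmd):
    """Run a command and return stdout+stderr, or "" if the tool is absent."""
    if shutil.which(cmd[0]) is None:
        return ""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


# ---- Parsers over command output (formats assumed from recent macOS) --------

def sip_enabled(csrutil_output):
    """`csrutil status` -> 'System Integrity Protection status: enabled.'"""
    m = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_output)
    return bool(m) and m.group(1).lower() == "enabled"


def gatekeeper_enabled(spctl_status_output):
    """`spctl --status` -> 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in spctl_status_output


def filevault_on(fdesetup_output):
    """`fdesetup status` -> 'FileVault is On.' or 'FileVault is Off.'"""
    return bool(re.search(r"FileVault is On\b", fdesetup_output))


def gatekeeper_verdict(spctl_assess_output):
    """`spctl -a -vv -t execute App.app` -> '<path>: accepted|rejected' plus a
    'source=' line naming the rule that matched (e.g. 'Notarized Developer ID',
    'Mac App Store', or 'no usable signature')."""
    accepted = bool(re.search(r": accepted\b", spctl_assess_output))
    m = re.search(r"source=([^\n]+)", spctl_assess_output)
    source = m.group(1).strip() if m else ""
    return {"accepted": accepted, "source": source,
            "notarized": "Notarized" in source,
            "app_store": source == "Mac App Store"}


def sandboxed(entitlements_output):
    """`codesign -d --entitlements - --xml App.app` prints an XML plist (on
    macOS before 12, drop --xml and use ':-', which prints the bracketed form
    handled below). True when com.apple.security.app-sandbox is set to true."""
    pattern = (r"com\.apple\.security\.app-sandbox(?:</key>)?\s*"
               r"(?:<true/>|\[Value\]\s*\[Bool\]\s*true)")
    return bool(re.search(pattern, entitlements_output))


def third_party_kexts(kext_listing):
    """`kmutil showloaded` (or `kextstat` on older macOS) lists each loaded
    kernel extension as 'bundle.id (version)'; return those not from Apple."""
    ids = re.findall(r"((?:[A-Za-z0-9_-]+\.)+[A-Za-z0-9_-]+)\s+\(", kext_listing)
    return sorted({k for k in ids if not k.startswith("com.apple.")})


def active_system_extensions(sysext_listing):
    """`systemextensionsctl list` prints one row per extension: 'enabled' and
    'active' columns marked '*', then teamID, then 'bundleID (version)'.
    Return the bundle IDs that are both enabled and active."""
    rows = re.findall(r"^\*\s+\*\s+\S+\s+(\S+)\s+\(", sysext_listing, re.M)
    return sorted(set(rows))


def posture_report(app_path=None):
    """Collect the live checks into one dict; optionally assess one app bundle."""
    report = {
        "sip_enabled": sip_enabled(run(["csrutil", "status"])),
        "gatekeeper_enabled": gatekeeper_enabled(run(["spctl", "--status"])),
        "filevault_on": filevault_on(run(["fdesetup", "status"])),
        "third_party_kexts": third_party_kexts(run(["kmutil", "showloaded"])),
        "system_extensions": active_system_extensions(
            run(["systemextensionsctl", "list"])),
    }
    if app_path:
        report["app"] = gatekeeper_verdict(
            run(["spctl", "-a", "-vv", "-t", "execute", app_path]))
        report["app_sandboxed"] = sandboxed(
            run(["codesign", "-d", "--entitlements", "-", "--xml", app_path]))
    return report


if __name__ == "__main__":
    # Usage: python3 posture.py [/Applications/Some.app]
    print(json.dumps(posture_report(sys.argv[1] if len(sys.argv) > 1 else None),
                     indent=2))
```

Run it with no arguments for the machine-wide checks, or pass an app bundle path to see whether Gatekeeper accepts it, which rule it matched (notarized, App Store, or unsigned), and whether it opted into the sandbox. Non-Apple entries in `third_party_kexts` are the kernel-resident code the Catalina section describes, while `system_extensions` lists the user-space replacements; an unexpected entry in either list, or any of the three booleans being False, is the kind of drift a fleet monitor should flag.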
Note 1: This post was originally planned for release on 2024-08-12, but because of active discussions, I’ve released it a day early.
Note 2 (2024-08-12): Ennetix xTend for the Mac, which leverages Apple’s system extension architecture, is available through Apple’s App Store. Ennetix Endpoint system extension, which feeds data to Ennetix xTend, is available from Ennetix’s web site (see Section 2.1 here). Both applications are free, and neither collects information about users.
Note 3 (2024-08-12): Full disclosure: I wrote Ennetix xTend for the Mac, so I may be biased towards it. Here are previous blog posts covering xTend: