A look at OS X's user space mechanisms for endpoint behavioural monitoring solutions
Seriously Apple? First you took away our root access, now you’re taking away our kexts? What next, why don’t you just take away the esc key…
In OS X Catalina, Apple has introduced the Endpoint Security framework, with a clear warning to all developers: get out of the kernel. Kernel extensions are going to be deprecated and removed in the near-ish future.
Not many applications require kernel-level access, but security has gotten very used to living in kernel-land, which is why this is an annoying development for some folks.
But could it be that Apple are on to something? Anyone who has worked on enterprise endpoint security (on either side of the vendor/buyer divide) will have come across the dreaded “agent sprawl” issue, but beyond that there is the inherent inefficiency of every vendor needing its own kernel implementation, when those implementations may all do more or less the same thing. Are they really differentiated enough to represent a meaningful competitive advantage? It would seem Apple thinks not, so they are trying to take ownership of some of that work by providing, and mandating the use of, userspace frameworks.
In this talk, we’ll first peek under the hood of behavioural monitoring solutions (AV, AWL, host-based application firewalls, EDR, etc.), with an eye to understanding what OS support these solutions require and with particular emphasis on their kernel-side components. Effectively, we’ll be teasing out some design patterns that are useful for endpoint protection.
Next, we’ll see how similar aims can be achieved with the new and updated OS X userspace frameworks: Endpoint Security and NetworkExtension.