A look at OS X's user space mechanisms for endpoint behavioural monitoring solutions
Seriously Apple? First you took away our root access, now you’re taking away our kexts? What next, why don’t you just take away the esc key…
In OS X Catalina, Apple has introduced the Endpoint Security framework, with a clear warning to all developers: get out of the kernel. Kernel extensions are going to be deprecated and removed in the near-ish future.
Not many applications require kernel-level access, but security has gotten very used to living in kernel-land, which is why this is an annoying development for some folks.
But could it be that Apple are on to something? Anyone who has worked on enterprise endpoint security (on either side of the vendor/buyer divide) would have come across the dreaded “agent sprawl” issue, but besides that, there is the inherent inefficiency of everyone needing their own kernel implementations that may all do more or less the same thing. Are these implementations really sufficiently differentiated that they represent a meaningful competitive differentiator? It would seem Apple thinks not, so they are trying to take ownership of some of that work, by providing and mandating the use of userspace frameworks.
In this talk, we'll take a look at the new/updated OS X userspace frameworks, principally the Endpoint Security Framework, to understand how effective they can be as a base to build endpoint security capabilities like AV, AWL, etc. We'll also explore some of the broader implications around the provisioning and mandated use of such frameworks, in terms of the security of the platform, and the opportunities for users and developers.
Tirath is a Software Engineer with 6 years experience working on endpoint protection solutions. Prior to working in infosec he worked in areas like databases and scientific computing.