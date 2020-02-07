Image: Bundo Kim

At the WWDC conference last year, Apple announced plans to deprecate macOS “kernel extensions” (KEXTs) and replace them with a new mechanism called “system extensions.”

The first step towards this announcement was made with the release of macOS Catalina (10.15.0) in September 2019, when system extensions were introduced in addition to kernel extensions.

The final step of Apple’s plan will take effect in the coming weeks, with the upcoming release of macOS Catalina 10.15.4.

According to Apple, starting with macOS 10.15.4, loading a kernel extension will show the user a notification that the software uses a deprecated API and ask the user to contact the developer for alternatives.

What is the difference between the two?

Both kernel extensions and system extensions serve the same purpose: they let users install apps that extend the native capabilities of the macOS operating system.

Apps install kernel or system extensions so they can perform operations for which macOS has no native functionality.

Mac antivirus software, firewalls, VPN clients, DNS proxies, USB drivers and others all use kernel extensions.

The difference between the two extension mechanisms is that the older kernel extensions run their code at the macOS kernel level, while the newer system extensions run in a more tightly controlled user space.
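To see which loaded extensions on a given Mac still run in the kernel, here is an added shell example (not from the article or from Apple) that filters kextstat output down to non-Apple kernel extensions; the sample output it carries is constructed, and the com.example bundle IDs are placeholders.

```shell
#!/bin/sh
# Added example: list loaded third-party KEXTs from kextstat-style output.
# Assumes the standard kextstat column layout:
#   Index Refs Address Size Wired Name (Version) UUID <Linked Against>
# Constructed sample output (not a real capture) used when kextstat is absent.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  103 0xffffff7f82a2d000 0x9e30     0x9e30     com.apple.kpi.bsd (19.2.0) 11111111-2222-3333-4444-555555555555
   25    0 0xffffff7f83000000 0x1a000    0x1a000    com.example.vpnclient (2.3.1) 66666666-7777-8888-9999-000000000000 <8 6 5 3 1>
   26    1 0xffffff7f83100000 0x4000     0x4000     com.example.antivirus.kext (5.0.2) aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee <25 8 6 5 3 1>'

# third_party_kexts: print "bundle-id version" for every non-Apple kext.
# Reads kextstat output from stdin; the numeric-index test skips any header
# line, so output from "kextstat" and "kextstat -l" both work.
third_party_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ {
        ver = $7; gsub(/[()]/, "", ver)
        print $6, ver
    }'
}

# count_third_party_kexts: number of non-Apple kexts in the input on stdin.
count_third_party_kexts() {
    third_party_kexts | wc -l | tr -d ' '
}

# live_third_party_kexts: query the running system when kextstat exists
# (macOS), otherwise fall back to the constructed sample.
live_third_party_kexts() {
    if command -v kextstat >/dev/null 2>&1; then
        kextstat | third_party_kexts
    else
        printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
    fi
}
```

On a Catalina machine, `live_third_party_kexts` lists exactly the bundles that the 10.15.4 notice will apply to.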

Great move for security

“From Apple’s point of view, this is an important step on the road to improving macOS security,” Patrick Wardle, lead investigator at Jamf and a well-known macOS security expert, told ZDNet this week.

“Third-party core extensions are a juicy attack vector for attackers focused on macOS,” he added. “Especially if, as an attacker, you can exploit a kernel extension or load your own extension (assuming it is signed).”

And attacks with KEXTs have happened in the past (1, 2, 3).

“It’s really game over for macOS,” Wardle said. “Many security mechanisms have been implemented / enforced in the kernel.”

Wardle says that such an attack does not work with system extensions because they are running in user mode.

“Because they don’t run in the kernel, an exploit no longer gives you access to kernel mode, as it did with a KEXT exploit,” Wardle said.

“So Apple actually wants to kick everyone (from the kernel), largely for security reasons.”

Potential disadvantages

However, Wardle says that this move also has downsides.

The first is that by kicking app developers out of the kernel, Apple is also gaining much more control over macOS, similar to the control they have over iOS.

Until now, macOS has been a haven for developers and its users. If macOS didn’t have a specific function, developers could just create an app and use a kernel extension to add the functions they needed.

The second disadvantage is that many security tools have relied heavily on, and are built around, the full access to a user’s Mac that kernel extensions provide. One could argue that Apple’s move toward system extensions could neuter such security products, costing them part of their ability to detect and stop malware.

However, Wardle, who is the author of many free macOS security tools, says that Apple “offers some great user-mode frameworks that give third-party security tools the capabilities they need”, so it seems that Apple is not simply sawing off the branch it is sitting on.

But for the time being it is unclear whether system extensions offer the same versatility and coding freedom as kernel extensions. This remains to be seen – and a topic for another article – because macOS developers will need more time to gradually migrate to system extensions.

However, Wardle points out that the move is generally good for macOS security, regardless of other possible reasons for Apple’s move.