September 11, 2024
Mac Security Evolution: From the 90s to Today
1. The 1990s – the golden era of viruses
The 1990s were a golden era for malware developers targeting personal computers like the original Mac. Back then, there was essentially no distinction between programs you might get from a friend with a floppy disk or download from the Internet and the operating system itself. Any malicious or infected program could damage or steal any file or infect any other program it could find.
2. Cheetah – Modern Kernel and UNIX Security Model
But in 2001, Apple introduced its new, modern operating system based on NeXT’s OS, and this marked the beginning of more than two decades of Apple increasingly hardening the Mac against damage caused by errant programs and malicious attackers. Mac OS X brought with it a robust, UNIX-based security design: code separated into kernel space and user space, user accounts, and the operating system’s files and programs owned by the root user. The UNIX security model protected those root-owned files from regular programs. With Mac OS X, regular programs could still modify the user’s files, but the OS blocked them from modifying the root-owned files, including other programs on the system. This stopped the primary way most viruses spread.
3. Panther – FileVault
With Panther, Apple added FileVault, which encrypted the hard disk. This meant that even if your Mac was stolen or you left your laptop in a taxi, your data was safe from prying eyes.
4. Snow Leopard – XProtect
While Mac OS X’s modern design stopped most viruses, users could still download malicious programs. With Snow Leopard, Apple added XProtect, a built-in antivirus system to detect and clean the small number of malware programs that existed for the Mac.
5. Snow Leopard, part 2 – Mac App Store
A few months after Snow Leopard first shipped, Apple introduced the Mac App Store, creating a place for users to download curated and trusted apps. Over the years, Apple added more security requirements to apps in the App Store, making it the safest place for users to download apps for their Mac.
6. Lion – Sandboxing
With Lion, Apple introduced sandboxing for apps. While the UNIX security model was a tremendous boon to Mac security, it still allowed any program the user ran to read or write any of the user’s own files. This meant a Trojan horse app, or an app with an exploitable vulnerability, could potentially steal or encrypt your data, as in a ransomware attack. But any app using Apple’s sandbox has to ask the user for access to each file or collection of files before it can open them, even if the UNIX security model would allow it. If the program tries to access a file the user did not grant it access to, the operating system blocks it. This largely stops the scourge of today’s threat landscape – ransomware. Apple encourages all developers to sandbox their apps, and Apple requires any app distributed through the App Store to be sandboxed.
7. Mountain Lion – Gatekeeper & Software Updates
With Mountain Lion, Apple introduced two critical security features: Gatekeeper and automatic software updates. With Gatekeeper, the user could set the security level a program must meet before it was allowed to run on their computer. Over the years, Apple has used Gatekeeper to drive security requirements for apps running on the Mac, making it harder for users to bypass those requirements and accidentally run malicious programs. With automatic software updates, Apple closed a major hole in its security – long-lived vulnerabilities. Ideally, developers ship bulletproof code, but in practice, code often has bugs, many of which can become security vulnerabilities. Before automatic software updates, these vulnerabilities, even after being discovered, could remain exploitable for months or years. Automatic software updates dramatically shrank that window of vulnerability.
8. El Capitan – SIP
With El Capitan, Apple took another dramatic step above and beyond the UNIX security model – it reduced the power of root. On UNIX systems, a program running with root privilege essentially has the power of god on the system, being able to do anything it wants, including changing any critical files. Attackers, once gaining a foothold on a system, usually try to “escalate to root” to achieve full control. In El Capitan, Apple introduced System Integrity Protection, or SIP, which walls off critical parts of the operating system from even root processes. Root processes can no longer modify these protected parts of the OS. On the Mac, root is no longer god. It’s just a minor deity.
9. Secure Enclave
With the MacBook Pro with Touch ID, Apple introduced the concept of the Secure Enclave, and has improved it many times since. The Secure Enclave is essentially its own little CPU and microkernel, providing services to the main CPU and operating system. It protects biometric information like fingerprint data for Touch ID, encryption keys for file encryption and secure boot, passwords, and even Apple Pay information. Even if an attacker acquires root privileges or compromises the kernel, they can’t access the sensitive information in the Secure Enclave.
10. Mojave – Scanning and Notarization
With Mojave, Apple introduced vulnerability scanning for programs and notarization of programs that pass. This added another layer of security by reducing the chance of a program containing malware or using unsafe APIs that can be exploited. All programs distributed through the App Store are scanned. Developers who want to distribute their apps outside the App Store can still get their apps scanned and receive a notarization certificate they can attach to their apps, showing they’ve passed Apple’s security scanning. Over the years, Apple has increasingly pushed developers to get their apps scanned and notarized before users install them.
11. Catalina – System Extensions
With Catalina, Apple began addressing a major security risk – kernel extensions. While, in theory, third-party programs should run in user space, for decades developers have created code that runs as part of the OS’s kernel. This code, known as kernel extensions, can introduce security vulnerabilities and potentially cause the OS to crash. We saw this in dramatic fashion in July 2024 when a bug in CrowdStrike’s Falcon kernel extension crashed millions of Windows computers, taking banks, airlines, government services, and many other organizations offline. With Catalina, Apple introduced its system extension architecture, allowing third-party developers to move the functionality of their kernel extensions into user space. Today, for example, CrowdStrike’s Falcon and Ennetix’s xTend sensors run as system extensions in user space. Should these programs encounter a bug, they can’t endanger the security and safety of the Mac OS.
12. Conclusions
Over the last 20-plus years, Apple has relentlessly and radically improved Mac security. Beginning with Cheetah, with a proper kernel and UNIX security model, Apple continued to advance, adding a built-in antivirus system, binary scanning and notarization, FileVault, sandboxing, Gatekeeper, automatic software updates, System Integrity Protection, Secure Enclave, and System Extensions.
Does this mean your Macs are now completely secure and you no longer need to monitor them for malicious activity? No, especially for enterprises. Software still has bugs, and bugs can quickly become exploits. Many software packages are still distributed outside the App Store and often aren’t sandboxed. Python and Bash scripts aren’t scanned and notarized. While difficult, users can still bypass Gatekeeper to allow any software to run on their systems. And never forget about your insiders—they are sometimes an enterprise’s biggest threats.
The Mac is more secure than it has ever been, so celebrate that! But for enterprises, never let your guard down.
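As an added example (not from the post or from Ennetix), here is a small Python posture check covering several of the controls described above: it parses the output of fdesetup, csrutil and spctl to flag a Mac whose FileVault, SIP or Gatekeeper setting has been turned off, and reads the notarization verdict spctl reports for an app. The command names and output wording are assumptions based on current macOS releases, and the sample outputs are constructed so the script also runs off a Mac.

```python
import platform
import re
import subprocess

# Each control the post describes, the macOS command that reports it, and a regex
# for the hardened state (command names and output wording are assumed here).
CHECKS = {
    "FileVault (Panther)": (["fdesetup", "status"], r"FileVault is On"),
    "SIP (El Capitan)": (["csrutil", "status"], r"status: enabled"),
    "Gatekeeper (Mountain Lion)": (["spctl", "--status"], r"assessments enabled"),
}

# Constructed sample output: a Mac where a user has switched Gatekeeper off.
SAMPLE_OUTPUT = {
    "FileVault (Panther)": "FileVault is On.\n",
    "SIP (El Capitan)": "System Integrity Protection status: enabled.\n",
    "Gatekeeper (Mountain Lion)": "assessments disabled\n",
}

# Constructed sample of `spctl -a -vv /Applications/Example.app` (written to stderr).
SAMPLE_SPCTL = ("/Applications/Example.app: accepted\n"
                "source=Notarized Developer ID\n"
                "origin=Developer ID Application: Example Corp (TEAMID0000)\n")

def evaluate(outputs):
    """Map each control to True (hardened) or False, given raw command output."""
    return {name: bool(re.search(pat, outputs.get(name, "")))
            for name, (_, pat) in CHECKS.items()}

def findings(outputs):
    """Names of controls that are not in their hardened state, in CHECKS order."""
    return [name for name, ok in evaluate(outputs).items() if not ok]

def notarization_source(spctl_text):
    """Return the `source=` verdict of an accepted spctl assessment (e.g.
    'Notarized Developer ID', 'App Store'), or None if rejected or unparseable."""
    if not re.search(r": accepted$", spctl_text, re.M):
        return None
    m = re.search(r"^source=(.+)$", spctl_text, re.M)
    return m.group(1).strip() if m else None

if __name__ == "__main__":
    outputs = SAMPLE_OUTPUT
    if platform.system() == "Darwin":  # on a real Mac, run the commands themselves
        outputs = {name: subprocess.run(cmd, capture_output=True, text=True).stdout
                   for name, (cmd, _) in CHECKS.items()}
    for name in findings(outputs):
        print(f"WARNING: {name} is not in its hardened state")
    print("Sample app verdict:", notarization_source(SAMPLE_SPCTL))
```

On a fleet, the same findings would be shipped to whatever monitoring the enterprise already runs, since the post's point is that these settings can be switched off and need to be watched.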