SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

An Overview of the Mac’s Most Important Built-in Security Features

Posted on December 1, 2017

For this week’s show, we’re back to talking about the Mac — more specifically, addressing some of the most important security features baked directly into macOS. What steps has Apple taken to keep users safe, and what tools are there to make sure we’re all enjoying our Macs safely and securely? Perhaps you know someone who is about to get a new Mac, or maybe you’re even the one giving it as a gift for the holidays! Being able to learn about staying safe on a new machine is important. Just as important, though, is that you understand these security features too. So, whether it’s your curiosity or someone else that’s focused on the security of macOS, we’re here to help you become more familiar with them.

Today, we’ll be hitting several topics in rapid succession, so buckle up — our topics include:

  • Understanding Gatekeeper
  • What is System Integrity Protection?
  • The importance of XProtect
  • Sandboxing: how it works
  • Firewalls: what do they do?
  • Secure Kernel Extension Loading explained

Understanding Gatekeeper

Let’s start with one of the most important security features of macOS: Gatekeeper. There’s a lot of bad software out there in the world and a lot of malicious programmers who want to trick users into running something they shouldn’t. Finding ways to stop that from happening, and keeping users from running untrustworthy software as much as possible, has been a goal in operating system design for some time. Starting in OS X Lion version 10.7.5, Apple introduced the concept of the “Gatekeeper,” a digital guardian that essentially acts like a bouncer checking a guest list. If the software isn’t on the list, you might not be able to run it.

How does it work? In essence, Gatekeeper is a piece of technology in macOS that enforces Apple’s digital code-signing procedures. For more information on what “signing” is and why it’s important, we covered that in some detail recently on our Oct 28th Episode (verify that’s the one you mean) . Generally speaking, though, it boils down to this: Apple charges developers $99 for a license, which in turn allows developers to create a digital signature for their app that says “Hey, I made this software and it is legitimate.” Gatekeeper focuses on this signature, which can only match to the software that’s published by Apple or the developer.

If the software signature is what Gatekeeper expects, it usually allows the software to run. If something is different — for example, if a hacker tampers with a download server and uploads a poisoned version of an installer — Gatekeeper will detect that something is wrong and alert the user. However, it’s important to note that a signed app doesn’t mean it’s 100% safe, without security flaws or bugs — it just means that for all Apple knows, it is the same software that the developer says they published. It doesn’t mean that some other part of the software couldn’t be exploited. Overall, though, having Gatekeeper in place drastically reduces the likelihood that you’ll run a malicious app. That said, if an app with a revoked certificate is already on your machine, it can continue to run.

Gatekeeper isn’t a totally silent part of the system, though most times a signed app won’t trigger an alert when you open one. Instead, you’ll often see warnings for files downloaded from the Internet, as Gatekeeper places a quarantine flag on these files. This flag triggers a warning upon execution that details the file, its signature, and where and when you downloaded it. You can then review the facts about the software before you run it.

One important note: sometimes apps download files on their own, such as an automatic update or additional content. These files do not receive the same quarantine flags unless the app downloading them supports the feature. Some third-party software cannot set these flags, so Gatekeeper can’t do anything about them. That’s why you need to stay on top of your other security precautions. Gatekeeper is an excellent first line of defense and an effective way to detect clear and obvious threats. It’s just one component of the system, though, and there’s plenty more going on under the hood to keep you safe.

What is System Integrity Protection?

Let’s look at another line of defense Apple has introduced into macOS in recent years, this time one that you probably never even noticed existed. How many times have you heard stories, in the news or from friends, about computers that were “bricked” by malware altering or erasing core system files? With the recent outbreak of the NotPetya wiper/ransomware combo, we saw this in action as the malware altered the boot files for computers and rendered them inoperable. A key goal for many malware authors is to gain access to the files that the system uses for all kinds of important operations. From there, it’s often a hop, skip, and a jump to total control or arbitrary code execution.

Users who only have one account on their Mac, especially if it has root or administrator privileges, poses a special danger. If malware can hijack these user credentials, you’re going to be in a world of trouble. In the past, it was even worse; once you typed in your Mac’s username and password to allow a program to run, it gained root-level access to the machine. In other words, it was perilously easy for software to tamper with the system and cause potential problems, or even expose users to security problems.

Enter System Integrity Protection, a feature introduced in the El Capitan release in 2015. At its core, SIP uses a design meant to prevent programs from maliciously tampering with core system files. Not only does it protect these files very carefully, but it also places some real restrictions on the root user — previously the only way you could have “all powerful” access to the machine. Remember, the root user typically has permission to alter or change the system in any way. With the introduction of System Integrity Protection, that ability became constrained to a certain degree.

The primary areas protected by SIP include folders and drive destinations such as /System, /bin, /user, and /sbin, as well as any apps that come preinstalled on your Mac. Even if you have root access yourself, you won’t be able to tamper with the files found in these destinations. For some power users and especially for developers, that’s sometimes a problem — obviously, it sounds like you might not be able to access root at all. That’s the way it is on iOS, for example, and it’s a part of why jailbreaking became so popular. However, it is possible to disable System Integrity Protection.

For most users, we don’t recommend this. SIP comes enabled by default, and unless you’re running into an issue where software simply won’t work with SIP enabled, you should leave it that way. In fact, if software cannot run without SIP, it’s often worth asking: Do I really need it after all? Maybe yes, maybe no, but it’s a good sign that you should dig a little deeper and see why it needs those permissions. Keep your system strong and secure by allowing this technology to protect you in the background.

The importance of XProtect

Protecting important system files from alteration and damage is an important step, but it’s just one part of the larger efforts Apple makes to protect our Macs. Did you know that macOS has a type of anti-malware software built into its features? You might not know it by name, but you’ve probably seen it in action any time you’ve downloaded something from the web. Called XProtect, it works in many ways much like Gatekeeper. It can pop up a message with some valuable information about a file, such as the time, date, and download method. Right away, you can review this data to see if it matches what you expect. XProtect does more than that, though.

Originally introduced to OS X Snow Leopard in 2009 as a part of the File Quarantine software, XProtect’s job is to stop a subset of malicious programs from running on Macs. It’s similar to a typical antivirus product in that it uses “definitions” to determine the difference between legitimate software and malware. Anytime you run something downloaded from the web, XProtect checks the software against its library of known malware modules and apps. If it detects something that shouldn’t be on your machine, the message you see has more information than just the time and date of the download. XProtect will warn you that the program could be malicious and might damage your machine. If you see this message, you should know it’s time to turn back!

Overall, XProtect offers a quick and easy way for Apple to warn users and stop malware from running. XProtect might have something added to its list as a result of numerous complaints Apple hears at the Genius Bar, for example. In the past, they’ve primarily used it to combat adware, which continues to be a growing problem on the Mac. It’s a convenient way for Apple to blacklist sudden or severe threats, but XProtect has a few drawbacks, too. It’s a useful tool, but it can’t be something you can rely on solely for all your security needs.

What are the cons? Number one: XProtect can’t proactively remove infections. If you’ve already run something malicious by mistake, XProtect can’t help you by removing the infection as a regular antivirus program can. It also does not provide around the clock protection — it only kicks in when you might be running something downloaded from the web. To top it off, Apple’s definitions list for XProtect is rather small and updated somewhat infrequently. While it’s worth having around, it also means you need to turn to more full-featured antivirus and anti-malware solutions to be safer.

Sandboxing: how it works

We’re not done, though! There is still more built into the operating system to keep users from encountering malicious software. Again, while a solid AV software with the ability to monitor your system will always provide the most robust protection, Apple makes multiple efforts to protect users as much as possible. Another important way they do this is through “sandboxing.” The App Sandbox is a type of access control program in macOS that functions in the kernel, meaning it’s a very basic part of the operating system and not something which apps can easily escape.

A “sandbox” isn’t unique to Macs. In fact, it’s a common technique in the security sector on all platforms, and in many other applications, too. It’s simply a way for Apple to mitigate any potential damage from a compromised application. Instead of running wild and causing damage, it’s stuck inside the sandbox with virtual walls around it to keep it from escaping into the wider parts of your Mac. You can’t kick sand out of the sandbox, in other words, and ruin your good time.

The way it works is straightforward: apps in the Sandbox receive only the bare minimum level of permissions necessary to run. They cannot access core system resources or sensitive user data, or at least not without user consent in the first place. Everything starts at the bare bones level, and users can add or revoke permissions for an app within the sandbox as necessary. While this doesn’t prevent all problems from occurring, it does mean that any compromised app only has a limited area to cause problems. If you’re an iPhone user, you’re familiar with this technology already — iOS itself is a giant sandbox, and it’s a big reason why we see fewer major problems or damage-causing malware events from the iOS App Store.

Software available in the Mac App Store must work within the App Sandbox as a rule. For those published outside the App Store but still signed with a valid developer ID, they can also use the Sandbox as needed. Unsigned software won’t run in the sandbox, but chances are you shouldn’t run unsigned software without a very good, trustworthy reason. Remember, running software outside the sandbox means that apps could do damage. That’s why SIP and other security components are so important.

Firewalls: what do they do?

Firewalls are of vital importance for the modern user who spends just about every day connected to the Internet. With always-on connections, managing the software and servers trying to connect to your machine is important. With no firewall at all, your computer remains exposed to all kinds of web traffic — some of it quite malicious.

Firewalls are simple in that they often allow or disallow network traffic based on pre-defined rules or guidelines set by the OS and/or user. MacOS has a firewall built directly into the system, just as it has many other security features. Rules for apps are added to the firewall automatically or by the user; once added, you can choose whether to allow an app to receive connections from the Web or to deny it access. Not everything needs access to the Internet, and it’s smart to lock down what doesn’t need it. Sometimes, malware will look for ports held open by software to infiltrate the machine.

Apple’s built-in firewall only governs inbound connections — not those made by software on an outgoing basis. If you’re concerned about malware sending data off-site or someone tampering with your data over the network, you’ll want to choose an outbound firewall to pair with the built-in option. These programs offer users the chance to see what data wants to flow off their machine and gives them tools to stop it if necessary.

The modem or router supplied by your ISP also likely contains a built-in firewall. Consult your user manual or service provider for more information on configuration. You may not have to add additional software to your Mac, the Little Snitch outbound firewall for example, unless you need the additional security and peace of mind. Even so, setting up your Mac’s built-in firewall is a good idea — especially if you take it out of the house and use it on different wireless networks. Let’s lock down your network traffic, so no one is sneaking onto your machine through an open port.

You can find out more about configuring your Mac’s built-in firewall by visiting https://support.apple.com/en-us/HT201642 or Googling “configuring macos firewall”.

When installing apps with valid digital signatures, such as those from the App Store, you will be asked if you would like them to receive incoming Internet connections through the firewall. iTunes is an example of an app which would be allowed this permission. There is a firewall setting called “automatically allow signed software to receive incoming connections.” It’s up to you if you’d like to enable this feature or not – if you install a lot of software, it might be convenient to enable. However, we have seen bad things happen to good software, so we typically advise caution when enabling automatic permissions in security software.

Secure Kernel Extension Loading explained

Okay, “secure kernel extension loading” is a mouthful, and it might just sound like a whole lot of jargon. However, it’s a very important component to system security on every Mac. Before we dive into this relatively new feature (only introduced recently, in macOS High Sierra 10.13), let’s get some definitions out of the way. What is the kernel? What is a kernel extension, and why should you care? The kernel is the most basic layer of the operating system — it’s where a lot of the most important tasks occur, but completely out of sight of the user. It’s all about file management, security, hardware drivers, and more. Think of it as the foundation from which Apple can build up the rest of the system.

A kernel extension, then, is something that “extends” the functionality of the kernel and adds a low-level process to the background operations of your Mac. In many cases, this is not only something you want, but it might be something you need. Lots of software might need to tap into low-level system access; you’ll often find kernel extensions (KEXTs) bundled in with common hardware such as scanners, printers, and other peripherals. Without installing them, your hardware won’t work!

The popular firewall app Little Snitch is also a good example of when you might want to install a KEXT. It needs access to the network traffic on the machine, which is a function of the kernel. Why? Little Snitch reroutes outbound network traffic through itself to determine if it should be allowed or not based on the rules defined by the user. Without a kernel extension to tap into the flow of network data on your Mac, Little Snitch could not do its job.

However, that doesn’t mean that every KEXT is good. In fact, it’s very easy to make them “bad.” One of the easiest examples to point to is an item called LogKext. This app is actually malware masquerading as a kernel extension; it simply captures all your keystrokes as the system processes them – in other words, it’s a keylogger. LogKext was open-sourced by its developers some years ago, leading it to crop up in all kinds of malware. If you were to install a program bundled with LogKext, you might have your information stolen without ever knowing something was wrong.

With all that said, let’s talk about secure kernel extension loading. What is it? Simply put: it’s a security precaution put in place to stop users from blindly running every KEXT they find or that software requests to install. It gives users a chance to review what they’re installing. MacOS now warns users every time they try to load a new third-party KEXT; officially KEXTs from Apple will still work without user intervention. When prompted by this warning, users have a chance to turn back and stop installation. This helps prevent any nasty surprises from ruining your day when you install software that might not be the most trustworthy. If you see these alerts, don’t just click “OK” without thinking — stop and look at what it’s asking you to do!

Sound like a lot? In a way, it is — but then again, there’s no shortage of security threats to today’s users, even on Apple platforms. With everything from Gatekeeper to sandboxing and even your Internet firewalls, there’s a great deal of technology working behind the scenes to keep you safe and secure. Combine that with good anti-malware software, and you have a recipe for an excellent experience on the Mac — whether it’s yours or your friend’s new machine.

If it’s a friend you want to help out, point them to this episode, or send them a link to our show notes right here. Naturally developers are going to say about their products are “safe, secure — and it just works.” That’s fine, but it helps if users like you know more about what the system and apps offer. We hope you’ve learned a little something new on today’s episode of The Checklist.

As always, you can check out the show notes and all our previous episode right here. Check back in next week when we’ll start to take a more in-depth look at some of the latest security additions, tweaks, and issues present in iOS 11. Thanks for listening to The Checklist, brought to you by SecureMac.

Join our mailing list for the latest security news and deals