hoakley October 2, 2019 Macs, Technology

Security changes coming in Catalina: what’s changed

Apple laid out its plans for the changes in macOS security coming in macOS 10.15 Catalina at WWDC in June. Since then, ten beta releases of Catalina have passed under the bridge, and quite a bit has changed. This article looks at the changes we should expect to see in the first release of Catalina this month – which could, of course, be just a few days away.

Read-only system volume

The biggest single change coming in Catalina takes System Integrity Protection a step further by separating almost all of the system onto a new read-only volume. In place of a single boot volume such as Macintosh HD, Macs running Catalina have two linked volumes named Macintosh HD and Macintosh HD – Data, with the latter containing all the files and folders which are write enabled, including many from top-level hidden folders and /System itself.

This new separation isn’t optional, and Apple has gone to considerable lengths to make it as seamless as possible, including the addition of a new type of bi-directional link which it terms a firmlink. For example, all your regular command tools remain accessible through their normal paths. However, some less-used paths have changed, notably to writable items which were in /System/Library, so some scripts which rely on those will need to be modified.

For the few users who have turned SIP off, partially or completely, this will prove a challenge, of course.

Extensions

Apple is moving developers away from creating third-party kernel extensions. Not only do these require user consent in the Security & Privacy pane, as they have in Mojave, but a new extension won’t be loaded until you restart your Mac. This can interrupt installation scripts, and some installers might struggle to resume properly once your Mac has restarted.

As in Mojave, all third-party extensions which have been signed since April 2019 must now be notarized, but as usual those which have already been installed before upgrading to Catalina should be retained and continue to work, as long as they are compatible and not blacklisted.

Catalina is also very careful in the LaunchAgents, LaunchDaemons and Preference Panes which it accepts. When you upgrade, you may find a folder of Relocated Items containing suspect items which macOS has discovered. So far, this hasn’t been documented particularly well either.

Hardening and notarization

Apple’s original plan was for all newly-installed third-party software not from the App Store to have to be notarized, and at WWDC Apple announced that all apps signed by developers from 1 June 2019 had to be notarized. Although this hasn’t changed, the requirements for notarization have.

In that original plan, legacy apps could be notarized without meeting new stringent requirements such as hardening and deep code-signing, but all newly-signed apps were required to meet those. Between September 2019 and January 2020, Apple has relaxed its requirements across the board, and allowed newly-signed apps to merely have undergone Apple’s malware checks to be notarized.

This means that for new apps, hardening and deep signing aren’t mandatory until next year. What is required is that the app has been checked by Apple for the presence of malware. The result is that some notarized apps are hardened and meet Apple’s strict rules, but others aren’t.

There is considerable controversy over whether hardening and deep signing bring much security benefit. Apple claims that these should make those apps significantly more robust in the face of malware, and eventually this should prove better for users. But that isn’t really going to gather pace until Apple restores its stringent rules for notarization in January.

None of this prevents a user from running a new app (complete with quarantine flag) which isn’t signed at all, or which is signed but not notarized. If you double-click an app which isn’t notarized and it has a quarantine flag set, so hasn’t yet cleared its first run checks, macOS informs you that the app can’t be opened because it can’t be checked for malicious software.

Select the same app icon and use the Finder’s menu command to open the app, and a similar dialog appears, this time also offering to open the app for you. Once that app has cleared its first run, no further warning dialogs should be shown.

Those apply to newly-installed third-party software not obtained from the App Store, and apply when it’s first run. They don’t apply to apps which have already passed their first run checks, so all your existing apps which aren’t notarized should still run fine. But Catalina also checks every app, regardless of its quarantine status, for malware using XProtect, when that app is opened. Unlike performing a full signature check, this adds very little time to the launch process.

However, over the last couple of years Apple has let XProtect lie fallow and its current list of malware signatures isn’t as comprehensive as it could be. For this additional scanning to be worthwhile, Apple will need to support XProtect better in the future.

Privacy protection

Catalina extends the privacy protections introduced in Mojave, which will, for example, affect many apps which access files in your Documents folder without presenting an Open File dialog. For most users, this will mean adding more apps to the Full Disk Access list in Security & Privacy, something we’re already getting used to.

Many conventional document-based apps will be unaffected by this. But the more an app tries to work with protected resources, the more of a pain it will be to configure its privacy settings. Well-designed apps which have been specifically updated for Catalina should walk you through getting these settings right; they’re also the most likely to be properly hardened, deep signed, and notarized under strict rules.

Vulnerabilities

In early August, Apple announced an expanded Bug Bounty programme which includes macOS, but so far doesn’t appear to have started that. As a result, some macOS security researchers may be sitting on small collections of vulnerabilities which they have discovered in Catalina. Don’t be surprised if these lead to some turbulence in the first months of Catalina’s public release cycle.

On the other hand, Catalina introduces developer support for major new features which enable third-party anti-malware products to watch for suspicious behaviour. Digita Security, now part of Jamf, is already pioneering this with its GamePlan, aimed at enterprise users. Expect to see more products in the coming months.

For the first time in several years, Apple has delayed releasing a major new version of macOS until well after its corresponding iOS release. This should indicate that it intends the first release of Catalina to have fewer bugs than did Mojave or the more disastrous High Sierra. We’ll see how well this works out in a few days or weeks.

Summary

Once you’ve upgraded to Catalina:

Prefer to install notarized third-party apps when they’re from outside the App Store.
If you need to ‘first run’ a non-notarized app, use the Finder’s Open command to be given the option.
Most won’t notice the new read-only system volume, unless you run scripts which access system paths, which could have moved.
Beware of installing third-party software which relies on extensions: ensure they’re notarized and compatible with Catalina.
Bear with the additional privacy dialogs, and be ready to add more apps to the Full Disk Access list.
Watch for new security products built specifically for Catalina.

23Comments

Add yours

1

Valdo on October 2, 2019 at 7:10 am

Some apps (or parts of them) are since 10.14.4 or 5 already moved to “Relocated Items”.

LikeLiked by 1 person
- 2
  
  hoakley on October 2, 2019 at 8:03 am
  
  Thanks.
  Although I haven’t seen it in a long time, this can happen during an update. But I think it may be more common and prominent with the Catalina upgrade, from what I hear.
  Howard.
  
  LikeLike
  - 3
    
    Valdo on October 2, 2019 at 9:09 am
    
    Sorry, I have to correct myself, in Mojave is called “AppTranslocation”
    
    LikeLiked by 1 person
    - 4
      
      hoakley on October 2, 2019 at 9:13 am
      
      Ah – that’s something completely different, and was introduced I think in High Sierra.
      When an app is first run with a quarantine flag set on it, it isn’t run from where it has been put, but is moved (translocated) to a special folder and run from there. This is to block malware from relying on its location, as it breaks fixed paths. Once it has cleared Gatekeeper checks, the translocation folder should be removed. This should all be invisible to the user.
      Howard.
      
      LikeLike
5

Nik on October 2, 2019 at 10:22 am

I have a couple of questions:

1. Is there any limit on the number of times for notarizing an app/pkg that you know of? The pkg I work on has release almost every week and for each week I notarise the pkg multiple times(at least twice). Would it be a problem?

2. Unix command open for opening an app as user/root in loginwindow no longer works in 10.15 when tried from a root process (CLI). The reason I do this is to check accessibility permission of that app. However running a process using LoginWindow launch agent allows the app to be opened with the params I pass from loginnwindow process. This doesnt occur in 10.14.

LikeLiked by 1 person
- 6
  
  hoakley on October 2, 2019 at 11:18 am
  
  Thank you.
  1. No, AFAIK there’s no limit. I’d notarize for each released build – that’s what’s required by the user. It appears that you don’t even have to change the build number to notarize again, but it’s good practice to.
  2. Sorry, I don’t know. Do you get an error from macOS generally, or from TCC, perhaps? Worth checking the log to discover what’s failing.
  Howard.
  
  LikeLike
- 7
  
  Jerry Fritschle on October 3, 2019 at 2:11 pm
  
  To your first question, if there is such a limitation, I have not hit it. This is despite the fact that, more than once, I have notarized an application, but then had to repeat moments later after running it and finding a bug I’d missed. Silly me.
  
  LikeLiked by 1 person
8

Jerry Fritschle on October 3, 2019 at 2:24 pm

I wondered a little bit why Apple had to obfuscate the fact, to the end user, that a Catalina boot drive is now two distinct volumes. It’s the “ease of use” thing, I guess, along the lines of how they have always hidden the underlying unix directories with the short funny names. 🙂

Having said that, your explanation involving firmlinks does demonstrate that, whether or not it “looks” like a single volume, in many ways it still has to act like one.

LikeLiked by 1 person
9

Jacques Distler on October 3, 2019 at 11:49 pm

“Catalina is also very careful in the LaunchAgents, LaunchDaemons and Preference Panes which it accepts. ”

WTF? After deprecating Cron and other mechanisms for executing periodic tasks, in favour of launchd, now they’re going to put restrict the use of launchd scripts?

I expect /System/Library/LaunchDaemons to be unmodifiable (it already is, thanks to SIP). But /Library/LaunchDaemons ? Really?

LikeLiked by 1 person
- 10
  
  hoakley on October 4, 2019 at 7:04 am
  
  Thanks.
  The problem is this is an observed not documented behaviour, so we don’t at present know why some items get picked out like this. It doesn’t apply to all, just some.
  Howard.
  
  LikeLike
11

Jacques Distler on October 4, 2019 at 7:32 am

Here’s another thing I am trying to wrap my head around: what does moving from SIP to “read-only” boot volumes buy you?

With SIP, the Kernel enforces a restriction that only authorized processes (Apple’s updaters) are allowed to write to system directories.

With a “read-only” boot volume, the Kernel enforces a restriction that NO ONE can write to those same directories.

Under what threat-model is the first vulnerable, but not the second? The only thing I can think of is a rogue “Apple” updater.

But in that case, we haven’t really added any protection. Under Catalina, to do ANY system updates, the machine has to be rebooted and the boot volume mounted read/write. Now we need to add extra bells ‘n whistles to make sure only authorized Apple updaters can do that. But, once we have, we’re still vulnerable to the the same rogue Apple updater as before.

So what have we gained?

LikeLiked by 1 person
- 12
  
  hoakley on October 4, 2019 at 8:14 am
  
  Thanks.
  The answer to your question is it brings a much simpler and more robust system.
  In Mojave, SIP is a real mess. Protection is determined by property list, extended attribute, and possibly one or two other things too. Although completely disabling SIP appears quite robust and we hope not vulnerable, there’s always the possibility of finding a more limited way to disable SIP on certain items, which would allow exploitation. With several mechanisms to work on, the chances of an attacker finding a vulnerability in one of them are higher.
  In Catalina, protection is clean. If it’s on the read-only system volume, it’s protected. There’s no way of removing protection from just a few files or folders – to change any contents of the system, the attacker has to disable SIP entirely and mount the whole volume with write permissions.
  If you consider the only possible attack is by spoofing an Apple installer, there isn’t much difference. But that’s only one mode of attack on the current implementation of SIP, isn’t it?
  Howard.
  
  LikeLike
  - 13
    
    Jacques Distler on October 4, 2019 at 1:54 pm
    
    Well, yes. The standard Unix answer to “How do I protect a set of files from being tampered with, even by a rogue setuid process?” is “Put them on a read-only volume.” That’s the best you can possibly do, with standard Unix access-control mechanisms.
    
    The whole point, though, of Apple’s security efforts in El Cap/Mojave/Catalina, is that the standard Unix “user-based” access controls are inadequate and need to be supplemented by “app-” or “process-” based access controls (“entitlements”). The benefits are supposed to extend not just to SIP, but also to securing the user’s own files (e.g. calendars and contacts) from rogue processes.
    
    There may be bugs in Apple’s implementation of entitlements. But it seems to me that the solution is to fix those, rather than risk introducing NEW bugs in the kernel code needed to implement “firmlinks”.
    
    (I guess the simpler response is that Apple’s new approach to system-protection in Catalina only LOOKS cleaner because they’ve hidden the implementation details from you.)
    
    LikeLiked by 1 person
    - 14
      
      hoakley on October 4, 2019 at 3:27 pm
      
      Thank you.
      I don’t think that firmlinks have any security component, do they? They’re merely bidirectional cross-volume links, so any bugs in them shouldn’t have security consequences.
      I like what you say in the first para, though, that putting system files on a read-only volume is “the best you can possibly do”. So this combines elaborate platform-specific mechanisms which may well contain bugs with a proven and strong Unix access-control mechanism.
      Sounds good to me!
      Howard.
      
      LikeLike
15

Florian on October 6, 2019 at 9:54 am

Thanks for the article. I was wondering if you know by now if one has to disable SIP & boot to Recovery to flash a custom host file in Catalina?

LikeLiked by 1 person
- 16
  
  hoakley on October 6, 2019 at 10:08 am
  
  I’m sorry I don’t know at the moment. If it’s on the read-only system volume you’ll also have to mount it for writing too.
  Howard
  
  LikeLike
- 17
  
  hoakley on October 6, 2019 at 8:33 pm
  
  I have now had a chance to check this out on beta 11, and it looks as if the hosts file is stored on the writeable volume, not the read-only volume. So you should – if nothing changes in the release – be able to write a custom hosts file to Catalina.
  You will need to check on the release version, of course.
  Howard.
  
  LikeLike
18

anarvey on October 7, 2019 at 11:48 pm

Could this message from a launchdaemon on Catalina be evidence of it being rejected by Catalina. (It works previously)
com.apple.xpc.launchd[1] (com.detectxswift.search[55073]): Service exited due to SIGABRT

LikeLike
- 19
  
  hoakley on October 8, 2019 at 6:14 am
  
  I don’t know: that’s for DetectXSwift, so I’d contact its developer to check whether it’s compatible with Catalina. He maybe has an update ready in beta, if not released.
  Howard.
  
  LikeLike
20

Security changes coming in Catalina: what’s changed – The Eclectic Light Company – Jerry's Mac Blog on October 10, 2019 at 2:45 pm

[…] Source: Security changes coming in Catalina: what’s changed – The Eclectic Light Company […]

LikeLike
21

Peet on February 21, 2020 at 3:34 pm

TLDR: Did you ever find any documentation about 10.15’s “very careful” handling of launchd?

We’re getting deep into 10.15 now (10.15.3) and I’m just no running into a LaunchDaemon/LaunchAgent issue that seems to be specific to Catalina being “very careful“ with launchd scripts. Basically I have a shell script that I’m using to fire a service. The service needs PPPC controls and if it’s fired by a shell, the entire shell needs to be granted the control. So I wrap it in a Platypus .app, sign the .app and give it the PPPC controls. Works in 10.14 and 10.13.

The crazy thing is in 10.15 it just does not fire during startup. If it’s a global LaunchAgent set to run at “Loginwindow” it works perfectly at logout. Also fails at startup as a LaunchDaemon, but works as expected if unloaded and loaded when booted. Same issue as an AppleScript .app. I’m trying an Automator .app today, but am guessing it will also fail.

Enabling std out and std err on the launchd plist I can tell that it’s trying to run and I’m sure the app fires, but the app never process the script.

I’m just failing to find any sort of documentation about any launchd changes in 10.15. Did you ever come across any?

LikeLiked by 1 person
- 22
  
  hoakley on February 21, 2020 at 4:09 pm
  
  Thank you.
  Documentation from Apple? Need I say more?
  No, I can’t recall seeing any, although as it’s so hard to locate and so unusual anyway, that shouldn’t be surprising.
  Howard.
  
  LikeLike
23

Peet McKinney on February 22, 2020 at 5:35 am

Yeah that’s what I thought, but thanks a million for the reply. I did narrow the issue to the fact that both the Platypus and AppleScript apps make calls to have hooks into the UI in some way or another. Simply using the NSUIElement/true in the bundle’s info.plist doesn’t undo those hooks. 10.14 and below allowed the apps to run at startup, but 10.15 fixed that. Though I’m still not sure how to get good debug info on it, but that’s another story.

I’m flailing around with Xcode and have “written” an Objective C “Command Line Tool’ that calls the script. I wrapped it up by hand in a .app bundle and it works as expected, but damn if I can figure out how to switch the working directly to the binary’s folder so I can use a relative path for the script. It’s more hacky than a Platypus or AppleScript app but it works for now. Maybe I can get it to work with a swift project, but boy o boy I’m in over my head.

Thanks again!

LikeLike