hoakley January 8, 2023 Macs, Technology

Last Week on My Mac: the trouble with better security

Last week’s project was to deliberately challenge macOS Ventura 13.1 with malicious software, and quite an adventure. I was particularly interested in two aspects: first, how different levels of security protection affected the ability of built-in protection to protect the user, and perhaps more importantly what the user would be informed of. After all, you can have the best tools and defences, but if you aren’t aware that your Mac has encountered something malicious, you’re lost.

Having a little insight into the complexity of macOS security, I suspected that progressively disabling its protective layers would change its behaviour in complex ways. Two things that I hadn’t expected were the lack of dependence on quarantine, and the way that XProtect Remediator appeared to step in to compensate for reduction in other layers.

Quarantine had always been something of a gentleman’s agreement: if potentially malicious software was downloaded in a way that let a quarantine flag be attached to it, and didn’t play dirty, then Gatekeeper could perform its full first-run checks. Not any more, though, as macOS has welshed on its side of that agreement, and now seems to check everything much the same in the end. That doesn’t of course mean you can strip all those quarantine flags, just that when malware tries that, it doesn’t get the advantage that it used to.

XProtect Remediator was more of an unknown. It’s designed to be as unobtrusive as possible, and run its scans with minimal impact on our use of the Mac. The drawback with doing so is that, unlike with Gatekeeper’s warnings, the user is likely to be absent if a scan does discover something untoward. Posting a notification in the small hours of the morning isn’t going to be much use.

So significant scan results have to be stored for the user to retrieve after the fact, and this is where these new scans run into trouble. According to current dogma, there’s only two places XProtect Remediator can post its results: as entries in the Unified log, which it does in all compatible macOS from Catalina on, and as Endpoint Security events, as it does in Ventura. If you’re a regular user running a fairly standard system, neither of those will be accessible at all.

Before Apple introduced the Unified log in macOS Sierra, it wasn’t uncommon for users to browse the log. Many who relied on Time Machine to make their backups used to check it to ensure that no errors had occurred. Sierra instantly put a stop to that, with its endless log chatter drowning everything else out, and Console left unable to help. Over the last six years, that has only grown worse, to the point where many of us are now turning off logging by some subsystems in a desperate bid to retain access to the log. XProtect Remediator’s log entries might as well be encrypted for all the help they’ll be to the average user.

Endpoint Security remains a mystery, though. Often, when Apple introduces valuable new features, it retains the initiative by exploiting them before third-parties can. Yet, in the case of Endpoint Security, there’s nothing that I’ve seen in macOS that seems to do anything useful with it. While several third-parties do offer products that use it, most seem aimed more at corporate and enterprise markets. Third-party security products aimed at ordinary users, or even small business, seem thoroughly vague about Endpoint Security support, something I for one want to know more about before I’d consider subscribing to their products.

We’re left with what’s one of Apple’s most promising and capable defences against malware, incapable of informing the user about the most important security events, such as the detection of malware, and the outcome of its attempts to remove it.

When the original XProtect, run as part of Gatekeeper checks, suspects an app you’re trying to run is malicious, you see an immediate and unmistakeable warning, even though the name given to the malware may be unhelpful. A few hours later, when its Remediator sibling discovers and removes malicious components, it passes on in silence. That surely can’t be what Apple intends.

I’d like to think that, somewhere in Apple, there’s an engineer just putting the finishing touches to an addition for Privacy & Security in System Settings that will better inform the user in macOS 13.3 or so. It may not help those stuck with earlier macOS that still enjoy the protection of XProtect Remediator, but it would be an important step forward.

8Comments

Add yours

1

prairiewalker on January 8, 2023 at 2:41 pm
Reply

I am a slightly knowledgeable Mac user over four decades of OSs and used to browse the log with Console when I was curious or having a problem with Time Machine or another tool. I cast my vote for Apple to have development create a useful log browser. Maybe using GPT?

An aside, Time Machine for my use seems to have grown into a trouble free backup program over the past decade.

LikeLiked by 1 person
- 2
  
  hoakley on January 8, 2023 at 3:53 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
3

Duncan on January 8, 2023 at 4:28 pm
Reply

I wonder if an analogy can be made here to Gödel’s Incompleteness Theorem, where any sufficiently complex compute system can never be made secure. The parallels in nature are evident: there is no species that is immune to viruses or other harm (well, tardigrades might come close), so vulnerabilities are literally a way of life.

What’s unique among computer systems, though, is the nature of the attacks. There is no upper bound to the number or severity of malicious attempts – they can increase exponentially as adversarial computing resources grows. If some maladjusted billionaire decided they wanted to flood the world’s networks with attacks just for the sake of it, they could hire a team to do so and the Internet and everything attached to it would become a dystopian battleground. We’re already on that path.

These bandaids that Apple and every other software vendor are cobbling together might be buying some time, but I hope that some research lab is earnestly working on an entirely new operating system that addresses this from the very first line of code. Unix/Linux/Windows/etc. can not hold up forever under these circumstances.

LikeLiked by 1 person
- 4
  
  hoakley on January 8, 2023 at 6:13 pm
  Reply
  
  Thank you.
  If the Incompleteness Theorem does apply, then surely there’s no point in trying to write a completely robust operating system?
  I don’t think this is as bleak as you portray. There is an upper bound to attacks, determined by the vulnerabilities that can be exploited. OS developers are increasingly using techniques which break the usual Tom and Jerry chase: the SSV is a good example, as being able to change the macOS System volume is so difficult now that attackers simply don’t bother, and look for other vulnerabilities. Apple has also recently made major changes throughout its kernels that render a whole class of exploits impossible.
  Besides, if either side were to ‘win’, the other side would lose funding. The big money favours ongoing battles, not an end to war.
  Howard.
  
  LikeLike
5

markbot2zero on January 8, 2023 at 10:07 pm
Reply

Thank you, Howard.

re: “The big money favours ongoing battles, not an end to war.”

How profound and how true — and if not quite universally applicable in other areas of life, then close to it.

While Apple’s lack of explanation, at least for the time being, of its now multifacted (or perhaps “multi-layered” is a better term?) security, is frustrating, I suppose that

Protect Now — Explain Later

is better than

Explain Now — Protect Later

And speaking of threats, Apple’s attention to security is a threat to all the 3rd-party companies in the Mac security/anti-malware space. One thing I guess we all would like to know is how (or whether) the progressively improving and effective baked in macOS security components stack up with commercial AV, or even if they obviate the latter completely.

And as long as the discussion has taken a more general turn (i.e., “Gödel’s Incompleteness Theorem”) I hope it’s not too off topic for me to mention that Lastpass, one of more popular password managers out there, was apparently rather thoroughly hacked a few months back:

https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/

coughing up encrypted data for (if I’m reading it correctly) 30M+ users. As one commenter put it, the vaults are being drilled now.

I’m a 1Password user–fingers crossed–looking forward to the widespread adoption of “FIDO” (this, by the way, is a generic name for a pet dog here in the US of A, maybe England too?) webauthn, and passkeys.

-Mark

P.S. Oh, and never fear, this being the US of A, class action lawsuit already filed:

LikeLiked by 1 person
- 6
  
  hoakley on January 8, 2023 at 10:40 pm
  Reply
  
  Thank you, Mark.
  Last week, I did address the question of whether macOS protection from malware should be sufficient for the average user, and remain impressed with it. Undertaking any sort of comparison with commercial offerings is a major piece of work, and I’m not sure that even with ample resources you’d be able to make the comparison objectively.
  Third-party vendors are careful not to provide too much detail on what their products protect against. Inevitably, they underplay the effectiveness of that in macOS. For instance, you’ll find critical references to ‘old’ XProtect and its Yara signatures, but little or no mention of the new XProtect Remediator.
  In the end, even the best seems more commercial than informative. They want you to subscribe to their service.
  Yes, Fido is a generic name for a pet dog here, maybe going back to the Romans, as it means ‘I trust’ in Latin. It was also the name of a fairly unsuccessful system for trying to disperse fog from airport runways. I hope that isn’t an ill omen.
  Howard.
  
  LikeLike
7

markbot2zero on January 9, 2023 at 12:29 am
Reply

Thank you again, Howard.

And thanks for that excellent article about macOS protection. I read it, will re-read it, share it with my clients, and post the link here for others:

https://eclecticlight.co/2023/01/03/can-you-rely-on-macos-ventura-for-malware-protection/

I’m mulling over the remarks of Duncan, above and your response.

Bottom Line: SSV is not a “band aid” because:

1. Band Aids are applied after a wound, and SSV is there to prevent the wound in the first place. An inoculation, or vaccination, not a post traumatic treatment.

2. It is a forbiddingly powerful anti-tampering technology.

And (I’m thinking out loud here, thoughts which are definitely not original) the question is not whether a complex software system can be made secure from any and all threats (impossible to prove, I’m sure) but whether (and I’m quoting you here, Howard) attacking them is:

“…so difficult now that attackers simply don’t bother, and look for other vulnerabilities.”

Patrick Wardle revels in hacking macOS’s security, finding chinks in macOS’s armor, making (as he puts it) “Kickass Mac malware.” But as far as I can tell, he’s never cracked SSV, nor even tried. I don’t believe he’s even mentioned it on Objective See, his website and blog. This in itself is an interesting, perhaps revealing, omission.

And this is the key: neither Patrick, nor those black hat hackers are going to bother with SSV.

The goal in security is not to prove that your software (in this case macOS, but whatever) is invulnerable. The (more realistic) goal is to make it so difficult to hack your software that the Bad Guys give up (or don’t even try) and look for the “lower hanging fruit,” more tractable vulnerabilities elsewhere that give them more bang for their hacking buck.

(Bad Guys are as human — and lazy — as the rest of us. Unlike mountain climbers, they’re not going to try to hack SSV “because it’s there.”)

I guess this could be called the “Fruit Tree Theory” of software security. All software is hanging on the Vulnerability Tree, at some level — that’s a given we have to live with. (And yes, the equivalent of a hurricane, God forbid, could blow the whole thing down.)

The idea then is to have your software (in this case, your “Apples”) sprouting on the highest branches possible: make it the “High Hanging Fruit” — and keeping the Bad Guys focused on the lower branches, snagging lemons or kumquats, or better yet, the stuff rotting on the ground.

Just had to get this off my chest. Thanks for reading.

-Mark

LikeLiked by 1 person
- 8
  
  hoakley on January 9, 2023 at 7:19 am
  Reply
  
  Thank you, Mark.
  The alternative to low handing fruit is the predator who picks the easiest of their prey, rather than going for the hardest to catch. I’m not sure it’s lazy, just the most successful strategy.
  Howard.
  
  LikeLike

Share this:

Like this:

Related