hoakley June 10, 2023 Macs, Technology

Bastion in defence of Sonoma security

macOS security has been quietly changing in Ventura, and an account given at WWDC has provided revelations of more to come in macOS 14 Sonoma. This involves a sea change from largely static detection and protection to those based more on behaviours. Here I try to explain how some of these changes are likely to take effect.

Behavioural detection

In the past, macOS has largely relied on static methods for tasks like the detection of malware. The older XProtect system is a good example: it relies on detection signatures, updated periodically by Apple in Yara definition files. When new apps are checked by Gatekeeper, they’re scanned to see if they match any of the signatures of known malware; if they’re clear, XProtect and Gatekeeper consider the app is free from malware.

That can work for a lot of malicious software, but it can only ever detect what’s known, and can also be played or tricked into approving malicious code. One alternative is to monitor potentially malicious behaviour, as you do when you use a software firewall like Lulu or Little Snitch to monitor and block outgoing connections, a common behaviour of much malicious software. Behavioural detection can tackle and identify malware not previously known, but it’s also more difficult to ensure that it doesn’t generate many false positives.

Bastion and more XProtect

If you cruise Ventura’s logs, you may have come across two new names there: Bastion and XProtectBehaviorService. For example, here’s a pair of entries seen during a first-run Gatekeeper check:
1.037060 syspolicyd Got bastion violation BastionRule-3 path /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder responsible path: /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder 1.080139 XProtectBehaviorService Processed behavioral violation for process file:///System/Library/CoreServices/Finder.app/Contents/MacOS/Finder file:///System/Library/CoreServices/Finder.app/Contents/MacOS/Finder BastionRule-3

@tsunek0h has looked in some detail at the rules for what looks like behaviour-based malware detection. There are currently four Bastion rules, one of which monitors the behaviour of processes accessing folders in ~/Library/Application Support that contain sensitive data for third-party messaging apps like WhatsApp. At present, in Ventura, processes that access those aren’t blocked, but their behaviour is recorded in the XProtectBehaviorService database.

Environment constraints

In Robert Kendall-Kuppe’s presentation at WWDC last week, he spoke about what Apple refers to as environment constraints, rules to describe the expected behaviour of non-malicious code. These have already been implemented in Ventura for much of its system code, and in Sonoma extend to third-party software as well.

They can reduce the attack surface of third-party code, and initially are mainly aimed at helper apps that might be run as Launch Agents, Launch Daemons and Login Items, although they can extend to libraries and more. In Sonoma, apps are encouraged where appropriate to provide a dictionary containing a set of requirements, both in terms of facts and predicates, that determine what can use their helper apps, and how. Ventura version 13.3 introduced launch constraints, and the whole scheme of environment constraints is intended to be fully enforced in Sonoma.

Effects

Until last year, little could be done about malicious software until it had been detected and analysed by Apple’s security engineers. If any of it was found to be signed using an Apple Developer certificate, or notarized, its signature or ticket could be revoked immediately. Following that, a Yara rule to detect the malware would be developed and released in the next update to XProtect’s data files, by which time the malware developer may well have started abusing different signing certificates, and maybe even evaded the new Yara rule too.

The promise of behavioural detection is that malicious behaviour should be prevented before it can occur, without having to wait for detection and analysis by Apple’s engineers. These are early days still, and we can but wait and see how well Sonoma performs.

14Comments

Add yours

1

Maurizio on June 10, 2023 at 8:22 am

Disappointing that they start wwdc macOS segment talking about the new screensaver feature , instead of point out how the foundation of sonoma are getting stronger. It seams also a lot faster and tweked , safari js get a big jump. They are switching to Swift from obj-c for framework ?

LikeLiked by 1 person
- 2
  
  hoakley on June 10, 2023 at 9:33 am
  
  Ah – remember that the first two sessions are driven by marketing, and less for developers. We usually get this in the number of new emoji coming, and this year it was stickers! Very important for the press, and really significant for many ordinary users.
  I don’t know whether Safari has been rewritten, but WebKit at least is all open source.
  Howard.
  
  LikeLike
3

Nick on June 10, 2023 at 8:30 am

Great to see macOS security getting more powerful, but I have to ask whether this is just Apple playing catchup to the behavioural blocking and containment offered by Windows Defender in Windows 11, or does it leapfrog it in terms of capability?

It would be interesting if someone who knows the Windows Defender ability in this respect could comment on the relative strengths of the two protection systems.

LikeLiked by 1 person
- 4
  
  hoakley on June 10, 2023 at 9:35 am
  
  Thank you.
  Windows and macOS security are so totally different that I don’t think you can make such comparisons. The threats have also been very different historically. If you want to make comparisons, you also have to include code signing, notarization, SIP and the SSV.
  Howard.
  
  LikeLike
5

Harald Striepe on June 10, 2023 at 4:08 pm

“Platforms State of the Union” is usually interesting for a first technical look.
What I am wondering is whether there are any real updates to the HyperVisor for running macOS guests. The current restrictions make that very limited.

LikeLiked by 1 person
- 6
  
  hoakley on June 10, 2023 at 4:30 pm
  
  I am covering that very topic in my overview of WWDC here tomorrow. Yes, there are, but not everything you’d want.
  Howard
  
  LikeLike
  - 7
    
    Harald Striepe on June 11, 2023 at 2:47 am
    
    I looked at the rather brief HyperVisor update. Underwhelmed.
    I do not understand their unwillingness to support Apple ID/iCloud login. I can live without wallet and access to Touch ID. But Xcode is crippled without login.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on June 11, 2023 at 8:47 am
      
      I don’t know whether that support might come later in Sonoma, but I agree that it’s a major shortcoming.
      Howard.
      
      LikeLike
9

Dominik Hoffmann on June 13, 2023 at 4:49 pm

Third-party anti-virus software also is effective only against known threats, right. Or is there any out there that is more effective against unknown threats that what’s built into Ventura or upcoming Sonoma?

LikeLiked by 1 person
- 10
  
  hoakley on June 13, 2023 at 8:28 pm
  
  I don’t know, and I don’t know of anyone who was conducted any objective testing. It’s quite hard to devise tests for unknown threats, as that involves developing new malware.
  Furthermore, most third-parties are as secretive as Apple about what their protection actually does, when you start trying to look for precise details.
  Having tested known malware against Ventura, I’m impressed at its performance. It was really quite hard to even get most malware to run, because of Gatekeeper and related checks. In the end, I had to reduce security and turn SIP off so that XProtect Remediator could get a look at what I was trying to run.
  Howard.
  
  LikeLike
11

Simon Chang on June 28, 2023 at 8:29 am

Many thanks for the detailed analysis! Still praying Apple to implement nested virtualisation to complement its visualisation framework. That will make a big difference in my view.

LikeLiked by 1 person
- 12
  
  hoakley on June 28, 2023 at 1:04 pm
  
  I’m not sure what you would use a nested VM for that an ordinary VM wouldn’t do as well. However, I fear you may have a very long wait, as I suspect it isn’t even in Apple’s longcast plans.
  Howard.
  
  LikeLike
  - 13
    
    Simon Chang on July 5, 2023 at 8:05 am
    
    I suppose some programs will detect if the host is virtualised and without NV some apps will not even run. This might not be that vital or can be mitigated by finding alternative versions of programs. However, some of Windows VM’s functions will be restricted without nested virtualisation, named Windows Sandbox, WSL2, and some essential security enhancement e.g. kernel memory integrity as part of the virtualisation-based security mechanism. It’s definitely a pity to see Apple not implementing it and probably, yes I totally agree with you, it’s not a priority for Apple either.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on July 5, 2023 at 8:09 am
      
      Erm Windows isn’t a supported guest OS. You can choose between macOS or Linux. I wouldn’t think for a minute that Apple intends supporting Windows. Should running Windows ever be supported officially on Apple silicon Macs, I would expect it to be a distinct boot process, much like Asahi Linux.
      Howard
      
      LikeLike

·Comments are closed.

Behavioural detection

Bastion and more XProtect

Environment constraints

Effects

Share this:

Related