Is macOS’s new XProtect behavioural security preparing to go live?

Until early last year, there was one XProtect, a set of rules that among other things tried to detect known malware during Gatekeeper checks on apps and other code. Then in March 2022, Ventura silently added a second XProtect, this time a set of scanning modules run at least once a day to detect known malware and remove it. Since June last year, that XProtect Remediator has rapidly matured, to the point where it now looks for 19 different types of malware on macOS 10.15 and later, and is updated at least once a month.

A third XProtect was discovered in Ventura, this time observing potentially malicious behaviour such as attempts to access private data for browsers and messaging apps. This XProtect Behaviour Service (XBS) has used a set of Bastion rules embedded in the strings in syspolicyd to record behaviours in a new database, but so far has been an observer and hasn’t blocked such behaviours. Security researchers have already been able to discover its records of novel malicious code, and Chris Long has documented how to access its database, but so far syspolicyd has only watched and recorded.

Recent descriptions of Bastion rules have identified four, last updated in syspolicyd in macOS 13.5 on 24 July 2023. Those changed on 8 August, when Apple released its first update to the Bastion rules, and again a month later on 1 September. There’s now a fifth Bastion rule, and XBS appears to be getting ready to fly for the first time.

XProtect Remediator updates

Updates provided to XProtect Remediator versions 108 (8 August 2023) and 109 (1 September 2023) contained two additional files not seen in previous updates:

  • bastion.sb, a text file containing the latest Bastion SystemPolicyConfiguration, its rules;
  • BastionMeta.plist, a property list defining behaviour dictionaries for XBS and Bastion.

Bastion rules

Although each recent version of these rules is prefaced by the line
(version 3)
the rules embedded in syspolicyd and those in the two updates differ from one another.

Each defines four groups of processes: usual-offenders, which are common exceptions to several rules; then separate groups of exceptions to each of rules 1, 2 and 3. For example, com.apple.mds and other Spotlight indexing processes are usual-offenders, while com.apple.Finder is only a rule-one-offender.

Using those lists of exceptions, five Bastion rules are built as filters:

  1. excludes other processes from accessing private data for Google Chrome, Firefox and Safari;
  2. excludes other processes from accessing private data for Messages, Microsoft Teams, Slack and WhatsApp;
  3. excludes other processes from accessing the QuarantineEvents database;
  4. controls access to two socket ioctl commands SIOCIFCREATE and SIOCGIFDESC;
  5. controls access to writing within Library/PrivilegedHelperTools/ directories.

The updated bastion.sb file supplied in recent XProtect Remediator updates is explicitly referenced by syspolicyd, presumably to replace the version embedded in its own code. However, it’s unclear how updates are recognised by syspolicyd so that they can take effect without macOS being restarted.

BastionMeta.plist

This property list, identical in both versions, contains a dictionary of five behaviours. Each has a Signature Name, such as macOS.NetworkSniffer.Generic, a Boolean value indicating the need for immediate reporting, and a binary flag ranging from 1 to 16. The behaviours are named:

  • Browser
  • Messages
  • QntDb
  • NetworkSniffer
  • HiddenPrivilegedHelpers

and correlate with the five Bastion rules, for which this file appears to provide the metadata. Thus rule 1 protects browser data, rule 2 messaging data, rule 3 quarantine records, rule 4 network packet sniffing, and rule 5 hidden privileged helper apps.
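As an added example (not code from the original post or from Apple), here is a Python parser for a BastionMeta.plist-style dictionary of the five behaviours that decodes a behaviour flag mask back to the corresponding Bastion rule; the key names, the power-of-two flag values and all signature names other than macOS.NetworkSniffer.Generic are assumptions.

```python
# Added example, not code from the original post or from Apple: parse a
# BastionMeta.plist-style behaviour dictionary and map XBS behaviour flags
# back to the five Bastion rules. Key names (SignatureName, ReportImmediately,
# Flag), power-of-two flags and all signatures except NetworkSniffer's are assumed.
import plistlib

# Constructed sample in the shape the post describes: five behaviours, each
# with a signature name, an immediate-reporting Boolean and a flag in 1..16.
SAMPLE_BASTION_META = plistlib.dumps({
    "Browser": {"SignatureName": "macOS.Browser.Generic", "ReportImmediately": True, "Flag": 1},
    "Messages": {"SignatureName": "macOS.Messages.Generic", "ReportImmediately": True, "Flag": 2},
    "QntDb": {"SignatureName": "macOS.QntDb.Generic", "ReportImmediately": False, "Flag": 4},
    "NetworkSniffer": {"SignatureName": "macOS.NetworkSniffer.Generic", "ReportImmediately": True, "Flag": 8},
    "HiddenPrivilegedHelpers": {"SignatureName": "macOS.HiddenPrivilegedHelpers.Generic", "ReportImmediately": True, "Flag": 16},
})

# Rule numbers for each behaviour, as the post correlates them.
RULE_OF_BEHAVIOUR = {"Browser": 1, "Messages": 2, "QntDb": 3,
                     "NetworkSniffer": 4, "HiddenPrivilegedHelpers": 5}

def validate_flags(meta):
    """Check every flag is a distinct single bit in 1..16 (assumed bitmask use)."""
    seen = set()
    for name, entry in meta.items():
        flag = entry["Flag"]
        if not 1 <= flag <= 16 or flag & (flag - 1) or flag in seen:
            raise ValueError(f"{name}: flag {flag} is not a unique bit in 1..16")
        seen.add(flag)
    return meta

def load_behaviours(plist_bytes):
    """Parse BastionMeta-style plist bytes into {behaviour: entry} and validate."""
    return validate_flags(plistlib.loads(plist_bytes))

def decode_mask(meta, mask):
    """Return (behaviour, rule, signature, immediate) per set bit, ordered by flag."""
    known = sum(entry["Flag"] for entry in meta.values())
    if mask & ~known:
        raise ValueError(f"mask {mask:#x} sets bits no behaviour defines")
    hits = []
    for name, entry in sorted(meta.items(), key=lambda kv: kv[1]["Flag"]):
        if mask & entry["Flag"]:
            hits.append((name, RULE_OF_BEHAVIOUR.get(name),
                         entry["SignatureName"], entry["ReportImmediately"]))
    return hits

if __name__ == "__main__":
    meta = load_behaviours(SAMPLE_BASTION_META)
    for hit in decode_mask(meta, 0b01001):  # constructed mask: Browser + NetworkSniffer
        print(hit)
```

Running the block against a real BastionMeta.plist would first require confirming the actual key names, which the post does not give.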

Future

Without a mechanism for updating Bastion rules outside macOS updates, XBS would lack the ability to accommodate changes in response to changing threats. These first updates are an important milestone in the development of XBS as effective security protection, but until syspolicyd is switched from observation to intervention, its role is severely limited.

While they’re bundled in XProtect Remediator updates, Bastion rule updates are installed on all Macs running macOS 10.15 Catalina or later. Unlike XProtect Remediator, which is essentially a self-contained security tool, Bastion updates are only effective for macOS with a version of syspolicyd that supports behavioural protection, which almost certainly excludes macOS before Ventura. As Ventura has now entered its first year of security-only updates, it looks unlikely that its syspolicyd will support intervention, and it’s most likely that it will be left as an observer.

The timing of these updates is consistent with the intended release of fully functional intervention in Sonoma, perhaps in macOS 14.3 early next year, or possibly sooner. As long as bastion.sb and BastionMeta.plist files remain in plain text, it should be straightforward to watch this evolution. Now might also be a good time to prepare test tools to confirm how Bastion rules are applied by syspolicyd. These are interesting times indeed.