Apple deprecating macOS kernel extensions (KEXTs) is a great win for security

Apple kernel extension APIs to be deprecated in macOS 10.15.4.

macOS Macbook Apple

Image: Bundo Kim

At the WWDC conference last year, Apple announced plans to deprecate macOS "kernel extensions" (KEXTs) and replace them with a new mechanism called "system extensions."

The first step towards this announcement was made with the release of macOS Catalina (10.15.0) in September 2019, when system extensions were introduced alongside kernel extensions.

The final step of Apple's plan will come into effect in the coming weeks, with the upcoming release of macOS Catalina 10.15.4.

According to Apple, starting with macOS 10.15.4, use of kernel extensions will trigger a notification to the user that the software includes a deprecated API and will ask the user to contact the developer for alternatives.

What's the difference between the two?

Both kernel extensions and system extensions serve the same purpose. They allow users to install apps that extend the native capabilities of the macOS operating system.

Apps install kernel/system extensions that allow them to perform operations for which macOS has no native features or functions.

Mac antivirus software, firewalls, VPN clients, DNS proxies, USB drivers, and others, all make use of kernel extensions.

The difference between these two new extension systems is that the older kernel extensions execute their code at the macOS kernel level, while the newer system extensions run in a more tightly-controlled user-space.

Great move for security

"From Apple's point of view, this a major step towards improving the security of macOS," Patrick Wardle, Principal Security Researcher at Jamf, and a well-known macOS security expert, told ZDNet in an interview this week.

"Third-party kernel extensions do pose a juicy attack vector for attackers targeting macOS," he added. "Especially if you, as an attacker can exploit a kernel extension, or load your own (assuming it's signed)."

And attacks involving KEXTs have happened in the past [1, 2, 3].

"It's really game over for macOS," Wardle said. "Many many security mechanisms are implemented/enforced in the kernel."

Wardle says that an attack like this wouldn't work with system extensions, as they run in user-mode.

"As they don't run in the kernel, an exploit doesn't give you kernel-mode access anymore as it did with a KEXT exploit," Wardle said.

"So Apple basically wants to kick everybody out [of the kernel], largely for security reasons."

Potential downsides

However, Wardle says there's also a downside to this move.

The first is that by kicking app devs out of the kernel, Apple also gains a lot more control over macOS, similar to the control they have over iOS.

Until now, macOS has been a haven for developers and its users. If macOS didn't have a specific feature, developers could just create an app and leverage a kernel extension to add the features they needed.

The second downside is that many security tools themselves, have heavily relied and have been built around the full access kernel extensions provide to a user's Mac. One might argue that Apple's move towards system extensions might end un neutering security products, which will lose some of their ability to detect and stop malware along the way.

However, Wardle, who is the author of many free macOS security tools, says that Apple has provided "some great user-mode frameworks that provide 3rd-party security tools the capabilities to they need," so it appears that Apple hasn't been cutting the branch from under its feet, just yet.

But for the time being, it is unclear if system extensions would provide the same versatility and coding freedom as kernel extensions. This remains to be seen -- and a topic for another article -- as we'll need more time for macOS developers to slowly make the switch to system extensions going forward.

However, Wardle points out that the move is a good one for macOS security, overall, regardless of other possible reasons for Apple's move.