-
Notifications
You must be signed in to change notification settings - Fork 47
3. macOS System Architecture
This is a high level refresher and is not exhaustive. macOS is no different from other operating systems in that it has a user space / kernel space boundary enforced by security controls. Fundamentally macOS boils down to the XNU hybrid kernel consisting of BSD and Mach components.
The incomplete XNU source code can be found on Apple's Open Source Software Distributions account on GitHub: https://github.com/apple-oss-distributions/xnu.
XNU is the hybrid heart (kernel) of macOS consisting of BSD and the Mach microkernel. A brief overview of each of these components is listed below and shown in the above diagram.
Mach's role in the hybrid kernel architecture is multifaceted in that it provides abstractions from "process execution" to IOKit drivers to time primitives. Fundamentally, processes on macOS (exposed by the BSD side of the kernel) are made up of Mach Tasks / Threads. This tight relationship is exposed further by IPC primitives like ports, which facilitate secure communication channels for data exchange between tasks.
This is the primary section we're interested in here as it implements the KAuth (Kernel Authorizatuon) KPI, BSM (Basic Security Module), and MACF (Mandatory Access Control Framework). BSD's role in the kernel is also pretty vast. It exposes POSIX compliance via the BSD system call table, processes/threads, file permissions, etc in addition to manging system resources and the implementation of the file system (APFS as of 2017 with the introduction of 10.13 High Sierra). Additionally, here you'll notice each part of the BSD component registering their scopes to BSM using kauth_register_scope
.
User space has a few primary ways to communicate with the kernel (hands wave):
- User Space → Process → Thread → IPC → System Call → Trap → Kernel Space
- User Space → Process → Thread → Exception → Trap → Kernel Space
- User Space → Process → Thread → Interrupt → Trap → Kernel Space
- User Space → Process → Thread → System Call → Trap → Kernel Space
We're including this section as brief overview for legacy data sources reliant on Kernel Extensions (KEXTs). KEXTs are denied from loading by the default LocalPolicy object on AppleSilicon (signed by the Secure Enclave) and the T2 chip on Intel. Apple Platforms leverage a defense in-depth approach for their secure boot (iBoot) implementation. Starting with hardware each stage in the boot chain validates the next. iBoot exists to help thwart downgrade attacks, boot time infection, and maintain system integrity. Changing the boot security level of macOS requires booting into recoveryOS (which can have it's own password).
These settings can be modified with "Startup Security Utility" in recoveryOS. To boot into recoveryOS on Apple Silicon hold the power button until you see a logo. You can then set the Security Policy for the boot disk.
- (Default) Full Security: Similar to the iOS boot process -- only allows booting the latest installed OS (disallows downgrades). Utilizes a personalized OS signature from Apple -- requires an internet connection at OS install time. Signatures are personalized when they include a specific ECID (Exclusive Chip Identifier).
-
Reduced Security: Instruct iBoot to allow for OS downgrades. The global signature needs to be trusted, but the OS does not need to be the latest. Utilizes the OS' global signatures for validation.
- Allow loading of notarized kernel extensions.
- Allow remote management of kernel extensions and automatic software updates.
-
Permissive Security (requires that SIP is "disabled"): Allows for booting custom XNU kernels. To do this iBoot accepts objects signed by Secure Enclave with the same private key used to sign the LocalPolicy object. Once SIP is disabled this boot security option will be enabled in Startup Security Utility.
- Allow loading of notarized kernel extensions.
- Allow remote management of kernel extensions and automatic software updates.
These settings can be modified with "Startup Security Utility" in recoveryOS. To boot into recoveryOS on Intel hold (⌘ + R) until you see a logo.
- (Default) Full Security: Similar to the iOS boot process -- only allows booting the latest installed OS (disallows downgrades). Utilizes personalized OS signature from Apple servers -- requires an internet connection at OS install time.
- Medium Security: "Allows any version of signed operating system software ever trusted by Apple to run.
- No Security: Does not enforce any requirements on the bootable OS.
-
Boot media options:
- T2 external boot enforcement: Disallow USB, Thunderbolt, PCIe, or SATA.
- Allow booting from any device / removable media.
Apple Silicon Boot | Intel Boot |
---|---|
https://support.apple.com/guide/security/boot-process-secac71d5623/web | https://support.apple.com/guide/security/boot-process-sec5d0fab7c6/web |