Apple's lofty goal for macOS Catalina is to make the system as secure as iOS while maintaining all the traditional flexibility of the Mac. And… that's easier said than done. With iOS, Apple got to start fresh and lock everything down since day one. The Mac, by starkest of contrasts, has been relatively open for decades.

For many years, that was fine. Thanks to the market share and attack surface of Windows, it made far more economic sense for bad actors to go after Microsoft users and leave Apple users alone.

But, now we have the web, we have phishing and spear-phishing, ransomware and spyware, we even have ad trackers and social networks and the ability and eagerness of bad actors and unscrupulous companies to target any and every platform and person, including those of us on the Mac.

So, Apple has been carefully hardening macOS against exactly those kinds of attacks. Carefully, because people who are used to the Mac being open are concerned — legitimately sometimes, completely paranoid others — that Apple is going to impose the same type of control it has over iOS.

Over the years we've gotten Gatekeeper to prevent unauthorized apps from running, and System Integrity Protection to stop anything from modifying the operating system, and social tracking and fingerprinting… well, that's been shut down.

With macOS Catalina, Apple is perpetrating some of their biggest security and privacy balancing acts ever. All in the name of continuing to let us do what we want with our Macs, but locking out everyone else.

Gatekeeper

Apple thinks about security on the Mac the way pretty much anyone in the industry would tell you they should think about it — through defense in depth.

That means multiple layers of security: preventing or delaying attacks, reducing the attack surface and creating choke points that are easier to defend, like only running trusted apps; minimizing and containing anything that does get through, like with sandboxing; and dealing with anything that somehow makes it onto the system, like revoking a trust certificate.

Gatekeeper is the starting point. Currently, when you download an app, whether it's off the Store or the Web or even from AirDrop, that app is quarantined. If and when you try to open a quarantined app, Gatekeeper checks it for known malware, validates the developer signature to make sure it hasn't been tampered with, makes sure it's allowed to run, for example matches your settings for App Store apps and/or known developer apps, and then double checks with you that you really want to run the app for the first time, that it's not trying to pull a fast one and autorun itself.

Something similar happens with files you download directly from the web or through a sandboxed app or get AirDropped as well. Basically, most things hitting your device for the first time.

But, up until now, Gatekeeper had some limits. It only checked quarantined apps, and only the very first time you tried to run them using the graphical interface, in other words through LaunchServices.

For example, double-clicking on an app to run it or a file to open it.

With Catalina, Gatekeeper will also check apps launched via the terminal. They'll get the same malware scan, signature check, and local security policy check. The only difference is, even on first run, you only need to explicitly approve software launched in bundles, like a standard Mac app bundle, not standalone executables or libraries.

What's more, Gatekeeper will now also check non-quarantined apps and files for malware. In other words, the second time, third time, four hundredth time you run it, every time you run it, Gatekeeper will check for malicious content and if it ever finds any, block it and alert you.

Of course, because the Mac is the Mac, you can still override all of this if you really want to and run anything you want, any time you want, any way you want.
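The quarantine attribute and the checks described above can be inspected from the terminal. The following is an added example, not code from the article or from Apple: it decodes the `com.apple.quarantine` extended attribute that LaunchServices stamps on downloaded items, and, when given a path on macOS, runs the same signature and policy checks Gatekeeper applies (`codesign` and `spctl`). The sample attribute value and its UUID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): decode a com.apple.quarantine value and,
# on macOS, run the signature and execution-policy checks Gatekeeper performs.

# The attribute value has four ';'-separated fields:
#   <flags as hex>;<download time as hex Unix seconds>;<downloading agent>;<event UUID>
# decode_quarantine prints the flags, the agent and the download time as decimal epoch seconds.
decode_quarantine() {
    value="$1"
    if [ -z "$value" ]; then
        echo "not quarantined"
        return 0
    fi
    flags=$(printf '%s' "$value" | cut -d';' -f1)
    stamp=$(printf '%s' "$value" | cut -d';' -f2)
    agent=$(printf '%s' "$value" | cut -d';' -f3)
    # The timestamp is hexadecimal seconds since the Unix epoch.
    if [ -n "$stamp" ]; then
        secs=$((0x$stamp))
    else
        secs="unknown"
    fi
    printf 'flags=%s agent=%s downloaded_at_epoch=%s\n' "$flags" "$agent" "$secs"
}

# macOS only: read the quarantine attribute of a file or bundle and run the checks
# Gatekeeper applies at first launch. Requires a path argument.
gatekeeper_check() {
    path="$1"
    q=$(xattr -p com.apple.quarantine "$path" 2>/dev/null || true)
    decode_quarantine "$q"
    # Verify the signature and that nothing inside the bundle changed since it was signed.
    codesign --verify --deep --strict --verbose=2 "$path"
    # Ask the system policy whether this item would be allowed to execute.
    spctl --assess --type execute --verbose "$path"
}

# Constructed sample value in the on-disk format; the UUID is a placeholder.
SAMPLE_QUARANTINE='0083;5d2c1f3a;Safari;00000000-0000-0000-0000-000000000000'
decode_quarantine "$SAMPLE_QUARANTINE"

# Run the live check only when a path is supplied and this is macOS.
if [ $# -ge 1 ] && [ "$(uname)" = "Darwin" ]; then
    gatekeeper_check "$1"
fi
```

Invoke it as `sh gatekeeper_check.sh /Applications/SomeApp.app` on a Mac. Note the Catalina change the article describes: the absence of the quarantine attribute no longer means an item is exempt from the malware check, it only means Gatekeeper will not ask for first-run approval.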

Read-Only System Volume

What's the point of security if anything that tries hard enough can just write all over the root files anyway?

That's not really something anyone says, but it is something macOS Catalina is addressing with a dedicated, read-only hardware partition for the root file system, to keep it separate and secure from the rest of your data and reduce the chances anything can corrupt or infect it.

To make it work, the Apple File System, APFS, is introducing the concept of a volume group. That's a set of one system volume and one data volume, paired, and treated as a single volume.

They show up as a single volume, they share encryption state, which means the same password unlocks them both, and are otherwise almost indistinguishable to a casual observer.

They even maintain a single, unified directory hierarchy through another new concept called firmlinks, which Apple calls bi-directional wormholes in path traversal. Ha.

Firmlinks are created at install time and are transparent to users. They can only be for directories and have a one-to-one relationship, like Users to Users and Local to Local. No one-to-many — totally monogamous — and they can only be used in volume groups between the paired volumes. This isn't files gone wild, people.

Now, just like System Integrity Protection and T2 could annoy people trying to run new versions of the OS on no-longer-supported hardware or trying to install alternate operating systems, this can get in the way of things like setting custom icons for existing apps.

So, you can disable the read-only protection if you absolutely want to, by disabling System Integrity Protection, but it will revert to read-only the next time you reboot.

APFS has also added snapshotting, so, if something goes wrong after an update, like some of your apps end up being incompatible, you'll be able to restore from the snapshot and basically Quantum Realm your system back to the point before the upgrade snapped.

Snapshots only last for a day, and only if you have enough space on your drive, so if you ever need to use the feature, use it fast.
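Two of the properties above can be checked from the terminal: that the root volume is mounted read-only and that the firmlink map is strictly one-to-one. The following is an added example, not code from the article or from Apple. The two check functions parse text (the output of `mount` and the contents of the firmlink map) so they run anywhere; the sample inputs are constructed, with placeholder disk identifiers. The live section at the bottom runs only on macOS when invoked with `--live`, and the path `/usr/share/firmlinks` used there is the map file as found on Catalina.

```shell
#!/bin/sh
# Added example (not from the article): audit helpers for the Catalina volume layout.

# Succeeds (exit 0) when the mount line for "/" carries the read-only flag.
# $1 is the full text of `mount` output.
root_is_readonly() {
    printf '%s\n' "$1" | awk '$3 == "/" && $0 ~ /read-only/ { found = 1 } END { exit !found }'
}

# Succeeds when every firmlink is one-to-one: no system path and no data path is
# listed twice. $1 is the map, one "<system path><TAB><data-relative path>" per line.
firmlinks_are_one_to_one() {
    printf '%s\n' "$1" | awk -F'\t' '
        NF == 2 { src[$1]++; dst[$2]++ }
        END {
            for (s in src) if (src[s] > 1) bad = 1
            for (d in dst) if (dst[d] > 1) bad = 1
            exit bad + 0
        }'
}

# Constructed samples shaped like a Catalina system; disk identifiers are placeholders.
SAMPLE_MOUNT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
SAMPLE_FIRMLINKS=$(printf '/Users\tUsers\n/usr/local\tusr/local\n/Applications\tApplications')

root_is_readonly "$SAMPLE_MOUNT" && echo "sample: root volume is read-only"
firmlinks_are_one_to_one "$SAMPLE_FIRMLINKS" && echo "sample: firmlinks are one-to-one"

# Live audit of the running system (macOS only, opt-in with --live).
if [ "${1:-}" = "--live" ] && [ "$(uname)" = "Darwin" ]; then
    mount_out=$(mount)
    root_is_readonly "$mount_out" && echo "live: root volume is read-only"
    csrutil status                                   # SIP state; disabling it lifts read-only
    diskutil apfs list                               # shows the system and data volumes
    firmlinks_are_one_to_one "$(cat /usr/share/firmlinks)" && echo "live: firmlinks one-to-one"
    tmutil listlocalsnapshots /                      # the short-lived pre-update snapshots
fi
```

The snapshot listing is the part to run right after an upgrade: as the article notes, the snapshot is kept for about a day and only while disk space allows, so if it is not in that list, the rollback option is already gone.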

System Extensions & DriverKit

Apple has also added two new technologies to Catalina, to better protect the operating system but also allow a range of useful features. They're System Extensions and DriverKit.

System Extensions replace the old Kernel Extensions, or KEXTs, but run in user space, safely outside the kernel. Network Extensions support content filters, DNS proxies, and VPN clients. Endpoint Security Extensions replace kauth event monitoring and can be used for endpoint detection and response, anti-virus, and data loss prevention tools. Driver Extensions replace IOKit device drivers and support USB, Serial, Network Interface Controller, and Human Interface devices.

That last one is built using DriverKit, which is a new set of frameworks, updated and modernized from IOKit, so that drivers can be built more safely and securely outside the kernel. Which means, if they have a vulnerability, it doesn't expose the kernel and its privileges to exploitation. And if it crashes, it doesn't panic the kernel and take down the whole system like some Guru Meditation Error gone wrong.

Everything, all of it, stays far more safely in userland where it now belongs.
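A practical consequence of this split is that a Mac can be inventoried by what still runs inside the kernel versus what has moved to userland. The following is an added example, not code from the article or from Apple: it extracts third-party kernel extensions from `kextstat` output (everything whose bundle identifier is not under `com.apple.`), and on macOS can also list the installed userland System Extensions with `systemextensionsctl list`. The sample `kextstat` lines are constructed, including the `com.example.driver` identifier and its addresses.

```shell
#!/bin/sh
# Added example (not from the article): list kernel-resident third-party code,
# the kind of extension Catalina's System Extensions and DriverKit are meant to replace.

# Prints the bundle identifiers of loaded kexts that are not Apple's.
# $1 is the full text of `kextstat` output (header line, then one kext per line,
# with the bundle identifier in the sixth column).
third_party_kexts() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 6 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Counts the identifiers printed by third_party_kexts.
third_party_kext_count() {
    third_party_kexts "$1" | grep -c .
}

# Constructed sample in kextstat's layout; addresses and the com.example.* name are placeholders.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  101 0xffffff7f80f5e000 0x8f80     0x8f80     com.apple.kpi.bsd (19.0.0) 00000000-0000-0000-0000-000000000001
   12   85 0xffffff7f80f7a000 0x1c000    0x1c000    com.apple.iokit.IOACPIFamily (1.4) 00000000-0000-0000-0000-000000000002
  150    0 0xffffff7f83b3c000 0x5000     0x5000     com.example.driver (1.2.3) 00000000-0000-0000-0000-000000000003 <12 1>'

echo "sample: $(third_party_kext_count "$SAMPLE_KEXTSTAT") third-party kext(s) loaded"
third_party_kexts "$SAMPLE_KEXTSTAT"

# Live inventory (macOS only, opt-in with --live): kernel side, then the userland side.
if [ "${1:-}" = "--live" ] && [ "$(uname)" = "Darwin" ]; then
    echo "kernel extensions not from Apple:"
    third_party_kexts "$(kextstat)"
    echo "installed system extensions:"
    systemextensionsctl list
fi
```

On a Catalina machine the first list is the code that can still panic the kernel or inherit its privileges; the second is the code that, as the article puts it, now stays in userland. Anything that appears in the first list and has a System Extension equivalent from the same vendor is a candidate for migration.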

Data Protection

Just like Apple has previously added the requirement for apps to ask permission before they can use the mic and the camera, Apple is now requiring apps to ask permission before they can access your data in the file system as well.

It doesn't matter if that data is on the desktop, or in documents, downloads, iCloud Drive, other cloud storage systems like Dropbox or Google Drive directories, external storage like USB drives or SD cards, or network-attached storage volumes.

The apps, they've got to ask.