Securing macOS: A Closer Look At Built-In macOS Application Security

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

In an increasingly connected world, the security of our digital lives has become more critical than ever. As users rely heavily on their computers for work, personal communication, and handling sensitive information, the need for a secure operating system is paramount.

While macOS is widely regarded for its user-friendly nature, it's important to acknowledge that no operating system is immune to security threats. From malware and phishing attacks to data breaches and unauthorized access, macOS users must be vigilant and proactive in safeguarding their systems and personal information.

In this research, we'll take a closer look at the world of macOS security. We will shed light on the various layers of protection offered by Apple.

Simulate macOS Endpoint Attacks with Picus Platform

Built-In macOS Application Security

When it comes to protecting macOS-powered devices, Apple has implemented a range of robust security measures that often go unnoticed.

macOS takes a multi-faceted approach to safeguarding its system against potential threats from Internet-downloaded applications. It integrates a variety of protective measures to ensure that such apps are free from known malware. By leveraging advanced technologies, macOS not only detects and eliminates malware but also establishes additional barriers to prevent untrusted apps from compromising user data.

Transparency, Consent, and Control - TCC

Transparency, Consent, and Control (TCC) is a fundamental aspect of privacy and security in modern digital ecosystems. It refers to a set of mechanisms and practices designed to provide users with clear visibility and control over the permissions and access rights granted to applications and services on their devices.

In macOS, TCC serves as a crucial component of privacy protection by offering users the ability to manage which applications have access to sensitive data and system resources. This includes permissions for accessing location data, contacts, calendars, microphones, cameras, and more. By allowing users to review and modify these permissions, macOS ensures that individuals have granular control over their personal information.

The transparency aspect of TCC ensures that users are fully informed about the data an application requests and the specific purpose for which it is required. When an application attempts to access sensitive data for the first time, macOS displays a consent prompt, clearly stating the information being requested and the purpose it will serve. This transparency empowers users to make informed decisions about granting or denying access.


Figure 1: TCC Warning

Under System Preferences > Privacy & Security, users can see which applications have permissions to which services.


Figure 2: Giving Full Disk Access to Terminal

TCC Database

TCC is an SQLite database, and this database is located in /Library/Application\ Support/com.apple.TCC/TCC.db. The following command allows users to view the System TCC database.

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db




The TCC database includes the following tables.

  • access 
  • access_overrides
  • active_policy admin
  • expired
  • policies

➜ ~ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db


SQLite version 3.37.0 2021-12-09 01:34:53

Enter ".help" for usage hints.

sqlite> .tables

access                   active_policy     expired         

access_overrides  admin             policies        

Example 1: TCC.db tables

The database also allows users to view System applications and TCC permissions.

sqlite> select client, auth_reason, auth_value, service from access;


us.zoom.xos|5|0|kTCCServiceSystemPolicyAllFiles

com.logitech.Logi-Options|4|2|kTCCServiceAccessibility

com.logitech.manager.daemon|4|2|kTCCServiceAccessibility

com.logitech.manager.daemon|4|2|kTCCServiceListenEvent

us.zoom.xos|4|0|kTCCServiceAccessibility

us.zoom.xos|4|2|kTCCServiceScreenCapture

/usr/libexec/sshd-keygen-wrapper|4|0|kTCCServiceSystemPolicyAllFiles

com.apple.screensharing.agent|4|0|kTCCServicePostEvent

com.apple.screensharing.agent|4|0|kTCCServiceScreenCapture

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/Support/AEServer|4|0|kTCCServiceAccessibility

com.apple.Terminal|4|2|kTCCServiceSystemPolicyAllFiles

Example 2: TCC system app accesses

File Quarantine

File Quarantine is the predecessor of Gatekeeper and was introduced with OS X Leopard (10.5). With the File Quarantine feature, the extended attribute-(XA) com.apple.quarantine attribute is added to the files downloaded from the Internet.

File Quarantine is designed to notify users when an application downloaded from the Internet is run for the first time.

Screenshot 2023-07-31 at 09.36.48

Figure 3: File Quarantine Warning

The warning above is triggered when trying to open files with the com.apple.quarantine extended attribute. Files that have @ at the end of their permissions flags have extended attributes.

➜ tools ls -l

 

total 1632
drwx------@ 6 picus staff 192 Jun 17 00:07 jtool2
-rw-r--r--@ 1 picus staff 832413 Jun 17 00:07 jtool2.tgz

The xattr utility allows users to view a file's extended attributes.

xattr CleanMyMacX.dmg 


com.apple.macl

com.apple.metadata:kMDItemWhereFroms

com.apple.quarantine

Example 3: Extended attributes of a downloaded file

The xattr -p command is used to display extended attribute values.

xattr -p com.apple.quarantine CleanMyMacX.dmg 


0081;64c3bf9d;Firefox;01EB78B6-2EB3-48BF-808B-B8D50B4AEE8C

Example 4: com.apple.quarantine extended attributes of a downloaded file

Extended Attribute - com.apple.quarantine

The structure of the values in com.apple.quarantine is given in Figure 4.

Screenshot 2023-07-31 at 09.43.36
Figure 4: The structure of com.apple.quarantine extended attributes

QuarantineEventsV2 Database - com.apple.quarantine

All flag information of the com.apple.quarantine attribute is available in the com.apple.LaunchServices.QuarantineEventsV2 SQLite database. The database is located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2.

➜ ~ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2


SQLite version 3.37.0 2021-12-09 01:34:53

Enter ".help" for usage hints.

 

sqlite> .schema

CREATE TABLE LSQuarantineEvent (  LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,  LSQuarantineTimeStamp REAL,  LSQuarantineAgentBundleIdentifier TEXT,  LSQuarantineAgentName TEXT,  LSQuarantineDataURLString TEXT,  LSQuarantineSenderName TEXT,  LSQuarantineSenderAddress TEXT,  LSQuarantineTypeNumber INTEGER,  LSQuarantineOriginTitle TEXT,  LSQuarantineOriginURLString TEXT,  LSQuarantineOriginAlias BLOB );

CREATE INDEX LSQuarantineEventIndex  ON LSQuarantineEvent (  LSQuarantineEventIdentifier );

CREATE INDEX LSQuarantineTimeStampIndex  ON LSQuarantineEvent (  LSQuarantineTimeStamp );

 

sqlite> .tables

LSQuarantineEvent

Example 5: QuarantineEventsV2 database

The following SQL command can be used to display the values in the LSQuarantineEvent.

sqlite> select * from LSQuarantineEvent;


87A946DE-B399-4050-A8D0-AA8B367CA73F|712139861.371294|com.apple.Safari|Safari||||0|||

71BA058F-EE40-4E4A-8F1F-1024F431D0F1|712140006.612305|com.apple.Safari|Safari||||0|||

F208738B-7B2B-43D5-B899-D8ABCC2D9A4D|712150977.27626|com.apple.Safari|Safari||||0|||

47EB09C4-930B-4855-BD97-D2F5C959F99B|712151493.15678|com.apple.Safari|Safari||||0|||

1BE1FD13-B935-45C6-89E4-B7C4BDC9A02E|712167224.613103|com.apple.Safari|Safari||||0|||

98E55B99-2A5B-4F21-953F-E9B3AE82034C|712171029.575085|com.apple.Safari|Safari||||0|||

8652C19B-A44B-4A3D-AE4D-42099459743A|712171234.319902|com.apple.Safari|Safari||||0|||

01EB78B6-2EB3-48BF-808B-B8D50B4AEE8C|712242961.0|org.mozilla.firefox|Firefox||||0|||

Example 6: Contents of LSQuarantineEvent

LSQuarantineEvent Table

The LSQuarantineEvent table includes the following columns. The structure of the values in the table is given in Figure 5.

  • LSQuarantineEventIdentifier
  • LSQuarantineTimeStamp
  • LSQuarantineAgentBundleIdentifier
  • LSQuarantineAgentName
  • LSQuarantineDataURLString
  • LSQuarantineSenderName
  • LSQuarantineSenderAddress
  • LSQuarantineTypeNumber
  • LSQuarantineOriginTitle
  • LSQuarantineOriginURLString
  • LSQuarantineOriginAlias


Figure 5: LSQuarantineEvent table analysis

Gatekeeper

Gatekeeper is a built-in security technology designed to run trusted software on macOS. When downloading an application from the Internet outside the AppStore and opening that application, Gatekeeper confirms that the application comes from the identified developer and is known to Apple (notarization).

Figure 6: Gatekeeper Warning

The operations of the Gatekeeper service are performed at the system level by spctl - SecAssessment system policy security macOS binary.
The spctl command is used to check whether an application is signed and notarized. The command returns either "accepted" or "rejected", depending on the Gatekeeper's evaluation.

➜ ~ spctl --verbose=4 --assess --type execute /Applications/Hopper\ Disassembler\ v4.app


/Applications/Hopper\ Disassembler\ v4.app: accepted

source=Notarized Developer ID

 

 

 

Example 7: spctl - notarization and signed information

The main difference between Gatekeeper and File Quarantine is the signature check. File Quarantine does not perform signature checks.


Figure 7: Gatekeeper Warning

Gatekeeper Database

Gatekeeper performs the controls from its own database, and it keeps a blocklist for applications. The Gatekeeper's database is in SQLite format and is located at /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/gk.db.

➜ ~ sqlite3 /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/gk.db


SQLite version 3.37.0 2021-12-09 01:34:53

Enter ".help" for usage hints.

 

sqlite> .schema

CREATE TABLE settings (name TEXT, value TEXT, PRIMARY KEY (name));

CREATE TABLE blocked_hashes (hash BLOB, hash_type INTEGER, flags INTEGER, PRIMARY KEY (hash, hash_type));

CREATE TABLE blocked_teams (team_id TEXT, flags INTEGER, PRIMARY KEY (team_id));

 

sqlite> .table

blocked_hashes  blocked_teams   settings

Example 8: Gatekeeper's database - gk.db

The following SQL command can be used to display the IDs in blocked_teams table.

sqlite> select * from blocked_teams LIMIT 10;


F9X83Q5222|1

SS3YFP6RJ7|0

QC8B2PF82S|0

UQ5TUCT7AL|0

NZD5N78GXM|0

Q6XAB4776L|0

GQ65ME5KV3|0

8CHL2NLV6W|0

7698FPNAVX|0

DB6GMRL6AQ|0

Example 9: blocked team IDs in gk.db

Malware Detection - XProtect.bundle

macOS has a built-in security tool called XProtect that provides signature-based detection. XProtect performs malware detection using YARA signatures. YARA rules are regularly updated by Apple.
XProtect performs a continuous security scan of the macOS system, including in the following cases.

  • Launch a downloaded app for the first time 
  • Change an app in the file system
  • XProtect signatures are updated

XProtect is included in File Quarantine technology.

When an application downloaded from the Internet using an application sensitive to File Quarantine technology is opened, A warning appears in front of the user that the application is downloaded from the Internet (Gatekeeper).

When this application downloaded from the Internet is run, File Quarantine technology checks whether the relevant application matches any of the signatures in XProtect. If there is a match, another warning is displayed saying that running the application may harm the system (File Quarantine).

XProtect checks application files and file hashes against these signatures when the application is first launched or whenever it changes. When XProtect detects a matching signature, it prevents the relevant code from running, and the user is informed of the option to delete the relevant application (Gatekeeper).


Figure 8: XProtect Warning

XProtect Files

XProtect is included in macOS in .bundle format. XProtect files are located at /Library/Apple/System/Library/CoreServices/XProtect.bundle.

➜ ~ tree XProtect.bundle 


XProtect.bundle

└── Contents

    ├── Info.plist

    ├── Resources

    │   ├── LegacyEntitlementAllowlist.plist

    │   ├── XProtect.meta.plist

    │   ├── XProtect.plist

    │   ├── XProtect.yara

    │   └── gk.db

    ├── _CodeSignature

    │   ├── CodeDirectory

    │   ├── CodeRequirements

    │   ├── CodeRequirements-1

    │   ├── CodeResources

    │   └── CodeSignature

    └── version.plist

4 directories, 12 files

Example 10: Contents of XProtect.bundle folder

XProtect.yara: This file contains Apple's built-in YARA rules.

import "hash"
private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
private rule PE
{
    meta:
        description = "private rule to match PE binaries"
    condition:
        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x4550
}
rule XProtect_MACOS_644e18d
{
    meta:
        description = "MACOS.644e18d"
    strings:
        $a = { 63 6f 6e 6e 65 63 74 54 6f 50 72 6f 78 79 4d 61 6e 61 67 65 72 }
        $b = { 63 6f 6e 6e 65 63 74 54 6f 44 65 73 74 69 6e 61 74 69 6f 6e }
        $c = { 68 65 61 72 74 62 65 61 74 53 65 6e 64 65 72 }
        $d = { 63 6f 6e 6e 65 63 74 54 6f 43 6e 63 }
        $e = { 70 72 6f 78 69 74 2e 63 6f 6d 2f 70 65 65 72 }
    condition:
        Macho and 2 of them
}

…redacted…

Example 11: Contents of XProtect.yara

XProtect.meta.plist: This .plist file contains information about malicious application plugins (Java, Flash, etc.) and harmful Safari extensions. Extension block definitions are made according to the bundle identifier and related Developer ID information.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

 <key>ExtensionBlacklist</key>

 <dict>

  <key>Extensions</key>

  <array>

   <dict>

    <key>CFBundleIdentifier</key>

    <string>com.searchnt.safari</string>

    <key>Developer Identifier</key>

    <string>6ERPEMNB65</string>

   </dict>

   <dict>

    <key>CFBundleIdentifier</key>

    <string>com.shelfsick.safari</string>

    <key>Developer Identifier</key>

    <string>33HGJH7H8P</string>

   </dict>

   <dict>

    <key>CFBundleIdentifier</key>

    <string>com.searchnt.safari</string>

    <key>Developer Identifier</key>

    <string>LUZSN84HYP</string>

   </dict>

…redacted…

Example 12: Contents of XProtect.meta.plist

XProtect.plist: This .plist file contains information about the application bundle and the harmful content in it. As an example, the content of the OSX.28a9883 signature name in XProtect.plist is given below.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<array>

 <dict>

  <key>Description</key>

  <string>OSX.28a9883</string>

  <key>LaunchServices</key>

  <dict>

   <key>LSItemContentType</key>

   <string>com.apple.application-bundle</string>

  </dict>

  <key>Matches</key>

  <array>

   <dict>

    <key>MatchFile</key>

    <dict>

     <key>NSURLTypeIdentifierKey</key>

     <string>public.unix-executable</string>

    </dict>

    <key>MatchType</key>

    <string>Match</string>

    <key>Pattern</key>

    <string>3A6C6162656C3A706C697374506174683A</string>

   </dict>

   <dict>

    <key>MatchFile</key>

    <dict>

     <key>NSURLTypeIdentifierKey</key>

     <string>public.unix-executable</string>

    </dict>

    <key>MatchType</key>

    <string>Match</string>

    <key>Pattern</key>

    <string>3A62696E3A706C6973743A</string>

   </dict>

   <dict>

    <key>MatchFile</key>

    <dict>

     <key>NSURLTypeIdentifierKey</key>

     <string>public.unix-executable</string>

    </dict>

    <key>MatchType</key>

    <string>Match</string>

    <key>Pattern</key> <string>214023247E5E262A28295B5D7B7D3A3B3C3E2C2E31713277336534723574367937753869396F3070415A5358444346564742484E4A4D4B4C5157455254595549</string>

   </dict>

  </array>

 </dict>

…redacted…

Example 13: Contents ofXProtect.plist

The "string" values in the "pattern" keys can be analyzed by converting them to ASCII format as follows. These patterns are searched by XProtect for each signature in the plist file.

Hex Value Stored in the Pattern Key

Converted to ASCII

3A6C6162656C3A706C697374506174683A

:label:plistPath:

3A62696E3A706C6973743A

:bin:plist:

214023247E5E262A28295B5D7B7D3A3B3C3E2C2E31713277336534723574367937753869396F3070415A5358444346564742484E4A4D4B4C5157455254595549

!@#$~^&*()[]{}:;<>,.1q2w3e4r5t6y7u8i9o0pAZSXDCFVGBHNJMKLQWERTYUI

LegacyEntitlementAllowlist.plist: This plist file is undocumented by Apple.
It is seen that only cdhash information is included in the plist. Detailed information about cdhash can be found in Apple documentation.

cdhash: The code directory hash identifies a specific version of a program. This allows the system to verify that the contents of a binary have not changed since being code-signed.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

 <key>cdhashes</key>

 <array>

  <data>

  AAFd7LJtQHNzgvxZ5kOMf5kNDVo=

  </data>

  <data>

  AAQCJMThA3BGcNrYDj3cGpx+i3U=

  </data>

…redacted…

Example 14: Contents of LegacyEntitlementAllowlist.plist

XProtect Unified Logs: An example of unified logs of XProtect Remediator events are given below.

➜ ~ log show -info -backtrace -debug -loss -signpost -predicate 'subsystem == "com.apple.xprotect"'


Filtering the log data using "subsystem == "com.apple.xprotect""

Timestamp Thread Type Activity PID TTL

2023-07-24 10:03:23.070580+0300 0x3f1a Default 0x0 1387 0 XprotectService: [com.apple.xprotect:xprotect] Using meta-plist from: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist

2023-07-25 19:19:22.509786+0300 0x52629 Default 0x0 4602 0 XprotectService: [com.apple.xprotect:xprotect] Using meta-plist from: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist


…redacted…

Example 15: XProtect unified logs

Malware Removal Tool - MRT

MRT is another built-in anti-malware tool for macOS which is available on macOS 10.8.3 and higher versions. When it is infected with malware, the macOS system is cleaned with MRT. MRT checks the malware database regularly updated by Apple and removes infections. Similar to XProtect, MRT is activated automatically at system startup. MRT is located at /Library/Apple/System/Library/CoreServices/MRT.app.

➜ ~ tree MRT.app


MRT.app

└── Contents

    ├── Frameworks

    │   ├── libswiftAppKit.dylib

    │   ├── libswiftCore.dylib

    │   ├── libswiftCoreData.dylib

    │   ├── libswiftCoreFoundation.dylib

    │   ├── libswiftCoreGraphics.dylib

    │   ├── libswiftCoreImage.dylib

    │   ├── libswiftDarwin.dylib

    │   ├── libswiftDispatch.dylib

    │   ├── libswiftFoundation.dylib

    │   ├── libswiftIOKit.dylib

    │   ├── libswiftMetal.dylib

    │   ├── libswiftObjectiveC.dylib

    │   ├── libswiftQuartzCore.dylib

    │   ├── libswiftXPC.dylib

    │   └── libswiftos.dylib

    ├── Info.plist

    ├── MacOS

    │   ├── MRT

    │   └── mrt-helper

    ├── PkgInfo

    ├── Resources

    │   ├── Info.plist

    │   ├── ar.lproj

…redacted…

42 directories, 95 files

Example 16: Contents of MRT.app folder

When the MRT binary is analyzed, data related to different malware types are seen.

Figure 9: MRT binary

For example, when the data of the Mughtesec malware is examined, it is understood that the MRT application keeps behavioral patterns of the malicious software and detects the malware by comparing the activities in the system with these patterns.

Figure 10: Mughtesec malware family

MRT is retired from macOS and is being replaced by XProtect Remediator.

XProtect Remediator - XProtect.app

With the release of macOS 12.3, Apple also released a new macOS tool called XProtect Remediator (XPR). XProtect Remediator is reminiscent of MRT in the sense that it is an application package, but it contains different binaries for different malware.

➜ ~ tree XProtect.app


XProtect.app

└── Contents

    ├── Info.plist

    ├── MacOS

    │   ├── XProtect

    │   ├── XProtectRemediatorAdload

    │   ├── XProtectRemediatorBadGacha

    │   ├── XProtectRemediatorColdSnap

    │   ├── XProtectRemediatorDubRobber

    │   ├── XProtectRemediatorEicar

    │   ├── XProtectRemediatorFloppyFlipper

    │   ├── XProtectRemediatorGenieo

    │   ├── XProtectRemediatorGreenAcre

    │   ├── XProtectRemediatorKeySteal

    │   ├── XProtectRemediatorMRTv3

    │   ├── XProtectRemediatorPirrit

    │   ├── XProtectRemediatorRankStank

    │   ├── XProtectRemediatorRoachFlight

    │   ├── XProtectRemediatorSheepSwap

    │   ├── XProtectRemediatorSnowBeagle

    │   ├── XProtectRemediatorSnowDrift

    │   ├── XProtectRemediatorToyDrop

    │   ├── XProtectRemediatorTrovi

    │   └── XProtectRemediatorWaterNet

    ├── PkgInfo

    ├── Resources

    │   ├── com.apple.XProtect.agent.scan.plist

    │   ├── com.apple.XProtect.agent.scan.startup.plist

    │   ├── com.apple.XProtect.daemon.scan.plist

    │   ├── com.apple.XProtect.daemon.scan.startup.plist

    │   ├── com.apple.XprotectFramework.PluginService.plist

    │   └── libXProtectPayloads.dylib

    ├── XPCServices

    │   └── XProtectPluginService.xpc

    │       └── Contents

    │           ├── Info.plist

    │           ├── MacOS

    │           │   └── XProtectPluginService

    │           ├── _CodeSignature

    │           │   └── CodeResources

    │           └── version.plist

    ├── _CodeSignature

    │   └── CodeResources

    └── version.plist

10 directories, 34 files

Example 17: Contents of XProtect.app folder

Different binaries for different malware are in XProtectRemediator<FAMILY_NAME> format. The main differences between MRT and XProtect Remediator are as follows.

  • MRT only works during the reboot and login phases.
  • XProtect Remediator scans at regular intervals.

Unified logs of XProtect Remediator events can be examined as follows.

When the logs are examined, it is seen that the binaries in XProtect Remediator are scanned regularly.

➜ ~ log show -info -backtrace -debug -loss -signpost -predicate 'subsystem == "com.apple.XProtectFramework.PluginAPI" && category == "XPEvent. Structured"'


Filtering the log data using "subsystem == "com.apple.XProtectFramework.PluginAPI" AND category == "XPEvent.structured""
Timestamp Thread Type Activity PID TTL
2023-07-25 12:09:44.709808+0300 0xaafcff Default 0x0 24149 0 XProtectRemediatorSnowDrift: [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"caused_by":[],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.00012195110321044922}

2023-07-25 12:09:44.806791+0300 0xaafd07 Default 0x0 24150 0 XProtectRemediatorTrovi: [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"caused_by":[],"status_message":"NoThreatDetected","status_code":20,"execution_duration":9.1910362243652344e-05}


…redacted…

Example 18: XProtect Remediator unified logs

Malware Response in Apple

When new malware is discovered, the following steps are taken.

  • Any associated Developer ID certificates are revoked.
  • Notarization revocation tickets are issued for all files (apps and associated files).
  • XProtect signatures are developed and released.

Behavioral Detection - BastionRules

Apple has released a new XProtect module with macOS Ventura. With this module, it is seen that XProtect has a behavioral detection feature. The SQLite database file of this module is located at /var/protected/xprotect/XPdb.

Figure 11: XPdb

An example rule structure and information in the events table is as follows.

Figure 12: XPdb BastionRules

XPdb and XProtect activities, in general, are handled by the System Configuration Policy Daemon - syspolicyd.
When the syspolicyd binary is analyzed, the registerBastionProfile function is seen in the SandboxManager class. The retain array draws attention to this function.

Figure 13: XPdb - retain

When the offset is analyzed, the following data can be seen.

Figure 14: syspolicyd - retain array

The edited version of the data in aNversion3nnall is as follows.

(version 3)

(allow default job-creation file-write-setugid)
(allow file-test-existence)

(define (system-binary signing-id)

 (require-all
  (signing-identifier signing-id)

  (process-attribute is-platform-binary)))

(define bastion-usual-offenders
 (require-any
  (system-binary \"com.apple.imagent\")
  (system-binary \"com.apple.imtransferservices.IMTransferAgent\")

  (system-binary \"com.apple.fseventsd\")
  (system-binary \"com.apple.mds\")
  (system-binary \"com.apple.mdsync\")
  (system-binary \"com.apple.XProtectFramework.plugins.MRTv3\")

  (system-binary \"com.apple.MRT\")
  (system-binary \"com.apple.XProtectFramework.plugins.Pirrit\")

  (system-binary \"com.apple.mdworker_shared\")

  (system-binary \"com.apple.jetsam_priority\")

  (system-binary \"com.apple.diskarbitrationd\")

  (system-binary \"com.apple.StorageManagement.Service\")

  (system-binary \"com.apple.dt.IDECacheDeleteAppExtension\")

  (system-binary \"com.apple.STMExtension.Applications\")

  (system-binary \"com.apple.StorageManagement.Service\")

  (system-binary \"com.apple.coreservices.uiagent\")

  (system-binary \"com.apple.imdpersistence.IMDPersistenceAgent\")))


(define rule-one-offenders

(require-any

  (system-binary \"com.apple.Safari.PasswordBreachAgent\")

  (system-binary \"com.apple.Safari.History\")

  (system-binary \"com.apple.Safari.CacheDeleteExtension\")

  (system-binary \"com.apple.Finder\")

  (system-binary \"com.apple.SafariBookmarksSyncAgent\")

  (system-binary \"com.apple.UserEventAgent\")

  (system-binary \"com.apple.appkit.xpc.openAndSavePanelService\")

  (system-binary \"com.apple.SafariNotificationAgent\")

  (system-binary \"com.apple.dt.SKAgent\")

  (system-binary \"com.apple.backupd\")

  (system-binary \"com.apple.STMExtension.Developer\")

  (system-binary \"com.apple.STMExtension.Mail\")

  (system-binary \"com.apple.Safari\")))


(define rule-two-offenders

 (require-any

  (system-binary \"com.apple.suggestd\")

  (system-binary \"com.apple.IMAutomaticHistoryDeletionAgent\")

  (system-binary \"com.apple.MobileSMS\")

  (system-binary \"com.apple.MobileSMS.spotlight\")

  (system-binary \"com.apple.photolibraryd\")

  (system-binary \"com.apple.Spotlight\")

  (system-binary \"com.apple.coreduetd\")

  (system-binary \"com.apple.filecoordinationd\")

  (system-binary \"com.apple.Safari.SandboxBroker\")

  (system-binary \"com.apple.quicklook.ThumbnailsAgent\")

  (system-binary \"com.apple.messages.StorageManagementExtension\")

  (system-binary \"com.apple.corespotlightd\")

  (system-binary \"com.apple.mdwrite\")))


(define rule-three-offenders

 (require-any

  (system-binary \"com.apple.Safari\")

  (system-binary \"com.apple.cfprefsd\")

  (system-binary \"com.apple.mail\")

  (system-binary \"com.apple.lsd\")

  (system-binary \"com.apple.sharingd\")

  (system-binary \"com.apple.dataaccess.dataaccessd\")

  (system-binary \"com.apple.defaults\")))


(with-filter

 (require-not (require-any bastion-usual-offenders rule-one-offenders))

  (allow (with user-approval \"BastionRule-1\") file*

   (subpath \"${ANY_USER_HOME}/Library/Application Support/Google/Chrome/Default/\"))

  (allow (with user-approval \"BastionRule-1\") file*

   (subpath \"${ANY_USER_HOME}/Library/Application Support/Firefox/Profiles/\"))

  (allow (with user-approval \"BastionRule-1\") file* 

   (subpath \"${ANY_USER_HOME}/Library/Safari/\")))

(with-filter

 (require-not (require-any bastion-usual-offenders rule-two-offenders))

  (allow (with user-approval \"BastionRule-2\") file* 

   (subpath \"${ANY_USER_HOME}/Library/Messages/\"))

  (allow (with user-approval \"BastionRule-2\") file*

   (subpath \"${ANY_USER_HOME}/Library/Application Support/Microsoft/Teams/\"))

  (allow (with user-approval \"BastionRule-2\") file*

   (subpath \"${ANY_USER_HOME}/Library/Application Support/Slack/\"))

  (allow (with user-approval \"BastionRule-2\") file*

   (subpath \"${ANY_USER_HOME}/Library/Application Support/WhatsApp/\")))


(with-filter

 (require-not (require-any bastion-usual-offenders rule-three-offenders))

  (allow (with user-approval \"BastionRule-3\") file*


(literal \"${ANY_USER_HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\")))


(with-filter

 (require-not (process-attribute is-platform-binary))

  (allow (with user-approval \"BastionRule-4\") socket-ioctl

   (ioctl-command SIOCIFCREATE SIOCGIFDESC)))

When these data are analyzed, it is understood that Bastion rules are the working mechanism.

It sets up four filters using the with-filter construct to control access permissions based on specific conditions:

  1. The first filter, BastionRule-1, restricts file access to specific subpaths within Chrome, Firefox, and Safari application support directories, but only if the accessed binary is not part of either bastion-usual-offenders or rule-one-offenders.

  2. The second filter, BastionRule-2, allows access to subpaths within Messages, Microsoft Teams, Slack, and WhatsApp application support directories, but only if the accessed binary is not part of either bastion-usual-offenders or rule-two-offenders.

  3. The third filter, BastionRule-3, grants access to a specific file ( com.apple.LaunchServices.QuarantineEventsV2 ) in the user's preferences directory ( Library/Preferences/ ) but only if the accessed binary is not part of either bastion-usual-offenders or rule-three-offenders.

  4. The fourth filter, BastionRule-4, allows access to a specific socket ioctl command ( SIOCIFCREATE and SIOCGIFDESC ), but only if the process attribute is-platform-binary is not satisfied.

There are four types of Bastion rules. For example, with the BastionRule-1 type rule, it is understood that the application movements in the ~/Library/Application Support/ directory are followed.

In macOS Ventura, these behaviors are not blocked; they are saved in the XPdb database.

Conclusion

macOS has many built-in security features that provide good security for the average user. With regular updates and responsible user practices, macOS is a great option for everyday use. 

For those who are looking for a more secure, safe, and reliable computing experience, learning the details of Apple's security utilities is a great way to safeguard user data and privacy. Understanding long-standing applications such as File Quarantine and Gatekeeper and new features such as XProtect Remediator would help users and security professionals attain a higher level of security.