This is the third and final post of a three-part series on understanding kernel extension frameworks for Mac systems. In part 1, we reviewed the existing kernel extension frameworks and the information that these frameworks can provide. In part 2 we covered techniques that could be used in kernel to gather even more details on system events.

At WWDC 2019, Apple announced that in the upcoming macOS 10.16 release, third party vendors will no longer be allowed to run in the kernel via kernel extensions. What this means for security vendors is that those who are currently using a kernel extension to provide protection or detection will essentially need to toss out their kernel component and use the new frameworks that Apple has provided. In this post, we will go into the new EndpointSecurity and SystemExtensions frameworks.

The EndpointSecurity framework, which is a userland framework that can be used by any process with the correct entitlements to receive system events, as well as allow/block system events.
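To make the "receive events, allow/block events" distinction concrete, here is an added example (written for this edit, not code from the original post or from Apple) of a minimal EndpointSecurity client in Objective-C. It assumes a macOS 10.15 or later SDK, that the binary is signed with the `com.apple.developer.endpoint-security.client` entitlement and run as root, and uses a constructed demo policy (`kBlockedPrefix`) purely to show the shape of an AUTH response; the path and the policy are illustrative, not anything the post recommends.

```objc
// Added example, not from the original post: a minimal EndpointSecurity
// client that logs every process exec (NOTIFY) and answers one allow/deny
// question (AUTH). Assumed build on macOS 10.15+ SDK, then sign with the
// com.apple.developer.endpoint-security.client entitlement and run as root:
//   clang -fobjc-arc -framework Foundation -lEndpointSecurity es_demo.m -o es_demo
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>

// Constructed demo policy: refuse to execute anything under this directory.
// A real product would load policy from signed configuration, not a literal.
static NSString *const kBlockedPrefix = @"/private/tmp/es-demo-blocked/";

// es_string_token_t is a (pointer, length) pair, not a NUL-terminated C string.
static NSString *TokenToString(es_string_token_t tok) {
    return [[NSString alloc] initWithBytes:tok.data
                                    length:tok.length
                                  encoding:NSUTF8StringEncoding] ?: @"";
}

int main(void) {
    es_client_t *client = NULL;

    // The handler block runs on an ES-owned thread for every subscribed event.
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            switch (msg->event_type) {
                case ES_EVENT_TYPE_AUTH_EXEC: {
                    // AUTH events hold the exec until we respond (before msg->deadline).
                    NSString *path = TokenToString(msg->event.exec.target->executable->path);
                    es_auth_result_t verdict = [path hasPrefix:kBlockedPrefix]
                        ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW;
                    // cache=false: ES asks again next time instead of caching the verdict.
                    es_respond_auth_result(c, msg, verdict, false);
                    break;
                }
                case ES_EVENT_TYPE_NOTIFY_EXEC: {
                    // NOTIFY events are informational; no response is expected.
                    pid_t pid  = audit_token_to_pid(msg->event.exec.target->audit_token);
                    pid_t ppid = msg->event.exec.target->ppid;
                    NSLog(@"exec pid=%d ppid=%d path=%@", pid, ppid,
                          TokenToString(msg->event.exec.target->executable->path));
                    break;
                }
                default:
                    break;
            }
        });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        // Typical causes: missing entitlement, not running as root, no Full Disk Access.
        NSLog(@"es_new_client failed: %d", r);
        return 1;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_NOTIFY_EXEC };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        NSLog(@"es_subscribe failed");
        es_delete_client(client);
        return 1;
    }

    NSLog(@"subscribed; press Ctrl-C to stop");
    dispatch_main();  // never returns; keeps the process alive to receive events
}
```

The two event kinds behave differently: for `ES_EVENT_TYPE_AUTH_EXEC` the kernel suspends the exec until the client calls `es_respond_auth_result` (missing the deadline gets the client killed), whereas `ES_EVENT_TYPE_NOTIFY_EXEC` is delivered after the fact and must not be answered. Keeping the AUTH path fast and doing any heavy analysis on the NOTIFY path is the usual design for a detection product built on this framework.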