nondetection
The Mac didn't seem like much of an operating system to attack for a while. Then it did. Apple reacted with great strides to further protect Macs, compartmentalizing all the things along the way. The attack surface moved. Let's talk about why developers don't always get to have nice things and dig into the extensibility of apps and browsers a little.
This conversation begins with telemetry into how modern app toolchains work on the platform now that it's sandboxed. Compartmentalized apps don't use older dylibs or kernel extensions. Instead, they use app, system, network, driver, or browser extensions (sometimes these categories overlap or can communicate with one another). For example, it's common for a password manager to use Apple's AutoFill Extension, a browser plug-in/extension (or four), and for that extension to have entitlements to access other apps. Word salad jargon unpacked:
Sandbox: Somewhat based on the TrustedBSD model, this is often used as a broad term for the gradual elimination of root account access, the restriction of kernel access, and more granular controls to access system resources and user data in macOS to only apps with a given set of entitlements.
Extensions: To quote Apple Support "System extensions work in the background to extend the functionality of your Mac." https://support.apple.com/en-us/HT210999
System Extensions: System extensions run in the background to add new functionality to a Mac. Because they run in the background, Apple is concerned about the privacy and security implications and so has typically required a certain level of telemetry for end users into what functionality they provide. The main types of system extensions are DriverKit (to create drivers that interface with hardware), Endpoint Security (to observe and block system events of the kind traditionally caused by malware), and Network Extensions (to control the flow of packets over interfaces, as is often done with proxies, ZTNA, content filters, VPNs, etc.). Some of these require entitlements granted by Apple before they can be included in a project.
App Extensions: App extensions allow developers to provide functionality beyond their app so other developers can use it or embed an experience into their own. Apple creates plenty of extension points to make it easier for third-party developers to deliver consistent experiences. Examples of this are how many apps show notifications, use Quick Look, or have similar share sheets. These are used in apps and made possible by other apps (for the most part).
Browser Extensions: Safari, the native browser on the Mac, has one set of options, but it's not the only extensible browser. People might also load Google Chrome, Firefox, Microsoft Edge, or a number of other browsers. Those that use WebKit primarily have similar extension options to Safari's, but Chrome, Firefox, and Edge might be completely different. Most render data for a user to view with an HTML file but also have a JavaScript file or collection of JavaScript files used to monitor for a given behavior and, when triggered, take an action or set of actions.
Entitlements: To quote Apple Developer Documentation "An entitlement is a right or privilege that grants an executable particular capabilities." https://developer.apple.com/documentation/bundleresources/entitlements
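The browser extension entry above describes an HTML file plus JavaScript that watches for a behavior and acts on it; the first question a reviewer asks of such an extension is which pages that JavaScript can reach and what it is permitted to do. The following is an added example, not code from the original page or from any project it describes: it reads a constructed manifest.json (the format Chrome, Edge and Firefox extensions share) and reports host access, notable permissions and content-script injection, with a match-pattern checker so you can ask whether a specific URL is in scope. The permission descriptions are this example's own wording for real manifest keys.

```python
"""Summarise what a browser extension may do, from its manifest.json.

Added example, not code from the original page. The manifest below is
constructed for illustration; the permission descriptions are this example's
own wording for real Chrome/Edge/Firefox manifest keys (MV2 and MV3 names).
"""
import json
from fnmatch import fnmatchcase

# Host patterns that amount to "every site the user visits".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permission names a reviewer should notice, with what each one unlocks.
SENSITIVE_PERMISSIONS = {
    "tabs": "read the URL and title of every open tab",
    "webRequest": "observe network requests to permitted hosts",
    "webRequestBlocking": "block or rewrite network requests (MV2)",
    "declarativeNetRequest": "block or rewrite requests by rule (MV3)",
    "cookies": "read and write cookies for permitted hosts",
    "clipboardRead": "read the clipboard",
    "scripting": "inject scripts into permitted pages",
    "nativeMessaging": "exchange messages with a native app on the Mac",
}


def pattern_matches(pattern, url):
    """Check a URL against one match pattern (scheme://host/path): a '*'
    scheme means http or https, a '*.example.com' host also matches
    example.com, and the path is a glob."""
    if pattern == "<all_urls>":
        return True
    scheme, _, rest = pattern.partition("://")
    host, _, path = rest.partition("/")
    u_scheme, _, u_rest = url.partition("://")
    u_host, _, u_path = u_rest.partition("/")
    if scheme == "*":
        if u_scheme not in ("http", "https"):
            return False
    elif scheme != u_scheme:
        return False
    if host.startswith("*."):
        host_ok = u_host == host[2:] or u_host.endswith(host[1:])
    else:
        host_ok = host == "*" or u_host == host
    return host_ok and fnmatchcase("/" + u_path, "/" + path)


def host_patterns(manifest):
    """Collect every host pattern, wherever the manifest version puts it:
    MV2 lists hosts under permissions, MV3 under host_permissions, and
    content_scripts carry their own matches."""
    patterns = set()
    for key in ("permissions", "host_permissions"):
        patterns.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return sorted(patterns)


def summarize_manifest(text):
    """Return the review-relevant facts from a manifest.json string."""
    manifest = json.loads(text)
    hosts = host_patterns(manifest)
    sensitive = sorted(p for p in manifest.get("permissions", []) if p in SENSITIVE_PERMISSIONS)
    scripts = [(s.get("matches", []), s.get("js", [])) for s in manifest.get("content_scripts", [])]
    findings = []
    if any(h in BROAD_HOSTS for h in hosts):
        findings.append("host access on every site the user visits")
    findings.extend(f"{p}: {SENSITIVE_PERMISSIONS[p]}" for p in sensitive)
    findings.extend(f"content scripts {js} run in pages matching {matches}" for matches, js in scripts)
    return {"name": manifest.get("name"), "manifest_version": manifest.get("manifest_version"),
            "hosts": hosts, "sensitive_permissions": sensitive,
            "content_scripts": scripts, "findings": findings}


def extension_can_reach(text, url):
    """Does any host pattern in the manifest cover this URL?"""
    return any(pattern_matches(p, url) for p in host_patterns(json.loads(text)))


# Constructed manifest for a password-manager style extension (not a real product).
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Vault", "version": "1.0", "manifest_version": 3,
    "permissions": ["storage", "tabs", "scripting", "nativeMessaging", "alarms"],
    "host_permissions": ["https://*/*"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["autofill.js"], "run_at": "document_idle"}],
})

if __name__ == "__main__":
    for finding in summarize_manifest(SAMPLE_MANIFEST)["findings"]:
        print("-", finding)
    print(extension_can_reach(SAMPLE_MANIFEST, "https://bank.example/login"))
```

Running the script lists five findings for the constructed manifest: broad host access, the three notable permissions (nativeMessaging, scripting, tabs), and the content script injected into every page. The nativeMessaging finding is the one that ties back to this page: it is the channel through which a browser extension reaches a native app, and so the point where browser and app extensibility meet.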
Systems administrators often focus on apps and configuration settings to enforce a given security posture. Extensions are a part of apps, but can be accessed by other apps. The fact that apps consume extensions, instantiate extensions, or have data that can be deep-linked into makes extensions a common blind spot in the modern device management toolchain for most organizations. Packages are brought into every programming language and are necessary both to provide a consistent experience and to keep developers from having to create every little thing they want to put into an app from scratch. This page is meant to provide an overview of a set of projects developed to research the abilities, workarounds, and dangers of extensions.
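Since an entitlement is, per the glossary above, the right that grants an executable a capability, the practical check behind the blind spot just described is to read the entitlements of each embedded extension and ask whether they widen the sandbox. The following is an added example, not code from the original page or from any project it describes: it classifies an entitlements plist using only the standard library, on a constructed plist. The keys are real Apple entitlement identifiers, but the grouping into system-extension, hardened-runtime-exception and temporary-exception buckets is this example's own judgement. On a real Mac the XML comes from `codesign -d --entitlements - <bundle>` (older macOS versions prepend a binary header that must be stripped first), and `systemextensionsctl list` and `pluginkit -m` enumerate the system and app extensions to feed into it.

```python
"""Classify the entitlements of a macOS app or extension from its plist.

Added example, not code from the original page. Only the standard library is
used; the plist below is constructed for illustration. The keys are real Apple
entitlement identifiers, but the grouping is this example's own judgement.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."

# Entitlements that let code run as a system extension or reach deep into the OS.
SYSTEM_EXTENSION_KEYS = {
    "com.apple.developer.system-extension.install": "may install system extensions",
    "com.apple.developer.endpoint-security.client": "Endpoint Security client, sees process and file events",
    "com.apple.developer.networking.networkextension": "Network Extension, can filter or proxy traffic",
    "com.apple.developer.driverkit": "DriverKit driver, talks to hardware",
}

# Hardened Runtime exceptions: each gives up a protection the runtime enforces by default.
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation": "loads libraries signed by other teams",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_* variables",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
    "com.apple.security.cs.allow-jit": "JIT executable memory",
    "com.apple.security.cs.debugger": "may attach to other processes",
}


def granted(value):
    """Apple expresses a granted entitlement as true, a non-empty string,
    or a non-empty array; anything else counts as not granted."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (str, list)):
        return len(value) > 0
    return bool(value)


def classify_entitlements(plist_text):
    """Sort an entitlements plist (XML text) into review categories."""
    entitlements = plistlib.loads(plist_text.encode("utf-8"))
    report = {
        "sandboxed": granted(entitlements.get(SANDBOX_KEY, False)),
        "system_extension": [],
        "hardened_runtime_exceptions": [],
        "temporary_exceptions": [],
        "other": [],
    }
    for key, value in entitlements.items():
        if key == SANDBOX_KEY or not granted(value):
            continue  # a false or empty value does not widen anything
        if key in SYSTEM_EXTENSION_KEYS:
            report["system_extension"].append(key)
        elif key in HARDENED_RUNTIME_EXCEPTIONS:
            report["hardened_runtime_exceptions"].append(key)
        elif key.startswith(TEMP_EXCEPTION_PREFIX):
            report["temporary_exceptions"].append(key)
        else:
            report["other"].append(key)
    for bucket in ("system_extension", "hardened_runtime_exceptions", "temporary_exceptions", "other"):
        report[bucket].sort()
    return report


def risk_findings(report):
    """Turn a classification into the points a reviewer would raise."""
    findings = []
    if not report["sandboxed"]:
        findings.append("not sandboxed: runs with the user's full file and network access")
    findings.extend(f"{k}: {SYSTEM_EXTENSION_KEYS[k]}" for k in report["system_extension"])
    findings.extend(f"{k}: {HARDENED_RUNTIME_EXCEPTIONS[k]}" for k in report["hardened_runtime_exceptions"])
    findings.extend(f"{k}: temporary exception that widens the sandbox" for k in report["temporary_exceptions"])
    return findings


# Constructed entitlements for a sandboxed content-filter extension (not a real product).
SAMPLE_ENTITLEMENTS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <array><string>group.example.vault</string></array>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider</string></array>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.cs.allow-jit</key>
  <false/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <array><string>/Library/Preferences/</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in risk_findings(classify_entitlements(SAMPLE_ENTITLEMENTS)):
        print("-", finding)
```

For the constructed plist the script reports three findings: the Network Extension entitlement, the disabled library validation, and the temporary file-system exception; `allow-jit` is present but set to false, so it is correctly ignored. The application-groups entitlement lands in the "other" bucket, which is where the cross-app data sharing mentioned above shows up and is worth a second look on its own.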