Time to move from Kernel Extension to System Extension

Kernel Extensions (KEXTs)?

Kernel Extensions (KEXTs) give developers a way to load their code directly into the macOS kernel. A KEXT is fundamentally an extension of what macOS itself does: it can extend or change a particular service. Because KEXTs run as part of the kernel, which controls everything on the system, they get full system privileges, which makes it possible to build very powerful apps.

As they say, with power comes responsibility. A small bug in kernel code can bring the whole system down, which makes kernel extensions complex and hard to develop. A malicious or badly written kernel extension therefore poses a great risk from both a security and a stability perspective.

Deprecation of Kernel Extensions

At the Worldwide Developers Conference (WWDC) 2019, Apple announced the deprecation of certain KEXTs, also called legacy system extensions. According to Apple, kernel programming interfaces (KPIs) will be deprecated as alternatives become available, and future OS releases will no longer load kernel extensions that use deprecated KPIs by default. macOS Catalina will be the last macOS to fully support KEXTs.

System Extensions

The modern alternatives to KEXTs are System Extensions and DriverKit. System extensions and drivers built with DriverKit run in user space, where they can't compromise the security or stability of macOS. Once installed, an extension is available to all users on the system and can perform tasks previously reserved for kernel extensions. There are 3 types of System Extensions:

  1. Network Extensions: These replace the network KEXTs (NKEs) and are useful for writing apps such as
    1. Content filters, e.g. web and URL filters used by companies to detect malicious/phishing URLs or to categorize them.
    2. App proxy providers, which are typically used to scan traffic through a proxy, e.g. mail proxies that detect spam.
    3. Next-generation security solutions such as Zero Trust Network Access (ZTNA), SDP, etc.
  2. Endpoint Security: These replace the KAUTH-based modules that are typically used in
    1. Endpoint security clients such as Endpoint Detection and Response (EDR)
    2. Antivirus real-time protection
    3. Activity monitors
  3. DriverKit: This replaces some of the IOKit-based drivers that are mainly used for writing device drivers such as USB, NIC, HID, etc.

Transition

Apple has been working with developers to transition their software. System Extensions improve security and reliability and enable more user-friendly software distribution mechanisms on macOS.

macOS Catalina 10.15.4 and later updates show the following message when a legacy system extension is loaded:


For the transition period, Apple has provided a way to allow legacy system extensions, with the caveat that they will not work on future versions of macOS.

Challenges

System Extensions are meant to make life easier for users and developers. Based on our experience, users will certainly benefit from the move, but developing System Extensions is still a significant effort. This is because:

  • Some areas are still not documented properly. It is only through a lot of analysis and observation that we could infer how they behave.
  • There are runtime challenges. For example, multiple Network Extensions trying to save preferences concurrently may cause one of the operations to fail. This can be handled by serializing the save operations yourself instead of relying on the Network Extension framework.
  • For VPN-related Network Extensions, attempts to start the VPN tunnel from a daemon might fail because the Network Extension framework is not yet ready. Based on our research, an option is to move these calls to a Launch Agent.
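The serialization described in the second point, as an added example that is not part of the original post: a small Swift helper for the host app that manages the extension configurations. It funnels every load/save of Network Extension preferences through one serial queue, so only one `saveToPreferences` is in flight at a time regardless of how many managers (tunnel, content filter, app proxy) the app owns. The queue label and the manager configuration values are assumptions.

```swift
import Foundation
import NetworkExtension

/// Serializes preference loads/saves for all Network Extension managers
/// owned by this process, so two saves never race inside the framework.
final class NEPreferenceSerializer {
    static let shared = NEPreferenceSerializer()

    // Serial queue: the next save starts only after the previous one completed.
    private let queue = DispatchQueue(label: "com.example.ne-preferences.serial") // hypothetical label

    /// Runs an asynchronous NE operation and blocks the serial queue until
    /// its completion handler fires. The NE framework calls completion
    /// handlers on its own queue, so waiting here does not deadlock.
    func perform(_ operation: @escaping (@escaping (Error?) -> Void) -> Void,
                 completion: @escaping (Error?) -> Void) {
        queue.async {
            let done = DispatchSemaphore(value: 0)
            var outcome: Error?
            operation { error in
                outcome = error
                done.signal()
            }
            done.wait()
            completion(outcome)
        }
    }

    /// Load-then-save for a VPN/tunnel manager. Loading first picks up the
    /// latest stored version so the save does not overwrite a sibling's change.
    func save(_ manager: NEVPNManager, completion: @escaping (Error?) -> Void) {
        perform({ finish in
            manager.loadFromPreferences { loadError in
                if let loadError = loadError { finish(loadError); return }
                manager.saveToPreferences(completionHandler: finish)
            }
        }, completion: completion)
    }

    /// Same pattern for the content filter manager.
    func saveFilter(completion: @escaping (Error?) -> Void) {
        let filter = NEFilterManager.shared()
        perform({ finish in
            filter.loadFromPreferences { loadError in
                if let loadError = loadError { finish(loadError); return }
                filter.saveToPreferences(completionHandler: finish)
            }
        }, completion: completion)
    }
}
```

Call `NEPreferenceSerializer.shared.save(tunnelManager) { error in ... }` and `saveFilter { error in ... }` from wherever the app previously called `saveToPreferences` directly; the second call queues behind the first instead of running concurrently.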

Conclusion

Based on our extensive research and development on System Extensions, we have listed only a few of the challenges here. We reckon there are many more stones still to be turned.

It seems that legacy system extensions still work on Big Sur, but based on Apple's statement they will soon be deprecated and will not load. So if you are a developer still working on a Kernel Extension, it's time to move to a System Extension.