If third-party vendors want to add new features to the macOS kernel, such as antivirus capabilities, ransomware blocking, data breach auditing, behavior monitoring and so on, they usually need the support of the system’s exported interfaces. At present, only two known official interfaces are available, they are Kernel Authorization subsystem and Mandatory Access Control framework. Unfortunately, neither of them are suitable for today’s kernel development tasks. The Kernel Authorization KPIs was designed thirteen years ago and it is clear that it lacks the necessary maintenance and upgrades. For example, there are only seven file operation related notification callbacks available, which are obviously not enough. For each notification callback (KAUTH_SCOPE_FILEOP), we cannot modify the return results. For some specific callback functions, the input parameters lack critical context information. As for the Mandatory Access Control framework, Apple directly claims that third parties should not use these private interfaces, this mechanism is not part of the KPI.
In order to bring about some changes, I’d like to introduce you to Kemon, an open source Pre and Post-operation based kernel callback framework. With the power of Kemon, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as: CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.
Kemon’s features include:
In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.
Please use Xcode project or makefile to build the Kemon kext driver