
Little Snitch and the deprecation of kernel extensions - guessmyname
https://blog.obdev.at/little-snitch-and-the-deprecation-of-kernel-extensions/
======
jiripospisil
This is good news. Moving to the Network Extension framework means that Little
Snitch's filtering will run entirely in user space, which is not only great
for security but it will also allow the code to be written in a higher level
language such as Swift.
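A user-space filter of the kind discussed here also lets the per-app verdicts it logs be analysed after the fact. As an added example that is not Little Snitch's code or the blog's, here is a small analyser over a constructed, simplified connection log: it flags a process that, after its connections to hostnames were denied, falls back to connecting to bare IP addresses (the updater behaviour described further down in the thread), while leaving alone processes that never had a name denied, since a raw-IP connection on its own may just mean DNS failed. The log format, process names and addresses are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a simplified "timestamp process verdict host:port"
# form; this is not real Little Snitch output, and the process name,
# addresses and timestamps are invented for the example.
SAMPLE_LOG = """\
2020-06-01T10:00:01 GoogleSoftwareUpdater deny google.com:443
2020-06-01T10:00:05 GoogleSoftwareUpdater deny google.com:443
2020-06-01T10:00:09 GoogleSoftwareUpdater deny updates.example-cdn.net:443
2020-06-01T10:00:15 GoogleSoftwareUpdater deny 203.0.113.10:443
2020-06-01T10:00:20 GoogleSoftwareUpdater deny 203.0.113.11:80
2020-06-01T10:01:00 Safari allow news.ycombinator.com:443
2020-06-01T10:01:02 Safari allow 198.51.100.7:443
2020-06-01T10:02:00 backupd allow backup.example.net:443
"""


def is_bare_ip(host):
    """True when the destination is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse(log):
    """Turn the constructed log into (ts, process, verdict, host, port) tuples."""
    events = []
    for line in log.splitlines():
        ts, proc, verdict, dest = line.split()
        host, _, port = dest.rpartition(":")   # rpartition keeps IPv6 intact
        events.append((ts, proc, verdict, host, int(port)))
    return events


def find_ip_fallbacks(events, min_denied=2):
    """Return {process: [bare-IP destinations]} for processes that started
    connecting by raw IP only after at least `min_denied` of their hostname
    connections had been denied. Raw-IP connections seen before any denial
    are ignored: the process may simply never use names, or DNS may have failed."""
    denied = defaultdict(int)     # per-process count of denied hostname attempts
    flagged = defaultdict(list)   # per-process raw-IP attempts after those denials
    for ts, proc, verdict, host, port in sorted(events):
        if is_bare_ip(host):
            if denied[proc] >= min_denied:
                flagged[proc].append(f"{host}:{port}")
        elif verdict == "deny":
            denied[proc] += 1
    return dict(flagged)
```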

~~~
CameronNemo
What if that has an impact on performance? Kernel-user space communication
usually means copying data into different portions of memory, plus a context
switch.

~~~
ancarda
We shouldn't ever trade security for performance. Doing that is how Microsoft
ended up putting shit like _font rendering_ into the kernel. Made Windows very
fast, but made it so much worse when a bug was found.

~~~
overgard
That's pretty broad. I have a gaming machine with practically no personal data
on it, I just want it to be fast. But the tradeoffs for my work machine are
way different. Security is ALWAYS a tradeoff. If we wanted perfect airline
security we'd fly naked.

Also, it's not like limiting vulnerabilities to user space is always a big
improvement. If someone hacks my user account on a single user computer, they
have access to all the data I care about anyway. They could ransomware my
stuff even without kernel access.

~~~
philistine
A gaming machine with no personal data on it. We call that a console, and they
are indeed built for speed above all else.

~~~
Hamuko
Consoles are really built for a price point above all else. Hence why they're
always lacking in performance compared to contemporary gaming PCs.

~~~
sitkack
They also take security very very seriously.

~~~
StavrosK
Consoles take DRM safety seriously, the fact that that aligns with user
security is purely coincidental.

------
beckler
Little Snitch 4 is a rather impressive piece of software. The map is my
favorite part. It's not always accurate, but it's absolutely wild to see the
places apps want to ship data off to.

Also if you interface directly to your WAN, you can see all the bots/worms/etc
that try to connect to your IP. I got a surprising amount of netbios queries
from Iran (I'm assuming from EternalBlue based malware trying to connect), but
I highly recommend NOT doing this. It's the wild west outside your firewall.

~~~
qwerty456127
> It's the wild west outside your firewall.

You mean outside my $5 NAT WiFi router last updated 6 years ago (because the
manufacturer won't maintain it any more and the ISP never gave me the admin
password anyway)?

~~~
philjohn
This right here is the very reason OpenWRT exists.

I never trust ISP provided equipment to do my routing, if I can't use it in
modem mode (or provide my own modem) then a DMZ and port forwarding have to do
... but I'd sooner just choose another provider.

~~~
qwerty456127
At least you need to know the settings for this. I tried attaching my laptop
directly to the cable and that didn't work (I would put my own router if it
did). There probably is some sort of PPPoE over a statically-configured
network.

------
danieldk
Background: Apple is abolishing (third-party) kernel extension to increase
security:

[https://developer.apple.com/system-extensions/](https://developer.apple.com/system-extensions/)

~~~
riazrizvi
And Apple takes another step closer toward a proprietary OS away from UNIX.
Perhaps 10.16 will lose certification [1].

[1]
[https://www.opengroup.org/openbrand/register/](https://www.opengroup.org/openbrand/register/)

EDIT: I can't find anything that references kernel extensions in the
conformance [2] section of the spec, so maybe 10.16 will adhere to the UNIX03
standard after all.

[2]
[https://pubs.opengroup.org/onlinepubs/009695399/](https://pubs.opengroup.org/onlinepubs/009695399/)

~~~
TazeTSchnitzel
POSIX does not standardise kernel extensions. You can't use Linux kernel
extensions on other OSes for example.

~~~
saagarjha
You can't even use Linux kernel extensions across different versions of Linux…

------
gumby
There are so many people using it at Apple that I can't imagine LS5 not
working on 10.16 when it ships to the general public.

~~~
bredren
I hope this goes over better than the Sign in with Apple deadline that was
attempted. That seemed like a pretty big flop.

~~~
saagarjha
Sign in with Apple can't be a flop; it's required to pass app review.

------
greendave
Apple has really done a 180 degree turn from back in the early OS X days, when
they actually did quite a bit of work to keep existing applications
functional. Forget binary compatibility, now even existing APIs are
disappearing left and right.

~~~
bognition
That makes sense though, right? 15 years ago the number of people using OSX was
a fraction of what it is today. They had to be very protective of that
customer base.

Now the install base is huge and the threats are different.

~~~
outworlder
> Now the install base is huge and the threats are different.

Counterpoint: Microsoft's install base is enormous and has been for decades.
They very very rarely intentionally break backwards compatibility.

~~~
viscanti
Counterpoint: Microsoft's obsession with backward compatibility is why there
are so many zero day exploits for their OS. Complexity comes with a cost.

~~~
bshacklett
One doesn't even have to look that far. They haven't shipped a Windows update
on time for years due to bugs pushing the dates back. I can't imagine that
their backwards compatibility requirements have been part of the problem. In
fact, wasn't there a specific issue that was linked back to compatibility with
CP/M not that long ago?

Edit: This is what I was thinking of:
[https://www.itnews.com.au/news/how-a-1974-bug-still-bites-wi...](https://www.itnews.com.au/news/how-a-1974-bug-still-bites-win10-and-azure-users-515102)

------
tambourine_man
What worries me about this move from Apple is that it may stifle creativity on
the platform.

Apple is working closely with Little Snitch to provide them with APIs with the
features they need. Fine.

But would Little Snitch exist if there were no Kernel Extensions?

~~~
hyperbovine
Yes? Clearly the market is there. And writing kernel extensions is a major
PITA. One benefit of working in user space is that you can (usually) do so in
the language of your choosing. Little Snitch 0.0.1alpha would have been a lot
easier to prototype in Swift than in C.

~~~
bspammer
I believe GP is saying that if the transition to kernel extensions had
happened before Little Snitch was written, then LS could never be written
after that point because they wouldn't have the required leverage to get Apple
to expose the API they need.

What if we'll be missing out on other groundbreaking future apps that need
kernel space information to function?

~~~
tambourine_man
That’s it.

------
leokennis
Little Snitch also nicely shows how Google will make increasingly desperate
attempts to invisibly update its software in the background.

It starts with a request to Google.com from Google Software Updater. But if
you block that and the follow-ups enough times, in the end it will even try
curl'ing directly to IPs...

~~~
Spivak
Or it just assumes that name resolution is broken for some benign reason.

~~~
Zenbit_UX
Exactly, that's just good programming.

------
djsumdog
I guess it will be even more difficult to run Hackintoshes with 10.6

~~~
sudosysgen
If you have hackintosh level access, you would be able to inject kexts
anyways.

~~~
Wowfunhappy
Exactly.

In the event that the entire concept of kernel extensions is removed (which
seems unlikely), Hackintosh developers could just recompile the kernel. Or
have the bootloader patch the kernel binary. (Fun fact: Clover already allows
any user to do Find ==> Replace on arbitrary strings or hex sequences in the
kernel.)

You can do this stuff on a real Mac too btw, as long as SIP is off.

Now, if Apple actually put a concerted effort into screwing Hackintosh users,
they could probably kill the scene relatively easily. But, they don't seem
interested in doing that. Their attitude since the initial Intel release of
Tiger has seemingly been indifference.

~~~
saagarjha
> Hackintosh developers could just recompile the kernel.

No, not really. macOS's kernel, and especially its kernel extensions, are
closed source.

~~~
ttobias
I think the biggest problem in the future will be Apple's security chip. Every
new macOS hardware includes one, and it gets integrated more with every
version of macOS. My assumption is that at some point essential parts of the
OS and macOS programs will be dependent on the presence of the security chip
and Apple will cut off support to hardware without one. Just a matter of time.
The question is how will the hackintosh community solve this problem?

~~~
monocasa
Run it in a very thin hypervisor that sort of looks like bluepill and emulate
the security chip's API?

------
test7777
Showing the deprecation message before the API that replaces it is actually
out? Isn't that a bit of an a-hole move? I know everyone here is a developer
and hates code older than a month, but really? Nobody gonna call them out on
that?

~~~
minusf
that's exactly what deprecation messages are for. it's to call attention to
the fact that it's going away. once it's gone a deprecation message is useless.

------
Isamu
I never looked before but "ls /dev/bpf*" shows a lot of Berkeley packet
filters. Maybe that reflects a movement toward user-space monitoring?

~~~
wahern
Interesting. I get 256 on Catalina (0-255), as opposed to 4 (0-3) on Mojave.
/dev doesn't appear to be dynamic as it is on Linux, so they've chosen to
pre-create more device files. More importantly, on Catalina the permissions are
now ug=rw (0660) and with a group name of "access_bpf", whereas on Mojave they
were u=rw (0600) and "wheel".

So, yeah, looks like Catalina was a stepping stone.

------
rlonstein
Archive before it gets hugged to death...
[https://archive.is/7HxHk](https://archive.is/7HxHk)

------
KingOfCoders
This article sparked interest into Snitch again and I've tried to upgrade from
Snitch 3 - sadly upgrading doesn't work.

------
unixhero
A port to Linux would be nice, just saying!

~~~
m463
there is a project called opensnitch that supposedly does similar things on
linux

[https://github.com/evilsocket/opensnitch](https://github.com/evilsocket/opensnitch)

I'm not sure how active it is (no recent activity and there seem to be a lot
of forks)

------
ethanpil
I think Hackintosh enthusiasts are also an intended target of this phase
out... These systems heavily rely on kexts...

~~~
Hamuko
If there's a will, there's a way.

------
milofeynman
What's the cleanest way to monitor your entire network similar to little
snitch?

~~~
bashinator
Install a private CA root cert on all the machines in your network, and set up
a router that's able to MitM TLS sessions to do deep packet inspection. Palo
Alto Networks' kit has this kind of capability.

~~~
beckler
Most enterprise networks do this, but you'll have major issues with IoT
devices and devices/apps that do certificate pinning. You'll probably have to
put those on your guest network... Assuming you have one.

------
spacepinball
So basically they will charge me once more for a compatibility fix.

------
IOT_Apprentice
So will the deprecation break Hackintoshs?

~~~
nutjob2
No. Hackintosh is a hardware and firmware platform, mostly at a lower level
than macOS. Barring custom Apple hardware, anything that runs on Apple
hardware will run on Hackintosh. Even custom hardware can be worked around as
long as it is not critical (e.g. a custom CPU).

------
delouvois
Snitches get stitches

------
shanemhansen
It's interesting to compare and contrast community reactions to apple vs
google policies, as well as how the companies interface with popular software.

Google changes extension model for Chrome, breaking ad blockers, reaction
seems to be that it's an obvious power grab.

Apple changes extension model, breaking network blocker, reaction seems to be
favorable.

~~~
saagarjha
> Google changes extension model for Chrome, breaking ad blockers, reaction
> seems to be that it's an obvious power grab.

Interestingly, Apple made _this exact change_ in Safari _first_.

~~~
leokennis
And were shouted at for it.

~~~
saagarjha
Not really.

