
Introduce a new mitigation

Open LIJI32 opened this issue 2 years ago • 10 comments

Hi, I'd like to introduce a new mitigation to the XNU kernel.

Pros:

  • Prevents all userspace to kernel PEs
  • Mitigates all in-userspace vulnerabilities
  • Eliminates 99% of the remaining kernel vulnerabilities
  • No performance costs

Cons:

  • Drops support for certain rarely-used power user features such as process creation and communication with hardware

Judging by Apple's recent developments in security, such as APFS seals that completely prevent modification of system files, new code signing policies that are hostile towards indie and open-source developers, and untested overly-strict sandbox profiles that break operating system functionality, I believe this is a welcome change that respects Apple's security-above-all policy.

LIJI32 avatar Aug 02 '22 17:08 LIJI32

Still leaves too many opportunities for code execution, not strict enough for Apple.

PayterX avatar Aug 14 '22 21:08 PayterX

image.jpg

Nul-led avatar Aug 23 '22 00:08 Nul-led

You are a legend.

twisted-nematic57 avatar Sep 26 '22 04:09 twisted-nematic57

Ah yes, that was the word I was looking for.

twisted-nematic57 avatar Nov 03 '22 23:11 twisted-nematic57

Eliminates 99% of the remaining kernel vulnerabilities

$2,000,000 bug bounty for figuring out that 1%!

/s LOL

twisted-nematic57 avatar Dec 07 '22 22:12 twisted-nematic57

LGTM!

Scherso avatar Jan 19 '23 16:01 Scherso

LGTM!

Glowman554 avatar Jan 19 '23 18:01 Glowman554

"malicious code execution prevented" is way too descriptive, I think "legacy execution system has been deprecated" works much better, as it perfectly describes to a user what is going on, and how it can be fixed, just like any other issue on Darwin / macOS.

RoseApollo avatar Apr 26 '23 20:04 RoseApollo

This is truly a pull request of all time

9021007 avatar Apr 26 '23 21:04 9021007

"malicious code execution prevented" is way too descriptive, I think "legacy execution system has been deprecated" works much better, as it perfectly describes to a user what is going on, and how it can be fixed, just like any other issue on Darwin / macOS.

This certainly sounds more Apple-like.

IsaccBarker avatar Apr 26 '23 22:04 IsaccBarker