darwin-xnu
darwin-xnu copied to clipboard
Introduce a new mitigation
Hi, I'd like to introduce a new mitigation to the XNU kernel.
Pros:
- Prevents all userspace to kernel PEs
- Mitigates all in-userspace vulnerabilities
- Eliminates 99% of the remaining kernel vulnerabilities
- No performance costs
Cons:
- Drops support for certain rarely-used power user features such as process creation and communication with hardware
Judging by Apple's recent developments in security, such as APFS seals that completely prevent modification of system files, new code signing policies that are hostile towards indie and open-source developers, and untested overly-strict sandbox profiles that break operating system functionality, I believe this is a welcome change that respects Apple's security-above-all policy.
Still leaves too many opportunities for code execution, not strict enough for Apple.
You are a legend.
Ah yes, that was the word I was looking for.
Eliminates 99% of the remaining kernel vulnerabilities
$2,000,000 bug bounty for figuring out that 1%!
/s LOL
LGTM!
LGTM!
"malicious code execution prevented" is way too descriptive, I think "legacy execution system has been deprecated" works much better, as it perfectly describes to a user what is going on, and how it can be fixed, just like any other issue on Darwin / macOS.
This is truly a pull request of all time
"malicious code execution prevented" is way too descriptive, I think "legacy execution system has been deprecated" works much better, as it perfectly describes to a user what is going on, and how it can be fixed, just like any other issue on Darwin / macOS.
This certainly sounds more Apple like.