RSA Infosec guru Patrick Wardle has found a novel way to attempt to detect and stop malware and vulnerability exploits on Macs – using Apple’s own game engine.
The boss of Objective-See, a maker of in-our-opinion must-have macOS security tools, explained at this year’s RSA Conference, held this week in San Francisco, how he and his colleagues developed a series of rules to potentially identify malicious software and network intruders, then plugged them into Apple’s macOS games development toolkit to create a capable Mac security suite.
The idea, said Wardle, was to develop a package that would address what he saw as serious deficiencies in the Mac security space, both technically and culturally, from insecure Safari browser code to Apple fans convinced their computers can’t fall victim to software nasties.
“If you look at the market for zero-days, Safari vulnerabilities are cheaper than Windows browsers, and it’s not because of supply and demand,” Wardle mused. “Macs are softer targets, they’re easier to attack, and Mac users are overconfident.”
To address these issues, Wardle and his team took a two-phase approach. First, they developed MonitorKit, which is open-source software due to appear on GitHub, that ties into multiple macOS components to fire off alerts whenever suspicious stuff such as keylogging, downloads, simulated clicks, and file encryption occur. The idea here was to create a system that could collect up tell-tale signs of a potential malware infection, ransomware attack, or even an attempt at a zero-day exploit.
“It ingests all these events using a variety of low-level subsystems and generates an output of standard events,” Wardle explained.
The second phase was to create an engine that could sort through those events using rules and event triggers to filter potentially malicious actions from everyday activities, the ultimate goal being to detect and thwart bad actors or at least warn the user that shenanigans are afoot. This part is where Wardle turned to video games.
He realized that the basic function of a computer game engine – to receive events, apply rules to them, and generate an outcome based on that information – would be the perfect platform for his new security system, and Apple’s Gameplaykit was a particularly easy framework to work with.
Using Gameplaykit’s GKRuleSystem as a logic controller, Wardle had a way to apply sets of rules and triggers to MonitorKit’s signals to alert the user of suspicious events – such as attempts to disable system monitoring processes (as would happen during an infection attempt), perform mass encryption of files (the main step of a ransomware attack) or the appearance of applications emblazoned with a vendor’s name without a matching certificate (such as a fake Adobe Flash installer). These should quickly add up to alarm bells going off.
Taking things a step further, Wardle said, administrators could also apply their own rules to detect and block dangerous user behavior, rogue employees, and other insider threats. The tool can be set up to flag up misuse of superuser privileges, or the insertion of USB drives, or after-hours log-ins, and so on.
What’s more, Wardle thinks the approach is something that could be applied to any number of platforms. He told The Reg that, in theory, any games engine with a decent API, not just Apple’s, could in theory be linked up to a set of system calls and alerts to create a similarly powerful security suite on any number of devices and operating systems. The tight developer constraints of iOS mean MonitorKit is pretty much a non-starter, though.