Inferring High-Level Semantics from Low-Level Operations

This is a topic that comes up regularly, both in my Day Job™ with DTS and here on DevForums. This situation is a bit subtle, and it’s long past the time I should have written a proper explanation of it.

If you have questions or comments, put them in a new thread here on DevForums. To ensure that I see your thread, tag it based on the technology you’re using. For example:

  • If you’re working with Endpoint Security, use the Endpoint Security tag.

  • If you’re building a Network Extension provider, use the Network Extension tag.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


Inferring High-Level Semantics from Low-Level Operations

Apple supports a number of APIs that let you observe low-level operations. For example:

  • An Endpoint Security (ES) client can learn about low-level file system operations, like open and close.

  • A Network Extension (NE) filter provider can learn about outgoing and incoming network packets.

Folks using these APIs often want to infer high-level semantics from these low-level operations. For example:

  • An ES client might want to prevent the Finder from copying files to an external drive.

  • An NE filter provider might want to block Safari from fetching specific URLs.

While DTS supports these APIs, we don’t support this sort of low-to-high inference. That’s because our goal is to help developers use Apple’s APIs in a sustainable way, and it’s impossible to do this inference in a way that will be binary compatible in the long term.

Let me illustrate this with an example. Consider the NE scenario above. It’s easy for an NE packet filter to drop packets being sent to a specific host. However, that approach is very brittle. If something changes in the implementation path from Safari requesting a URL to how that’s rendered as IP packets, your product will break. A great example of such a change is iCloud Private Relay.
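To make that brittleness concrete, here is a small Python simulation I've added (it is not code from this post or from Apple's SDK): one rule keys on the IP addresses a hostname resolved to, the way a packet filter would, and one keys on the process name and remote hostname that the system reports for a flow. The addresses, the relay address and the flow records are constructed, and the assumption that flow metadata carries a remote hostname is mine; the point is that the second rule consumes information the system states rather than reconstructing it from bytes on the wire.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Flow:
    process: str                    # process that opened the flow
    remote_hostname: Optional[str]  # assumption: reported by the system, not inferred
    dst_ip: str
    dst_port: int

BLOCKED_HOST = "example.com"                         # constructed: the site to keep Safari from
HOST_ADDRESSES = {"example.com": {"93.184.216.34"}}  # constructed DNS snapshot taken at rule time
RELAY_ADDRESS = "203.0.113.10"                       # constructed stand-in for a relay egress

def packet_verdict(pkt: Packet) -> str:
    """Packet-level inference: 'Safari fetching example.com' is guessed from the
    destination address alone. Anything that changes the address breaks it."""
    return "drop" if pkt.dst_ip in HOST_ADDRESSES[BLOCKED_HOST] else "allow"

def flow_verdict(flow: Flow) -> str:
    """Flow-level rule: matches on what the system reports for the flow,
    so it does not depend on how the request is rendered as packets."""
    if flow.process == "Safari" and flow.remote_hostname == BLOCKED_HOST:
        return "drop"
    return "allow"

def simulate() -> dict:
    """Same Safari request, first sent directly, then through a relay."""
    direct_pkt = Packet("93.184.216.34", 443)
    relayed_pkt = Packet(RELAY_ADDRESS, 443)           # address no longer matches the snapshot
    direct_flow = Flow("Safari", "example.com", "93.184.216.34", 443)
    relayed_flow = Flow("Safari", "example.com", RELAY_ADDRESS, 443)
    return {
        "packet_direct": packet_verdict(direct_pkt),    # drop
        "packet_relayed": packet_verdict(relayed_pkt),  # allow: the rule silently stops working
        "flow_direct": flow_verdict(direct_flow),       # drop
        "flow_relayed": flow_verdict(relayed_flow),     # drop
    }

if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name}: {verdict}")
```

The failure is silent: nothing logs an error when the relayed packet is allowed, which is why a product built on this kind of inference tends to break only after an OS update has shipped.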

This isn’t to say that such inference can’t be done at all, just that it’s not possible to do it in a sustainable way. Given that, here’s my advice:

  • Try to work with high-level operations where possible. For example, ES recently added high-level log in and log out notifications, which means you no longer need to infer such events from lower-level ones.

  • If the system doesn’t support the necessary high-level operations, file an enhancement request that describes your requirements.

  • In the meantime, you can have a go at doing this inference yourself, but be aware that DTS can’t support you in that task.
