Input to Apple Concerning KEXT-CONSENT

Question

Created Jul ’17

Replies 4

Boosts 0

Views 3.8k

Participants 3

The following was filed as a suggestion in Apple's Bug Reporter. By adding it here, it might fuel ideas. Security is a tough challenge.

Input concerning KEXT-CONSENT TN2459

As described in TN2459 (kext consent) Apple is introducing a security change that will have a significant negative impact on the user experience. Since our product requires a KEXT, we are very concerned about this. This will lead to disruption in users trying to install and use our applications. In addition, the current recovery method for users not responding properly to the current UI flow will be extremely difficult to support. It might even lead to a reduction in security on many systems by support opting to disable SIP instead of adding a Team ID to the security policy, which requires dictating a complex string to a user. Let's remember that in a typical support situation, users are already flustered and support people are under time pressure.

First of all, let me state that I am in full support of increasing system security. I understand that even with signing of KEXTs by authorized developers, KEXTs represent a significant risk as a malware vector. However, I do not think that intervention or decision by the average user can help this issue.

In our testing and support experience with tens of thousands of users (our active user base exceeds 250k,) we have found that the majority do not read dialogs, especially if their wording does not make any sense to them. Many users click out of instructional videos, they close screens with tutorials. They do not click on Help buttons. Pro users and technical users tend to be different, but the majority of consumers like Mac because they do not have to know about technical issues.

When they see the currently proposed dialog, many of them will not fully understand its meaning and just click ok. I have thought about the wording and cannot think of a way to make it more understandable while retaining brevity. They are not likely to load the Security Preferences panel immediately. If they run into trouble with the app, we can guide them to the Security panel. But they might not use the app for 30 minutes and in that case the reference to "Allow" the extension will be gone!

They will call support and the current remedy is a daunting challenge. Very few users will have ever booted into the Recovery Partition. More importantly, these inexperienced users are usually helped via remote screen sharing. This is not possible in recovery mode. They will have to be guided to select the Terminal from the menu and then will be asked to type in a terminal command using a Team ID different from the warning dialog such as

spctl kext-consent allow GMTXYZA3F4 (not a real ID)

Support will then have to make sure, it was entered correctly by asking the user to type

spctl kext-consent list

and asking for the correct string to be read back. They will not know, whether this worked correctly until the system is rebooted and folks try to run the app. If an error was made, they need to start over. As I mentioned, I suspect many support people with hold queues will simply ask the customer to type

csrutil disable

We would all agree, this is undesirable. We will ask our support folks not to do this, but not everyone will be that disciplined.

More important, this is not an Apple Mac experience.

Here is my input in order of preference to help this situation:

Reevaluate this feature altogether and look at alternatives.
I do not think that for the majority of users, their decision to allow a KEXT run will contribute to security. Personally, as a technical person I would like the notification. But most users cannot really make a knowledgeable decision. Alternate solutions to the issue would be proactive revoking of TeamIDs certificate with frequent system updates of root certificates or white listing known good KEXTs, which would require a registry. I would consider going all the way to proactive scanning for signatures of all kinds of malware. With my family I have gone to using BitDefender even on Mac to precent issues arising from social engineering etc. As an engineer and long term Mac user since 1984, this is distasteful, but just realistic. Having it built in would be seamless and not noticeable by users.
If you retain KEXT CONSENT, improve the user flow and management functionality. Instead of a separate notification dialog immediately bring up the Security Panel and use it to communicate the issue and allow users to OK in a simple way. Currently using two steps makes it much more confusing and requires locating the correct panel.
Consider eliminating the 30 min. timeout altogether. It makes it impossible to recover in case of an error.
Consider changing the Security Panel to add a section that lists all 3rd party KEXTs that either have consent (even if inherited from an upgrade) or are disallowed. Changing the state should be done with a simple check mark followed by a confirmation dialog. This has the following advantages:- It allows users and support to easily remedy a problem. - It allows for easily checking on known malware KEXTs without pulling up terminal and doing a kextstat | grep etc.

Would love to hear, what other developers are thinking.

Boost

Answer 1

steveatinfincia OP

Jul ’17

I agree the user flow is confusing. It should be OK to simplify it to a single approval step as long as the authorization request looks different from other common "enter your password" or "approve what this app wants to do" scenarios. Perhaps a desktop overlay that shades the rest of the screen and presents a prompt in the middle, I don't think anything else looks like that right now.

There aren't *that* many kexts in the Mac ecosystem anyway, users won't get prompt fatigue from seeing them all the time.

The 30 minute limit could probably be turned into a reminder every 30 minutes until they approve or reject the kext.

And I agree that there should be a list of authorized kexts, similar to privacy permissions for location services and address book access that users are already familiar with, and a lot like the list of Extensions that the user has enabled, which already has a preference pane.

I would just put another section in the left hand side of the existing Extensions preferences pane and call it "System" or "Kernel", perhaps add the permissions elevation design (the lock icon) used in other preference panes, and require the user to enter their password to enable or disable system extensions.

Just make sure it's clearly marked as something that could potentially make their Mac less secure or stable, and most people will get it.

0

Answer 2

HaraldS OP

Aug ’17

It turns out that the 30 min limit does not require Recovery Boot. It is SILENTLY RESET without a dialog on attempting to load the KEXT.

Still not sure the "secrecy" is useful in this context.

0

Answer 3

Portgordon OP

Aug ’17

So far (including Beta 5) I am actually unable to approve any blocked KEXT. I receive about 5 seperate blocked messages on boot (which is not a good UE at all) and the fact that they cannot be unblocked / allowed there and then is also poor. Each alert instructs the user to visit the Security & Privacy section of settings, yet when I go there - the UI which is meant to present me with the blocked KEXT and the approval buttons is missing. It has never been present for me , even after attempting to relaunch the KEXT.

Does anyone else see this and know of a way to allow the KEXT when the UI is missing? I was really hoping Beta 5 would have fixed this but not yet - have certainly submitted feedback on it so hopefully resolved before general release at least.

0

Answer 4

HaraldS OP

Aug ’17

I think, blocked KEXTs on boot is still a known issue in the Release Notes.

The only way to get those to work now is to find out the team signature code and than do an spctl kext-consent add <TEAM ID> in the Recovery Boot Terminal.

0