
Level up Mac security, and say game over to malware? System alerts plus Apple game engine equals antivirus package

Wise Wardle waves wand, whacks wily worms which work without Windows

RSA Infosec guru Patrick Wardle has found a novel way to attempt to detect and stop malware and vulnerability exploits on Macs – using Apple's own game engine.

The boss of Objective-See, a maker of in-our-opinion must-have macOS security tools, explained at this year's RSA Conference, held this week in San Francisco, how he and his colleagues developed a series of rules to potentially identify malicious software and network intruders, then plugged them into Apple's macOS games development toolkit to create a capable Mac security suite.

The idea, said Wardle, was to develop a package that would address what he saw as serious deficiencies in the Mac security space, both technically and culturally, from insecure Safari browser code to Apple fans convinced their computers can't fall victim to software nasties.

"If you look at the market for zero-days, Safari vulnerabilities are cheaper than Windows browsers, and it's not because of supply and demand," Wardle mused. "Macs are softer targets, they're easier to attack, and Mac users are overconfident."

To address these issues, Wardle and his team took a two-phase approach. First, they developed MonitorKit, open-source software due to appear on GitHub, which ties into multiple macOS components to fire off alerts whenever suspicious activity such as keylogging, downloads, simulated clicks, and file encryption occurs. The idea here was to create a system that could collect the tell-tale signs of a potential malware infection, ransomware attack, or even an attempt at a zero-day exploit.

"It ingests all these events using a variety of low-level subsystems and generates an output of standard events," Wardle explained.

Golden rules

The second phase was to create an engine that could sort through those events using rules and event triggers to filter potentially malicious actions from everyday activities, the ultimate goal being to detect and thwart bad actors or at least warn the user that shenanigans are afoot. This part is where Wardle turned to video games.

He realized that the basic function of a computer game engine – to receive events, apply rules to them, and generate an outcome based on that information – would be the perfect platform for his new security system, and Apple's GameplayKit was a particularly easy framework to work with.

Using GameplayKit's GKRuleSystem as a logic controller, Wardle had a way to apply sets of rules and triggers to MonitorKit's signals to alert the user to suspicious events – such as attempts to disable system monitoring processes (as would happen during an infection attempt), mass encryption of files (the main step of a ransomware attack), or the appearance of applications emblazoned with a vendor's name without a matching certificate (such as a fake Adobe Flash installer). These should quickly add up to alarm bells going off.

Taking things a step further, Wardle said, administrators could also apply their own rules to detect and block dangerous user behavior, rogue employees, and other insider threats. The tool can be set up to flag up misuse of superuser privileges, or the insertion of USB drives, or after-hours log-ins, and so on.
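To make the rule-engine idea concrete, here is an added Swift sketch of the pattern the article describes: normalized system events are folded into a state dictionary, and GameplayKit's GKRuleSystem evaluates predicates over that state to assert facts such as "ransomware" or "tamper". This is illustration written for this page, not Objective-See's MonitorKit or its rule set; the MonitorEvent structure, its field names, the thresholds, and the "after-hours login" rule standing in for an administrator-defined policy are all assumptions made for the example.

```swift
import Foundation
import GameplayKit

// Constructed stand-in for a normalized event as a MonitorKit-style collector
// might emit it. The field names are assumptions for this example only.
struct MonitorEvent {
    let type: String     // e.g. "file_encrypt", "process_kill", "app_launch", "login"
    let process: String  // process or application name
    let detail: String   // path, victim process, signing identity, or hour of day
}

// GKRuleSystem predicates read the system's state dictionary through
// NSPredicate variable syntax ($name), so each rule is a plain predicate.
func buildRuleSystem() -> GKRuleSystem {
    let system = GKRuleSystem()

    // Mass file encryption by a single process: the core step of ransomware.
    system.add(GKRule(predicate: NSPredicate(format: "$encryptedFiles >= 20"),
                      assertingFact: "ransomware" as NSString, grade: 1.0))

    // Something terminated the security monitor itself.
    system.add(GKRule(predicate: NSPredicate(format: "$monitorKilled == YES"),
                      assertingFact: "tamper" as NSString, grade: 1.0))

    // An app carries a vendor's name but not that vendor's signing identity.
    system.add(GKRule(predicate: NSPredicate(format: "$vendorMismatch == YES"),
                      assertingFact: "impersonation" as NSString, grade: 1.0))

    // Example of an administrator-defined policy rule (assumed hours).
    system.add(GKRule(predicate: NSPredicate(format: "$loginHour < 7 OR $loginHour > 20"),
                      assertingFact: "after_hours_login" as NSString, grade: 1.0))
    return system
}

// Fold a batch of events into rule-system state, evaluate, and return the
// asserted facts; each fact is an alert the user or admin should see.
func assessEvents(_ events: [MonitorEvent], monitorName: String = "MonitorKit") -> [String] {
    let system = buildRuleSystem()
    var encrypted = 0
    var monitorKilled = false
    var vendorMismatch = false
    var loginHour = 12   // neutral default when no login event is present

    for e in events {
        switch e.type {
        case "file_encrypt":
            encrypted += 1
        case "process_kill" where e.detail == monitorName:
            monitorKilled = true
        case "app_launch":
            // Constructed heuristic: the name claims Adobe, the signer does not.
            if e.process.contains("Adobe") && !e.detail.contains("Adobe Systems") {
                vendorMismatch = true
            }
        case "login":
            loginHour = Int(e.detail) ?? loginHour
        default:
            break
        }
    }

    system.state["encryptedFiles"] = encrypted
    system.state["monitorKilled"] = monitorKilled
    system.state["vendorMismatch"] = vendorMismatch
    system.state["loginHour"] = loginHour
    system.evaluate()

    return system.facts.compactMap { $0 as? String }
}

// Constructed sample stream: one process encrypts 25 files, kills the monitor,
// a mis-signed "Adobe" installer launches, and a login occurs at 02:00.
var sample: [MonitorEvent] = (0..<25).map {
    MonitorEvent(type: "file_encrypt", process: "cryptr", detail: "/Users/demo/doc\($0).pdf")
}
sample.append(MonitorEvent(type: "process_kill", process: "cryptr", detail: "MonitorKit"))
sample.append(MonitorEvent(type: "app_launch", process: "Adobe Flash Player Installer",
                           detail: "Developer ID Application: Unknown Co"))
sample.append(MonitorEvent(type: "login", process: "loginwindow", detail: "2"))

for alert in assessEvents(sample) {
    print("ALERT:", alert)
}
```

The point of routing through GKRuleSystem rather than a chain of if-statements is that detection logic becomes data: an administrator adds or removes a GKRule without touching the event collector, and the rule system handles grading and salience. In a real deployment the counters would be kept per process and reset per evaluation window, so that a backup job touching many files does not accumulate against an unrelated process.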

What's more, Wardle thinks the approach is something that could be applied to any number of platforms. He told The Reg that, in theory, any games engine with a decent API, not just Apple's, could be linked up to a set of system calls and alerts to create a similarly powerful security suite on any number of devices and operating systems. The tight developer constraints of iOS mean MonitorKit is pretty much a non-starter, though. ®
