Kernel Extensions on macOS
Introduction to security behind the KEXT loading process
Dec 8, 2024
INTRO
In my latest article, I introduced the MACF on macOS and discussed how it utilizes Policy Modules in the form of kernel extensions:
This article shows how macOS defends us from malware that wants to load a new kext to gain kernel-level code execution. Below is a summary:
The article has two parts: the first is more theoretical, and the second involves building our own kext to explore security barriers in practice. Enjoy!
Kernel Extensions
Kernel extensions (kexts) are packages with a .kext extension that load directly into the macOS kernel. They execute code in Kernel Mode (EL1).