
Kernel Extensions on macOS

Introduction to security behind the KEXT loading process

Karol Mazurek
14 min read · Dec 8, 2024

INTRO

In my latest article, I introduced the MACF on macOS and discussed how it utilizes Policy Modules in the form of kernel extensions:

This article shows how macOS defends us from malware that wants to load a new kext to gain kernel-level code execution. Below is a summary:

The article has two parts: the first is more theoretical, and the second involves building our own kext to explore security barriers in practice. Enjoy!

Kernel Extensions

Kernel extensions (kexts) are bundles with a .kext extension that are loaded directly into the macOS kernel. Their code runs in Kernel Mode (EL1), with the same privileges as the kernel itself.
