undefined | Better HN

0 pointsphilistine1y ago0 comments

Apple took the lead on this front. It has closed easy access to the kernel by apps, and made a list of APIs to try and replace the lost functionality. Anyone maintaining a kernel module on macOS is stuck in the past.

Of course, the target area of macOS is much smaller than Windows, but it is absolutely possible to kick all code, malware and parasitic security services alike, from accessing the kernel.

The safest kernel is the one that cannot be touched at runtime.

0 comments

nullindividual1y ago

I don't think Microsoft has a choice with regards to kernel access. Hell, individuals currently use undocumented NT APIs. I can't imagine what happens to backwards compat if kernel access is closed.

Apple's closed ecosystem is entirely different. They'll change architectures on a whim and users will go with the flow (myself included).

becurious1y ago

But Apple doesn’t have the industrial and commercial uses that Linux and Windows have. Where you can’t suddenly switch out to a new architecture without massive amounts of validation costs.

At my previous job they used to use Macs to control scientific instrumentation that needed a data acquisition card. Eventually most of the newer product lines moved over to Windows but one that was used in a validated FDA regulated environment stayed on the Mac. Over time supporting that got harder and harder: they managed through the PowerPC to Intel transition but eventually the Macs with PCIe slots went away. I think they looked at putting the PCIe card in a Thunderbolt enclosure. But the bigger problem is guaranteeing supply of a specific computer for a reasonable amount of time. Very difficult to do these days with Macs.

nullindividual1y ago

> validated FDA regulated environment stayed on the Mac

Given how long it takes to validate in a GxP environment, and the cost, this makes sense.

adolph1y ago

Sounds like they need a nice Hackintosh for that validated FDA regulation app-OS-HW combo.

becurious1y ago

Good luck getting that through a regulated company’s Quality Management System or their legal department. Way too much business risk and the last thing you want is a yellow or red flag to an inspector who can stop ship on your product until all the recall and remediation is done.

philistineOP1y ago

See Satya Nadella has recently said that Microsoft will now put security above any other value at Microsoft. He specifically even singled out backwards compatibility.

https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...

Microsoft is a big boat. It takes a long time to turn if the captain orders it. But the captain has ordered it. I expect the sacrosanct nature of back compat to eventually die. Windows will never turn into the moving target that macOS is, but I expect a lot of old stuff to just stop working, when security concerns dictate they should be removed.

Xunjin1y ago

> The safest kernel is the one that cannot be touched at runtime.

Can you expand what you mean here? Because depending on the application you are running, you will need at least talk with some APIs to get privileged access?

Agingcoder1y ago

Being allowed to talk to the kernel to get info and running with the same privileges ( basically being able to read / write any memory ) is different.

odo12421y ago

Yeah, Apple doesn’t allow any user code to run in kernel mode without significant hoops (the kernel is code signed) and tries to provide a user space API (e.g. DriverKit) as an alternative for the missing functionality.

Some things (FUSE) are still annoying though.

duskwuff1y ago

> Some things (FUSE) are still annoying though.

That should get much easier in macOS Sequoia with FSKit.

https://developer.apple.com/documentation/fskit/

j / k navigate · click thread line to collapse

0 comments

nullindividual1y ago

I don't think Microsoft has a choice with regards to kernel access. Hell, individuals currently use undocumented NT APIs. I can't imagine what happens to backwards compat if kernel access is closed.

Apple's closed ecosystem is entirely different. They'll change architectures on a whim and users will go with the flow (myself included).

becurious1y ago

But Apple doesn’t have the industrial and commercial uses that Linux and Windows have. Where you can’t suddenly switch out to a new architecture without massive amounts of validation costs.

nullindividual1y ago

> validated FDA regulated environment stayed on the Mac

Given how long it takes to validate in a GxP environment, and the cost, this makes sense.

adolph1y ago

Sounds like they need a nice Hackintosh for that validated FDA regulation app-OS-HW combo.

becurious1y ago

philistineOP1y ago

See Satya Nadella has recently said that Microsoft will now put security above any other value at Microsoft. He specifically even singled out backwards compatibility.

https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...

Xunjin1y ago

> The safest kernel is the one that cannot be touched at runtime.

Can you expand what you mean here? Because depending on the application you are running, you will need at least talk with some APIs to get privileged access?

Agingcoder1y ago

Being allowed to talk to the kernel to get info and running with the same privileges ( basically being able to read / write any memory ) is different.

odo12421y ago

Some things (FUSE) are still annoying though.

duskwuff1y ago

> Some things (FUSE) are still annoying though.

That should get much easier in macOS Sequoia with FSKit.

https://developer.apple.com/documentation/fskit/

j / k navigate · click thread line to collapse