From Unsanity.org
Aladdin and Kexts

I have recently came across just-released StuffIt Deluxe 8. Among other cosmetic enhancements, it includes a “new” (or rather, “new for OSX”, since the feature existed back in mac os Classic versions of StuffIt) feature called “Archive Via Rename” that allows you to compress or expand files or folders quickly just by appending or removing an archive file extension (.sit, .sitx, .zip, etc).

Whereas the feature is a real life-saver for many people, and undoubtfully a convenient feature, I could not agree with the technology decision used to implement the feature in the Finder: it is a Kernel Extension.

Just how stupid is that? For the ones of you who would like the scoop right now, this is a quick round-up: APE, mach_inject, InputManager and similar techniques operate on a process level—they can only access memory allocated to a particular process, and if things go very bad, that process will crash. Kernel Extensions load directly into the kernel, therefore they got access to everything in memory, including the sacred private kernel memory space. This means, if Kernel Extension goes haywire, you get a Kernel Panic (hello Bluetooth adapter drivers that got supposedly fixed with 10.2.8!). So in the first case, you get an application dying; in the second case you’ll have to reboot your Mac.

Kernel Extensions are mainly used for device drivers—these beasts have to have direct access to the kernel; some tools like Little Snitch also install their own kexts to trap on fundamental processes of the system (network operations in this particular case). But using a Kernel Extension to tweak Finder.app is not just plain silly, it is dangerous and stupid – Aladdin risks the stability of your whole system just so their single feature only affecting Finder.app could work. Moreover, if you launch the StuffIt AVR Preference Pane and turn off the feature, the Kernel Extension will stay there, silent, and ready to strike if anything goes wrong.

In real world, there are half a dozen solutions that do not involve making a Kernel Extension: above-mentioned APE, a quicktime component, a Contextual Menu Module. Aladdin just picked the most outrageous out there – the approach can very well be compred to killing a mosquitoe with a nuke blast. Sure it works, but the impact is just slightly bigger than needed.

This entry was posted on Monday, November 14th, 2005 at 10:01 am and is filed under OS X Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.