Dieser Abschnitt ist leider noch nicht auf Deutsch verfügbar. Wir entschuldigen uns für die Unannehmlichkeiten.
The Berkeley Packet Filter
The Berkeley Packet Filter (BPF) is a component of macOS which allows privileged programs to capture and inject network traffic on any network interface. It was originally designed to analyze problems in network communication with tools like tcpdump
or Wireshark.
BPF is not used to filter incoming or outgoing network data. This is the domain of firewalls. Since networks transmit large amounts of data and a debug analysis is usually only interested in a particular aspect of that data, BPF allows the debug tool to specify this aspect in the form of a script, the filter program. Access to BPF is controlled via pseudo-devices in the file system: /dev/bpf0
, /dev/bpf1
, …, /dev/bpf255
.
What relevance does BPF have for Little Snitch?
In addition to traffic capturing, BPF allows injection of data packets at the network interface. This means that a (privileged) app which opens a BPF device can send any data packet to any destination. The packet is injected directly at the network interface layer, circumventing all on-device firewalls. Little Snitch can therefore not detect packets injected in this way.
Since Little Snitch cannot filter network packets injected via BPF, it controls access to the /dev/bpf
devices instead. When a process opens a /dev/bpf
device, Little Snitch treats this in the same way as network connections and applies BPF-rules. If no rule allows or denies access, it asks with a connection alert.
How is BPF related to Endpoint Security?
In order to control access to file system objects (/dev/bpf
), Little Snitch needs to register an Endpoint Security System Extension. This is an additional install because it requires additional privileges. Choose Little Snitch > Settings > Advanced > Install System Extension…. When this System Extension is installed, Little Snitch is consulted whenever a file is opened.
Why is Endpoint Security a separate install?
Controlling access to BPF devices has a price:
- A second system extension must be allowed in System Settings > Privacy and Security > Security.
- Full Disk Access must be granted to “Little Snitch Endpoint Security” in System Settings > Privacy and Security > Full Disk Access.
- There is a slight performance impact because Little Snitch is involved in each file open operation.
On the other hand, there is currently (at the time of Little Snitch 6.0 release) no known malware which exploits BPF to circumvent firewalls. We therefore decided to make this an optional install.
Should I install Endpoint Security?
It depends. If you use Little Snitch primarily to protect your privacy by blocking trackers, you won’t need to care about BPF and probably want to avoid the additional complexity. However, if you use Little Snitch to identify zero day malware, you certainly want to control every possible communication channel.
War dieser Eintrag hilfreich? Hinterlass uns Feedback.
© 2016-2024 Objective Development Software GmbH