Google hopes to sniff out OS X badware
'Santa' will tell MacAdmins if code is naughty or nice?
Google's Macintosh Operations Team has quietly been working on a whitelisting application for OS X.
Code-named Santa, the software (currently described as pre-1.0) has an SQLite database holding a list of permitted and blocked applications; a userland daemon to check the database; a kernel extension to monitor for executions; as well as a GUI and an admin command line interface (CLI).
The Chocolate Factory has both individual and fleet users in mind, since Santa's designed to let a sysadmin centrally manage a single naughty-nice database.
To make it harder for an attacker to substitute any of Santa's components, the three userland components (daemon, CLI and GUI) validate each other over XPC, checking that they're all signed with identical signing certificates.
To reduce the number of queries made, whitelisted binaries are cached in the kernel; and the kernel extension only uses kernel programming interfaces, to try and make sure that code keeps working through operating system upgrades.
In operation, Santa has two modes: a monitor mode and a lockdown mode. In monitor mode, it only blocks blacklisted binaries, but logs all executions; in lockdown mode, it only lets whitelisted binaries run.
Sysadmins can add binaries to the whitelist either with a hash, or a signing certificate (from the software publisher). Apps can also be listed by their execution path, and the binaries in OS updates are automatically whitelisted.
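The two modes and three rule types described above, as an added illustration that is not Santa's own code: a small Python model of a naughty-nice rule database in SQLite and the allow/block decision made against it. The table schema, the `Policy` and `Binary` names and the precedence order (a hash rule beats a certificate rule, which beats a path rule) are assumptions of this example, as are the constructed sample binaries.

```python
import hashlib
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed schema for this example; Santa's real database layout is not described here.
SCHEMA = """
CREATE TABLE rules (
    kind  TEXT NOT NULL,   -- 'hash', 'cert' or 'path'
    value TEXT NOT NULL,   -- binary SHA-256, signing-cert SHA-256, or absolute path
    state TEXT NOT NULL,   -- 'whitelist' or 'blacklist'
    PRIMARY KEY (kind, value)
);
"""


@dataclass
class Binary:
    """A binary about to execute: where it lives, its bytes, and its signer (if any)."""
    path: str
    contents: bytes
    cert_sha256: Optional[str] = None  # fingerprint of the signing certificate, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.contents).hexdigest()


class Policy:
    """Monitor mode: block only blacklisted binaries, log everything.
    Lockdown mode: run only whitelisted binaries."""

    def __init__(self, mode: str) -> None:
        if mode not in ("monitor", "lockdown"):
            raise ValueError("mode must be 'monitor' or 'lockdown'")
        self.mode = mode
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.log: List[Tuple[str, str, str, str]] = []  # (verdict, path, hash prefix, rule state)

    def add_rule(self, kind: str, value: str, state: str) -> None:
        if kind not in ("hash", "cert", "path") or state not in ("whitelist", "blacklist"):
            raise ValueError("bad rule")
        self.db.execute("INSERT OR REPLACE INTO rules VALUES (?, ?, ?)", (kind, value, state))

    def lookup(self, binary: Binary) -> Optional[str]:
        # Most specific identifier first (assumed precedence): hash, then cert, then path.
        for kind, value in (("hash", binary.sha256), ("cert", binary.cert_sha256), ("path", binary.path)):
            if value is None:
                continue
            row = self.db.execute(
                "SELECT state FROM rules WHERE kind = ? AND value = ?", (kind, value)
            ).fetchone()
            if row:
                return row[0]
        return None

    def decide(self, binary: Binary) -> str:
        state = self.lookup(binary)
        if state == "blacklist":
            verdict = "BLOCK"
        elif state == "whitelist":
            verdict = "ALLOW"
        elif self.mode == "monitor":
            verdict = "ALLOW"   # unknown binaries run in monitor mode, but are logged
        else:
            verdict = "BLOCK"   # and are refused in lockdown mode
        self.log.append((verdict, binary.path, binary.sha256[:12], state or "unknown"))
        return verdict


def demo() -> List[Tuple[str, str, str, str]]:
    """Constructed sample binaries run through both modes; returns the combined execution log."""
    good = Binary("/Applications/Good.app/Contents/MacOS/Good", b"good-bytes", cert_sha256="cert-of-publisher")
    bad = Binary("/tmp/bad", b"bad-bytes")
    unknown = Binary("/tmp/unknown", b"unknown-bytes")

    monitor = Policy("monitor")
    monitor.add_rule("hash", bad.sha256, "blacklist")
    for b in (good, bad, unknown):
        monitor.decide(b)

    lockdown = Policy("lockdown")
    lockdown.add_rule("cert", "cert-of-publisher", "whitelist")
    for b in (good, bad, unknown):
        lockdown.decide(b)

    return monitor.log + lockdown.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In monitor mode only the blacklisted binary is refused, while the unknown one runs and shows up in the log; in lockdown mode only the certificate-whitelisted binary runs. Note that a path rule trusts the location rather than the code, so hash and certificate rules are the stronger forms for a fleet policy.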