[OliverTwist]

On Windows, I love using programs like Anti-Executable or Exe Lockdown that install kernel-level modifications to block all executables that aren't on a whitelist. Is there a similar app for Mac OS X that does this?

[- - e r i k - -]

Parental Controls?

[OliverTwist]

Originally Posted by - - e r i k - - 

Parental Controls?

No, Parental Controls are very different. They let you restrict usage of certain apps bundled on the Mac. I don't see any option to block any unauthorized executables from running.

[besson3c]

Take away executable permissions from these apps:

sudo chmod -x /Applications/YourApplication.app

[Chuckit]

That's a blacklist, not a whitelist.

[besson3c]

Whopps.. Duh, you're right

Well, you could set the default permissions of the Applications folder to not be executable, and place your Whitelisted apps in a folder and assign the apps in this folder executable permissions.

[OliverTwist]

Originally Posted by besson3c 

Whopps.. Duh, you're right

Well, you could set the default permissions of the Applications folder to not be executable, and place your Whitelisted apps in a folder and assign the apps in this folder executable permissions.

The Applications folder is not the only place with executables. The entire operating system is filled with them. I'd like a program that scanned the hard drive and put every executable file into a list, and then prompted you whenever a new executable tries to run. It's essentially a fool-proof way of blocking all malware without having to update signatures and whatnot.

[Art Vandelay]

Parental Controls in Leopard will provide you with what you want.

[besson3c]

Originally Posted by OliverTwist 

The Applications folder is not the only place with executables. The entire operating system is filled with them. I'd like a program that scanned the hard drive and put every executable file into a list, and then prompted you whenever a new executable tries to run. It's essentially a fool-proof way of blocking all malware without having to update signatures and whatnot.

Ahhh... You definitely did come from a Windows background

A Unix OS consists of literally thousands of binaries that interoperate and pass data between each other in a consistent and predictable fashion that has become standardized among all Unix/Linux environments. Instead of big monolithic applications (which Microsoft is notorious for designing), the Unix philosophy is specialized, small, tools that do one thing well, and these tools are in turn utilized by a number of other programs. OS X itself is likely simply a GUI to many of its Unix underpinnings. It is likely (although I can't prove this) that when you open a folder, you are invoking a Unix "ls", and the Finder simply outputs the results. This would make sense, since unlike in the Windows world, Unix designs tend towards not reinventing the wheel.

So, there is a Unix find command (find -perm) that could be used to find executables, but this wouldn't do you much good, the list would be gigantic and unwieldy. There are about 800 or so binaries in /bin, /sbin, /usr/bin, and /usr/sbin. These binaries are hidden from view from normal users, but if you did a search for all binaries on your system, these would be included.

The Unix command for finding executables files is:

Code:
find /path/to/search/folder -perm -100 -type f

You could take the output of this list and change permissions on each of these files by modifying this command, but I wouldn't suggest doing this.

[zro]

Doesn't Launch Services warn on opening a new application?

[OliverTwist]

Originally Posted by Art Vandelay 

Parental Controls in Leopard will provide you with what you want.

After some googling I did find a Leopard screenshot showing where you can only allow checked applications. However, I'm very skeptical that this blocks all files capable of executing commands. It's not a rigorous security tool, it's just a simple way to stop kids from installing programs you don't want them using.

Originally Posted by besson3c 

Ahhh... You definitely did come from a Windows background

[...]

The Unix command for finding executables files is:

Code:
find /path/to/search/folder -perm -100 -type f

You could take the output of this list and change permissions on each of these files by modifying this command, but I wouldn't suggest doing this.

Thank you for the informative post. This would be useful for designing my own app for white-listing binaries, and it's a task I may end up taking if I can't find an existing one.

[besson3c]

Originally Posted by Art Vandelay 

Parental Controls in Leopard will provide you with what you want.

Yes and no. It likely will help you customize access to user space applications, but if you were really hardcore into your security you'd also have to be mindful of the apps in /bin, /sbin, /usr, and /usr/sbin - these are not OS X package apps.

Of course, without admin/root privileges the damage you could do would be very limited, but it is probably possible to circumvent Parental Controls this way. Parental Controls was not designed to be a security mechanism, but simply something for parents to use with their kids.

I don't know if this guy is really interested in this level of security, but...

[besson3c]

Oliver: if I'm scaring you off by being too nerdy here, the basic answer is that we don't run applications like those you listed in your first post. We have a sane permissions model which prohibits applications from doing nasty things without our permission, and only administrators can grant applications temporary escalated privileges to do stuff which could harm the system. Unlike Windows XP, one can get by being a regular user and not an admin user.

The only thing an application you download could do is delete/alter your personal files, it can't touch the rest of your system without your explicit permission.

[Art Vandelay]

True, but I think you'd break the OS if you went to the level he's wanting. You can't possibly make a practical whitelist of every executable in the OS. Leopard's Parental Controls are the easiest and most practical way of going about it and will cover most situations.

[besson3c]

Originally Posted by zro 

Doesn't Launch Services warn on opening a new application?

Yes, but I don't think it warns against launching upgrades to existing applications - just new applications it hasn't seen before. I could be wrong about this though. This might be completely adequate for the original poster's purposes though... Forgot about this, thanks for reminding us!

[besson3c]

Originally Posted by Art Vandelay 

True, but I think you'd break the OS if you went to the level he's wanting. You can't possibly make a practical whitelist of every executable in the OS. Leopard's Parental Controls are the easiest and most practical way of going about it and will cover most situations.

Yeah, that's what I was trying to say. I wouldn't recommend altering any permissions of system binaries. If they are executable it is most likely because they need to be executable (or else why put the thing in one of the binary directories in the first place?)

[OliverTwist]

Originally Posted by besson3c 

[...]

The only thing an application you download could do is delete/alter your personal files, it can't touch the rest of your system without your explicit permission.

I'm not just worried about a virus nuking my system. I'm mainly worried about spyware, such as keyloggers, that do non-destructive malevolent behavior.

Oh, and your nerdiness does not frighten me. I like your posts. :-)

Originally Posted by Art Vandelay 

True, but I think you'd break the OS if you went to the level he's wanting. You can't possibly make a practical whitelist of every executable in the OS. Leopard's Parental Controls are the easiest and most practical way of going about it and will cover most situations.

Exe Lockdown made a list of all the executables on my XP computer in about a minute. And again, I highly doubt Parental Controls would do anything like this.

[besson3c]

Originally Posted by OliverTwist 

I'm not just worried about a virus nuking my system. I'm mainly worried about spyware, such as keyloggers, that do non-destructive malevolent behavior.

Oh, and your nerdiness does not frighten me. I like your posts. :-)

Cool

When you do a process listing, it will show you every running process on the system and who owns the process. The only way for the system to own the process is if you authenticate and give this thing a higher level of access. All processes owned by you are killed off as soon as you logout, so this keylogger wouldn't last very long.

I would suggest downloading and install Little Snitch. Little Snitch is a sort of dynamic firewall that will report on all network traffic and ask you whether you want to permit these packets (you can have it retain record of your decision so that it isn't a constant nag). Keyloggers need to phone home in order for them to be useful, Little Snitch should catch them.

[Art Vandelay]

Parental Controls made a list of every single GUI app on my system in about a minute. I did some testing and I made a shell script and even though it wasn't in the checklist, it was blocked from running both from the GUI (as a .command file) and via the Terminal. So, in effect it seems to block all unknown executables too.

[besson3c]

Originally Posted by Art Vandelay 

Parental Controls made a list of every single GUI app on my system in about a minute. I did some testing and I made a shell script and even though it wasn't in the checklist, it was blocked from running both from the GUI (as a .command file) and via the Terminal. So, in effect it seems to block all unknown executables too.

Does it spit out an error message to one of your log files (console.log or system.log) or to standard out?

[OliverTwist]

Originally Posted by besson3c 

Cool

[...]

I would suggest downloading and install Little Snitch. Little Snitch is a sort of dynamic firewall that will report on all network traffic and ask you whether you want to permit these packets. Keyloggers need to phone home in order for them to be useful, and Little Snitch should catch them.

Little Snitch looks fantastic, I might end up buying it. In fact it's probably a better approach than blocking executables since my main concern is with malware spying on me. Thanks!

Originally Posted by Art Vandelay 

Parental Controls made a list of every single GUI app on my system in about a minute. I did some testing and I made a shell script and even though it wasn't in the checklist, it was blocked from running both from the GUI (as a .command file) and via the Terminal. So, in effect it seems to block all unknown executables too.

Very interesting, I'll have to look into it more. Exe Lockdown actually made a list of everything, including *.sys and *.bat files. It would be quite a surprise if Leopard's Parental Controls did something similar and turned out to be a good anti-malware app. Thank you for the info.

[Art Vandelay]

GUI apps bring up a dialog stating that it's blocked and allows you to add "Allow Always" or "Allow Once" access provided you authenticate as an admin. Via the Terminal, you get a permission denied message, just as you would if the POSIX permissions or ACLs denied you access. It's also logged in system.log.

[besson3c]

Originally Posted by Art Vandelay 

GUI apps bring up a dialog stating that it's blocked and allows you to add "Allow Always" or "Allow Once" access provided you authenticate as an admin. Via the Terminal, you get a permission denied message, just as you would if the POSIX permissions or ACLs denied you access. It's also logged in system.log.

Interesting... Can you type in "ls" or do any terminal command? If so, how do you suppose it lets you do that and not your shell script?

[Chuckit]

It's kind of an interesting discussion, I guess, but this whole idea seems a bit like buying 10 trained attack dogs, digging a moat and installing a 20-foot electric fence around the moat for your suburban house.

[Art Vandelay]

If you provide Terminal access, yes you can do standard terminal commands. I didn't try anything exotic though. Probably doesn't really matter since a non-admin user won't be able to do anything via the terminal except screw themselves up. I'm guessing Parental Controls knows which are bundled CLI executables and which aren't.

[Art Vandelay]

Originally Posted by Chuckit 

It's kind of an interesting discussion, I guess, but this whole idea seems a bit like buying 10 trained attack dogs, digging a moat and installing a 20-foot electric fence around the moat for your suburban house.

I agree.

[OliverTwist]

Originally Posted by Chuckit 

It's kind of an interesting discussion, I guess, but this whole idea seems a bit like buying 10 trained attack dogs, digging a moat and installing a 20-foot electric fence around the moat for your suburban house.

Originally Posted by Art Vandelay 

I agree.

I'm curious, do you guys use virus/spyware scanning software at all? Because that's what this is meant to replace. I get the feeling that many Mac users aren't worried about malware infections and hence don't bother protecting themselves.

[Chuckit]

Originally Posted by OliverTwist 

I'm curious, do you guys use virus/spyware scanning software at all?

Not on my Mac at home. There aren't any viruses or spyware for it to detect, so it seems like a waste of processor cycles to me. I use it on one of my work computers to weed out macro viruses in Word documents that clients send.

[besson3c]

Originally Posted by Chuckit 

It's kind of an interesting discussion, I guess, but this whole idea seems a bit like buying 10 trained attack dogs, digging a moat and installing a 20-foot electric fence around the moat for your suburban house.

I don't run Little Snitch for this reason, but I do think that it is good to have a handle on all of this stuff so that if you ever have a reason to protect your system this way, you would know what to do and how things work.

[besson3c]

Originally Posted by OliverTwist 

I'm curious, do you guys use virus/spyware scanning software at all? Because that's what this is meant to replace. I get the feeling that many Mac users aren't worried about malware infections and hence don't bother protecting themselves.

I don't. In order for Malware to become a permanently running process, it will need your admin password. I'm just careful what I grant admin access to.

[- - e r i k - -]

Originally Posted by OliverTwist 

I'm curious, do you guys use virus/spyware scanning software at all? Because that's what this is meant to replace. I get the feeling that many Mac users aren't worried about malware infections and hence don't bother protecting themselves.

Nope. In seven years there has been nothing to protect against.

Not to say that it won't happen, but when it does it'll be such a big news story that'll you'll probably know about it before it hits you. Yes, so just take care of what you are giving admin passwords to etc. and you should be fine.

[besson3c]

And (if you are indeed a recent Windows switcher), welcome to an OS with a sane security model! (Although I guess Vista's is okay now too)

[analogika]

Originally Posted by OliverTwist 

The Applications folder is not the only place with executables. The entire operating system is filled with them. I'd like a program that scanned the hard drive and put every executable file into a list, and then prompted you whenever a new executable tries to run. It's essentially a fool-proof way of blocking all malware without having to update signatures and whatnot.

Um, that is DEFAULT behavior already.

Any time a new executable file is run for the first time (that isn't installed with the OS), Mac OS X will give you a warning dialog with the options to Cancel, Show Application, or Run.

[TETENAL]

Originally Posted by analogika 

Any time a new executable file is run for the first time (that isn't installed with the OS), Mac OS X will give you a warning dialog with the options to Cancel, Show Application, or Run.

No, it doesn't.

[Art Vandelay]

Right, it only does that currently when you try to open a file that's associated with an application you've never run. However, Leopard will warn you about any application you've downloaded from the Internet, whether you're opening directly or indirectly via a file.

[besson3c]

Originally Posted by Art Vandelay 

Right, it only does that currently when you try to open a file that's associated with an application you've never run. However, Leopard will warn you about any application you've downloaded from the Internet, whether you're opening directly or indirectly via a file.

Unless it is invoked by the Terminal and is not an OS X package (or whatever OS X applications are called), right?

[besson3c]

What happens if you launch a new app via the following Terminal command?

/Applications/yourApplication.app/Contents/Resources/yourApplication


(note that I left out the "open").. It would seem to me that this would bypass LaunchServices?

[goMac]

Originally Posted by OliverTwist 

No, Parental Controls are very different. They let you restrict usage of certain apps bundled on the Mac. I don't see any option to block any unauthorized executables from running.

Huh? Parental controls can black list, and they can allow any app, not just apps bundled on the Mac.

[OliverTwist]

Originally Posted by goMac 

Huh? Parental controls can black list, and they can allow any app, not just apps bundled on the Mac.

Firstly, this thread is about using a whitelist, not a blacklist (perhaps that was a typo on your part). Secondly, I wasn't aware of Leopard's Parental Controls when I made this thread. Thirdly, I'm still not sure it blocks all executables (though Art confirmed that it can block Terminal apps).

[- - e r i k - -]

Between Leopard's warning about downloaded apps (it even lets you go to the web site that it came from to check it's origin) and using Parental Controls to allow apps you should be even safer than you were before.

It seems all your paranoia stems from using Windows really. Mac OS X is truly a paradise when it comes to security after that.

[cgc]

Parental Controls does what you ask...

[OliverTwist]

Originally Posted by cgc 

Parental Controls does what you ask...

I actually provided a link to a similar screenshot a while ago - the issue was that it does not indicate whether it blocks all possible executables. We really don't need to continue this thread, but thanks for all your replies.

[besson3c]

Originally Posted by cgc 

Parental Controls does what you ask...

If he wants to restrict Unix binaries as discussed, this screenshot does not demonstrate this.

[Art Vandelay]

As I had already indicated, Leopard appears to block unknown Unix binaries. And as has already been said, you can't block all Unix binaries without breaking the OS. If Leopard blocks non-Apple installed Unix binaries, that should be good enough for what he wants.

[OliverTwist]

Originally Posted by Art Vandelay 

As I had already indicated, Leopard appears to block unknown Unix binaries. And as has already been said, you can't block all Unix binaries without breaking the OS. If Leopard blocks non-Apple installed Unix binaries, that should be good enough for what he wants.

Yeah, I think some people are just reading the first few posts and saying things that have already been said. It's all good everyone. I can't wait for Leopard.

[besson3c]

Originally Posted by Art Vandelay 

As I had already indicated, Leopard appears to block unknown Unix binaries. And as has already been said, you can't block all Unix binaries without breaking the OS. If Leopard blocks non-Apple installed Unix binaries, that should be good enough for what he wants.

It appears so, and I didn't mean to disregard what you said, I was only responding to what was said in that specific post, trying to bring the poster up to speed.

I do have questions about what you've said here... I would have asked these earlier, but I thought we were getting bored with the subject, but... assuming there is some life left in this thread, how does Leopard know what are unknown Unix binaries? If you were to install something from Macports or something, would these be considered unknown if you have added the Macports binary path into your shell's path environment variable?

It seems to me that there is no reliable way to determine what are known and unknown binaries, unless there is a list hard-coded into the OS or something... If the criteria was simply what was in /usr/bin, /usr/sbin, etc. what would happen if you put an unknown Unix binary into one of these directories?

[Art Vandelay]

I wouldn't be surprised if all the installed binaries were signed. That is one of the features of Leopard. I'm not sure what happens if you install your own binaries. We'll know more when it's out. I've already said way too much for my NDA. Also, even though Parental Controls can probably meet the OPs needs, it certainly wasn't intended for that purpose.

Of course as many of us have stated, going to such extremes on OS X is really not necessary.

[besson3c]

Originally Posted by Art Vandelay 

I wouldn't be surprised if all the installed binaries were signed. That is one of the features of Leopard. I'm not sure what happens if you install your own binaries. We'll know more when it's out. I've already said way too much for my NDA. Also, even though Parental Controls can probably meet the OPs needs, it certainly wasn't intended for that purpose.

Of course as many of us have stated, going to such extremes on OS X is really not necessary.

A list of md5 hashes sounds like a sound theory, but at the same time it sounds like a lot of work for Apple to maintain such a list, and easy for mistakes to be made. This list would have to be hardcoded into the OS somewhere, because obviously if this was just a database it could be manipulated.

[Chuckit]

Originally Posted by besson3c 

A list of md5 hashes sounds like a sound theory, but at the same time it sounds like a lot of work for Apple to maintain such a list, and easy for mistakes to be made. This list would have to be hardcoded into the OS somewhere, because obviously if this was just a database it could be manipulated.

I'm confused as to why you think a database could be manipulated but any other system file couldn't.

[besson3c]

Originally Posted by Chuckit 

I'm confused as to why you think a system-level database could be manipulated but any other system file couldn't.

Wouldn't it be much harder to pick the data out of a compiled binary?