Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Google’s “Santa” Tracks Naughty and Nice Binaries on Mac OS X

Google’s Macintosh Operations Team announced the availability of the source code for “Santa,” a tool designed for whitelisting and blacklisting binaries on Apple’s Mac OS X operating systems.

Google’s Macintosh Operations Team announced the availability of the source code for “Santa,” a tool designed for whitelisting and blacklisting binaries on Apple’s Mac OS X operating systems.

Threats designed to target devices running Mac OS X are increasingly common and increasingly successful. A perfect example is the recently-uncovered WireLurker malware which is believed to have infected hundreds of thousands of devices in China.

Santa, named so because it “keeps track of binaries that are naughty and nice,” is just one of the many tools and scripts developed by Google’s Macintosh Operations Team for managing and tracking a fleet of Mac computers in a corporate environment. The search engine company uses tens of thousands of Macs and managing them is not an easy task.

Santa is not an official Google product and it’s not even at version 1.0 due to some issues that still need to be addressed, but the project looks promising. The tool has four main components: a kernel extension for monitoring executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a graphical user interface (GUI) agent that notifies the user when an execution is blocked, and a command-line utility that’s used to manage the system and synchronize the database with a server.

The tool is designed to run in two modes: monitor and lockdown. In the “monitor” mode, all binaries are allowed to run, except for those that are blacklisted. In “lockdown” mode, only whitelisted binaries can be executed.

Users are given the possibility to blacklist or whitelist binaries based on the signing certificate, which allows them to block or trust all binaries from a certain publisher. Because whitelisted binaries are cached in the kernel, processing required to make a request is only carried out if the binary isn’t cached already, Santa developers said.

As a safety feature, the daemon, the GUI agent and the command-line utility check to ensure that their signing certificates are identical before accepting any communications.

Because logging events is important in an enterprise environment, Santa is designed to log all executions processed by the userland agent. In addition, unknown and denied binaries are stored in the database.

Advertisement. Scroll to continue reading.

According to the project’s developers, there is still a lot of work to be done and several issues to address, including kernel extension (kext) communication security, protection for the SQLite database, and completing the code for the management server synchronization.  Furthermore, the developers say no documentation has been written and not enough tests have been conducted.

Santa has been released as open source and the project’s developers say they welcome contributions from anyone. However, those who want to make changes to the tool are required to sign a contributor license agreement.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.