ShellGuard: blocking the execution of shell processes by unknown processes
ShellGuard is a security application that implements the results of my Master's thesis research. ShellGuard aims to provide an extra, generic layer of security by guarding the execution of shell processes on macOS. My research shows that OS X malware is strongly dependent on a shell process to harm the system. ShellGuard prevents the execution of shells by unknown processes.
ShellGuard consists of a kernel extension (kext) and a userspace client/daemon that communicate through a PF_SYSTEM socket. The kext uses OS X's TrustedBSD framework to hook the execution system calls, so it is notified of every process execution. Based on the policies defined in the SG_config.json file, ShellGuard allows or denies the execution of shell processes (
The ShellGuard daemon/client remains in userspace but runs with elevated privileges, which is why I chose to write it in Swift, a memory-safe language. The daemon parses the ShellGuard policy file (JSON) and passes these rules to the kernel extension.
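Added example (not ShellGuard's own code): the allow/deny decision the kext would take at its exec hook, driven by a policy structure whose layout is an assumption for this example, standing in for whatever the daemon extracts from SG_config.json (neither the real file schema nor the socket message format is shown above).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define SG_MAX_ENTRIES 16

/* Assumed policy layout: what the daemon would hand the kext after parsing
 * SG_config.json. The real file schema and socket message format are not
 * shown on the page, so this structure is an assumption for the example. */
struct sg_policy {
    const char *shells[SG_MAX_ENTRIES];   /* executables treated as shells */
    size_t n_shells;
    const char *allowed[SG_MAX_ENTRIES];  /* processes allowed to spawn one */
    size_t n_allowed;
};

/* Constructed sample policy, not the project's real defaults. */
static const struct sg_policy sg_sample_policy = {
    .shells = { "/bin/sh", "/bin/bash", "/bin/zsh" },
    .n_shells = 3,
    .allowed = { "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                 "/usr/sbin/cron" },
    .n_allowed = 2,
};

static bool sg_in_list(const char *const *list, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], path) == 0)
            return true;
    return false;
}

/* The decision the kext takes at its exec hook. `target` is the path of the
 * executable about to run (taken from the vnode, never from argv[0], which the
 * caller controls); `parent` is the path of the requesting process. Non-shell
 * targets always pass; a shell passes only for an explicitly listed parent. */
bool sg_allow_exec(const struct sg_policy *p, const char *parent,
                   const char *target)
{
    if (!sg_in_list(p->shells, p->n_shells, target))
        return true;
    return sg_in_list(p->allowed, p->n_allowed, parent);
}

int main(void)
{
    bool ok = sg_allow_exec(&sg_sample_policy, "/tmp/unknown-process", "/bin/sh");
    printf("unknown process -> /bin/sh: %s\n", ok ? "allow" : "deny");
    return 0;
}
```

The check keys on on-disk executable paths, so it is only as trustworthy as the integrity of the binaries listed in the policy.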
ShellGuard is available for download on GitHub.