ShellGuard: blocking the execution of shell processes by unknown processes

ShellGuard is a security application implementing the results of my Master's thesis research. ShellGuard aims to provide an extra, generic layer of security by guarding the execution of shell processes on macOS. My research shows that OS X malware is strongly dependent on a shell process to harm the system. ShellGuard prevents the execution of shells by unknown processes.

ShellGuard consists of a kernel extension (kext) and a userspace client/daemon that communicate through a PF_SYSTEM socket. The kext uses OS X's TrustedBSD framework to hook the execution system calls, so it is notified of every process execution. Based on the policies defined in the SG_config.json file, ShellGuard allows or denies the execution of shell processes (/bin/sh, /bin/bash, /usr/bin/python, etc.).

The ShellGuard daemon/client remains in userspace and runs in privileged mode, which is why I have chosen to write it in Swift, a memory-safe language. The daemon parses the ShellGuard policy file (JSON) and passes these rules to the kernel extension.
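To make the allow/deny decision concrete, here is an added example (not ShellGuard's own code, and not the real SG_config.json schema, which the post does not reproduce) that models the policy step in userspace: it loads a constructed JSON policy, validates it, and evaluates exec events of the kind an exec hook would report. The field names `shells`, `rules`, `process` and `allow`, the `ExecEvent` shape and the parent-process paths are all assumptions for illustration.

```python
"""Userspace model of a ShellGuard-style shell-exec policy (added example, not project code)."""
import json
import posixpath
from dataclasses import dataclass

# Constructed policy. The real SG_config.json layout is not shown on the page, so the
# field names below ("shells", "rules", "process", "allow") are assumed, not the project's.
POLICY_JSON = """
{
  "shells": ["/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python"],
  "rules": [
    {"process": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "allow": ["/bin/sh", "/bin/bash", "/bin/zsh"]},
    {"process": "/usr/sbin/cron", "allow": ["/bin/sh"]}
  ]
}
"""


@dataclass(frozen=True)
class ExecEvent:
    """What an exec hook would hand to the policy: who is executing which image."""
    parent_path: str   # image of the process issuing the exec call
    target_path: str   # image about to be executed
    pid: int = 0


class Policy:
    def __init__(self, shells, rules):
        self.shells = frozenset(shells)   # images that count as "a shell"
        self.rules = rules                # parent image -> frozenset of shells it may run


def _norm(path):
    # Collapse "/bin/../bin/sh"-style paths so a dotted path cannot bypass the shell list.
    # Symlink resolution (realpath) belongs in the hook, which can consult the filesystem.
    return posixpath.normpath(path)


def load_policy(text):
    """Parse and validate the policy; reject rules that whitelist non-shell images."""
    doc = json.loads(text)
    shells = {_norm(s) for s in doc["shells"]}
    rules = {}
    for rule in doc["rules"]:
        allowed = {_norm(s) for s in rule["allow"]}
        unknown = allowed - shells
        if unknown:
            raise ValueError(f"rule for {rule['process']} allows non-shell paths {sorted(unknown)}")
        rules[_norm(rule["process"])] = frozenset(allowed)
    return Policy(shells, rules)


def decide(policy, event):
    """Return 'not_shell', 'allow' or 'deny' for one exec event (default-deny)."""
    target = _norm(event.target_path)
    if target not in policy.shells:
        return "not_shell"        # only shells are guarded; other images are out of scope
    allowed = policy.rules.get(_norm(event.parent_path))
    if allowed is not None and target in allowed:
        return "allow"
    return "deny"                 # unknown parent, or a shell not listed for that parent


def audit_line(policy, event):
    """One log line per decision, so denials can be reviewed and policies tuned."""
    verdict = decide(policy, event)
    return (f"shellguard pid={event.pid} parent={event.parent_path} "
            f"target={event.target_path} verdict={verdict}")


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    # Constructed events: an interactive terminal, a cron job, and an unknown binary.
    events = [
        ExecEvent("/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "/bin/bash", 501),
        ExecEvent("/usr/sbin/cron", "/bin/../bin/sh", 502),
        ExecEvent("/private/tmp/unknown_tool", "/bin/sh", 503),
        ExecEvent("/private/tmp/unknown_tool", "/usr/bin/vim", 504),
    ]
    for ev in events:
        print(audit_line(policy, ev))
```

The decision is default-deny: a parent that has no rule, or a rule that does not list the requested shell, is refused. Validating the policy at load time keeps a mistyped rule from silently whitelisting a non-shell image. In ShellGuard the kext makes this call inside the exec hook; the daemon's job is the parsing and validation shown here.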

ShellGuard is available for download on Github.
