Ostiarius
Ostiarius is tool for El Capitan that blocks unsigned internet binaries from executing.
Though OS X's Gatekeeper attempts to provide this functionality, I discovered it was trivial to bypass.
The bypass was detailed in: 'Gatekeeper Exposed'.
compatibility: OS X 10.11
current version: 1.2.0 (change log)
zip's sha-1: e33b3cd9310cb36afc1876f7eea3904cf2694750
kext source code: Ostiarius.kext
current version: 1.2.0 (change log)
zip's sha-1: e33b3cd9310cb36afc1876f7eea3904cf2694750
kext source code: Ostiarius.kext
› Apple finally fixed the Gatekeeper flaws I'd discovered and reported that Ostiarius protected against. As such, if you're running macOS Sierra (10.12+), Ostiarius is no longer needed!
› Ostiarius utilizes undocumented aspects of the OS to provide global protection. Though carefully designed to not break any legitimate functionality, it has not been tested on all possible systems & scenarios. As such, run at your own risk ;)
And, if you find any issues while using this tool, please send an email to bugs@objective-see.com and I'll try fix them ASAP!
And, if you find any issues while using this tool, please send an email to bugs@objective-see.com and I'll try fix them ASAP!
To install Ostiarius and gain continual protection, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:
Then, simply double click on 'Ostiarius.app', and enter your password to authenticate. Press the 'Install' button to complete the installation.
The installer copies Ostiarius' signed kernel extension (Ostiarius.kext) to /Library/Extensions/. Then starts it, to begin process monitoring and protection. On subsequent reboots, Ostiarius.kext will be automatically started by the OS:
With the kernel extension loaded, any unsigned binary or application from the internet will be automatically blocked by Ostiarius. This will happen automatically and transparently - regardless of other system settings (e.g. Gatekeeper). However, a message (similar to the following) will be logged in the system log (viable via Console.app):
Since Ostiarius runs at the kernel-level, its protections are global and will affect all users. Once Ostiarius is installed & running, if you do want to execute an unsigned binary from the internet, there are two options: 1) remove the file's quarantine attributes, or 2) uninstall Ostiarius.
Ostiarius determines if a file is from the internet by looking for quarantine attributes (that are, automatically added by the application that downloaded the file). Use the xattr command from within Terminal.app to both view, and remove the quarantine attributes for a file:
As shown in the image above, one can remove the quarantine attribute via: xattr -cr <path to app/file>. Note that if the file is mounted from a downloaded .dmg, the quarantine attributes should be removed from the actual .dmg file. Now the unsigned binary will be allowed to execute; Ostiarius won't block it.
To fully remove Ostiarius, simply re-execute the Ostiarius application, and click the 'Uninstall' button:
FAQs
Q: Why does Ostiarius need my password?
A: The main component of Ostiarius is an open-sourced kernel extension. In order to install and load such a component, the OS requires Ostiarius to be authorized.
Q: Can I override Ostiarius, allowing an unsigned application to run?
A: Yes! Ostiarius only monitors binaries that have a quarantine attribute set (i.e. anything downloaded from the internet). If one manually removes a binary's quarantine attribute, Ostiarius won't 'interfere' and the binary (or application) will be able to run, even if unsigned. To remove (or clear) the quarantine attributes, simply execute the following (in Terminal.app):
$ xattr -rc <path to app/file>
Q: How do I remove Ostiarius?
A: Simply re-run the Ostiarius.app. It will detect that Ostiarius is installed, and display a popup with an 'Uninstall' button. Clicking this will fully remove Ostiarius.
To manually uninstall Ostiarius, run the following commands:
$ sudo kextunload -b com.objective-see.OstiariusKext
$ sudo rm -rf /Library/Extensions/Ostiarius.kext
$ sudo rm -rf /Library/Extensions/Ostiarius.kext
Q: I installed the latest upgrade (e.g. OS X 10.11.3). Do I need to re-install Ostiarius?
A: Perhaps. Ostiarius makes use of several unexported functions and undocumented structures, which may change in subsequent OS X upgrades. Check this website after each upgrade, to see if you need to install the latest version of Ostiarius. Incompatible/older versions of Ostiarius shouldn't cause any issues, but may cease to provide protection!
Q: Why can't I just enable vm.cs_enforcement?
A: You can, but this will apply to all binaries; not just those downloaded from the internet. Moreover, as this 'feature' is undocumented, it may break legitimate Apple binaries and OS functionality.
Q: Will Ostiarius protect me against all Gatekeeper bypasses?
A: While it will protect against the major of attacks, there still exist ways to bypass both Gatekeeper and Ostiarius. For example, a trusted (signed) Apple executable that either dynamically loads an external but relative dylib, or creates and executes an attacker controlled script file, may be abused for a bypass. Perhaps Gatekeerper can be used to prevent the dylib bypass. However, until Apple fully fixes Gatekeeper you can stay safe by only downloading software from legitimate trusted websites over HTTPs.