Yes, the file access part of this product is exactly what I wrote too. They even made it with just the same codebase, inside the bundle "HandsOff.kext" is where all the action is. It's commendable that these guys have made it & kept it going and have it running as a product. It is so much more difficult than it initially appears. One of the first things that you come up against is you find out that at the kernel level, there are thousands of open()'s occurring system wide a second. Managing that in linked lists in the kernel without creating a speed or memory hit is the initial challenge. Then the other thing you come up against, which is a much greater challenge, is avoiding deadlocks by blocking open()'s to the wrong process.
However, if a technical user is using the product, it makes security 100% solid. You can literally intentionally download and run any virus, with full confidence that you can easily stop it from doing anything you don't want it to. Since a dialog box is created before it can read or write to any file, there is literally nothing it can do without your permission.
It's also useful for monitoring what an installer or app is doing to your filesystem, exactly what files it is touching as it goes along, and also how to thoroughly uninstall it if you want to.
I have been meaning to make a cut down version just for the filesystem monitoring and as an uninstaller that works 100%. You can even make an uninstaller that not only uninstalls all files that were created alongside the file you choose, but also any files that were created by any of those files (by logging the paths of the open()'s with O_CREATE by any of those files)
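As an added illustration of the transitive uninstaller idea above (my own example, not code from Hands Off!, kAuthORama or the commenter): given a log of open() calls that carried O_CREAT, recorded in an assumed "creator O_CREAT path" line format, compute every file created by a chosen file, by the files it created, and so on.

```python
from collections import deque

# Constructed sample log (assumed format): "<creator> O_CREAT <created path>",
# one line per open() that carried O_CREAT, as a kext hook could record it.
SAMPLE_LOG = """\
/Volumes/Foo/Foo.pkg O_CREAT /Applications/Foo.app/Contents/MacOS/Foo
/Volumes/Foo/Foo.pkg O_CREAT /Library/LaunchAgents/com.foo.helper.plist
/Applications/Foo.app/Contents/MacOS/Foo O_CREAT /Users/me/Library/Application Support/Foo/state.db
/Applications/Foo.app/Contents/MacOS/Foo O_CREAT /tmp/foo-helper
/tmp/foo-helper O_CREAT /Users/me/Library/Caches/foo.cache
/Users/me/Library/Application Support/Foo/state.db O_CREAT /tmp/foo-helper
/usr/bin/vim O_CREAT /Users/me/notes.txt
"""


def parse_create_log(text):
    """Map each creator path to the set of paths it created."""
    created = {}
    for line in text.splitlines():
        if " O_CREAT " not in line:
            continue  # not a creation record; ignore
        # Split once on the separator so paths containing spaces survive.
        creator, path = line.split(" O_CREAT ", 1)
        created.setdefault(creator.strip(), set()).add(path.strip())
    return created


def created_by(created, root):
    """Return all paths created, directly or transitively, by `root`.

    Breadth-first traversal; `seen` ensures shared or cyclic creation
    records (two files creating the same path) are visited only once.
    The root itself is never part of the result.
    """
    seen = set()
    queue = deque([root])
    while queue:
        creator = queue.popleft()
        for path in created.get(creator, ()):
            if path != root and path not in seen:
                seen.add(path)
                queue.append(path)
    return seen


if __name__ == "__main__":
    for path in sorted(created_by(parse_create_log(SAMPLE_LOG), "/Volumes/Foo/Foo.pkg")):
        print(path)
```

Unrelated creations (here, vim writing notes.txt) stay out of the removal set because they are not reachable from the chosen root.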
> You can literally intentionally download and run any virus, with full confidence that you can easily stop it from doing anything you don't want it to. Since a dialog box is created before it can read or write to any file, there is literally nothing it can do without your permission.
What about a virus that reads your keystrokes or screenshots your screen and sends them to the Internet? Or a virus that spams or does DDOS attacks?
That's the beauty of it. Take the keystrokes example you gave. Run it. Allow it to monitor your keystrokes (by clicking "Allow" when it's doing stuff related to that). Allow it to create the file logging your keystrokes, if you want (granting it write only access when the dialog box comes up). But after you have toyed with it, you might stop it at the point when it attempts to read from that file, in order to transmit it over the internet, or whatever it's going to do with it.
Same with the screenshots. You'd allow it to do whatever you feel like, but you might stop it when it tries to actually create the screenshot file, but allow it to do everything else in order to monitor its behavior. And since it's all in real time, with dialog boxes coming up for each of its actions, it makes it quite interesting to do so.
Isn't it dangerous to assume all malicious programs will use scratch files before communicating across the network? Won't you miss programs that use purely in-memory structures?
Yes, it is. And that was just a simplified example. In practice if you were running something you were very distrustful of, you would block access to almost all of its file access. You also wouldn't leave it running for long enough to feed it enough keystrokes to get you into trouble. But even if you did, you would catch it with all the file opens (and network connection open's) before it could transmit your keystrokes and get you into trouble. In practice many file open()'s are required to perform any function.
I’ve been using Hands Off! for the functionality for the past few years, but if I had known that the functionality was based on your kernel extension, I would’ve switched away from Hands Off! in a heartbeat (I already get the firewall features of Hands Off! from Little Snitch, so the only reason I use Hands Off! is for the disk access control feature).
Out of curiosity, could you provide a link to the website advertising your kernel extension (if it still exists)? As an OS X user, I feel pretty bad that I wasn’t aware of its existence (I would’ve certainly recommended it to my friends).
Sorry for being unclear, I didn't mean to say that it was based on my kernel extension. I meant to say that we both based it off of the same kernel extension. The extension in question is called kAuthORama and is provided by Apple. (note: I'm not 100% sure that they did use that, that was just an educated guess).