MATCH BY SIGNATURE

Murus
hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Post by hany » Sat Jan 12, 2019 4:58 pm

Announcing a new experimental AFW feature: match by signature.
As all Vallum and Scudo users know, AFW is the core of their application-layer firewall.
The current AFW version (Vallum 3.1 and Scudo public beta 1) is able to identify a process only by its absolute path. This means that each afw rule is matched if a process path matches the rule path. While this approach is quite obvious and easy to understand and manage, it does not always offer the best level of protection. It is very easy to overwrite an existing legit file with a malicious one, provided that this binary is not protected by SIP and that the attacker has the right credentials to do so.
Matching by signature is, in some cases, a much better choice. AFW is able to create a signature stamp for each signed app or binary executable. Vallum and Scudo can issue "By path" or "By stamp" rules, according to user choice. Matching by stamp means that each process is identified by a string generated by reading some parameters inside the app or binary signature. Assigning a "by stamp" rule to an app ensures that this rule will always be applied to this app. Should you rename or move the app, the rule will always be enforced. If the original app is replaced with a fake app, this fake app will not match the original rule. In a typical scenario (using "ask" as the main policy), when a legit passed app is replaced by a malicious app, should the malicious app try to connect, you would see a new notification window for that app. Additionally, Scudo and Vallum should be able to alert the user about a known app that has suddenly changed its signature stamp. The stamp generating procedure is designed to keep the same stamp after an app update. So it's not a true "hash", it's only a reference to the signature. This is to spare AFW users the need to update their configuration after each app/OS update.
Additionally, this new feature allows Scudo and Vallum users to do things like "always pass Apple signed software", "always block unsigned binaries", "always pass software from this developer", and things like that.
Both Vallum and Scudo will use, in most cases, mixed rulesets. That is, the ruleset will contain both "by path" and "by stamp" rules. The logic does not change: a connection is passed or blocked according to the last normal matched rule, or the first quick matched rule, be it a "by stamp" or "by path" rule.
The first true implementation of this feature will be available to all users in Scudo 1.0 public beta 2, very soon. Scudo is a simple app and may not offer access to all AFW features. However, the Scudo installer includes afwctl, so the user is free to quit the Scudo app, configure AFW using the afwctl shell command, and explore all its features.

...Stay tuned!
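The following is an added illustration, not code from the post, Murus, or AFW. It models the two rule kinds described above ("by path" and "by stamp") and the mixed-ruleset evaluation order (last normal matching rule wins, first matching quick rule ends evaluation) so the difference in protection can be seen on constructed sample processes. The stamp format is an assumption for the example: it is derived here from a signing team identifier and bundle identifier, which is one way of getting a value that survives an app update but changes when the file is replaced with an unsigned one; AFW's real stamp parameters are not given in the post. The `stamp_changed` helper is likewise a hypothetical detection hook for the "known app suddenly changed its stamp" alert the post mentions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    path: str
    team_id: Optional[str]      # signing team identifier; None = unsigned binary
    bundle_id: Optional[str]    # signing bundle identifier; None = unsigned binary
    version: str = "1.0"        # deliberately NOT part of the stamp


def stamp(proc: Process) -> Optional[str]:
    """Assumed stamp model: a reference to the signing identity, not a file hash.
    A routine update from the same developer keeps the stamp; an unsigned or
    differently signed file dropped over the same path gets a different one."""
    if proc.team_id is None or proc.bundle_id is None:
        return None
    return f"{proc.team_id}:{proc.bundle_id}"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    match: str             # "path" or "stamp"
    value: str             # absolute path or stamp string to compare against
    quick: bool = False    # first matching quick rule decides immediately


def matches(rule: Rule, proc: Process) -> bool:
    if rule.match == "path":
        return proc.path == rule.value
    if rule.match == "stamp":
        return stamp(proc) == rule.value
    raise ValueError(f"unknown match type {rule.match!r}")


def decide(rules: list[Rule], proc: Process, policy: str = "ask") -> str:
    """Evaluate a mixed ruleset: the last matching normal rule wins, unless a
    matching quick rule ends evaluation first. No match falls through to the
    main policy (the post uses "ask" as the typical main policy)."""
    verdict = policy
    for rule in rules:
        if not matches(rule, proc):
            continue
        if rule.quick:
            return rule.action
        verdict = rule.action
    return verdict


def stamp_changed(known: dict[str, Optional[str]], proc: Process) -> bool:
    """Hypothetical detection hook: a path seen before now carries a different
    stamp, which is what the post says the apps should alert on."""
    return proc.path in known and known[proc.path] != stamp(proc)


# Constructed sample processes; the team identifier is a placeholder, not a real one.
MAIL_PATH = "/Applications/Mail.app/Contents/MacOS/Mail"
LEGIT = Process(MAIL_PATH, "TEAMID0000", "com.example.mail")
MOVED = Process("/Users/alice/Old/Mail", "TEAMID0000", "com.example.mail")
REPLACED = Process(MAIL_PATH, None, None)                        # unsigned file over the legit path
UPDATED = Process(MAIL_PATH, "TEAMID0000", "com.example.mail", "2.0")  # same identity, new version

PATH_RULES = [Rule("pass", "path", MAIL_PATH)]
STAMP_RULES = [Rule("pass", "stamp", stamp(LEGIT))]

# Mixed ruleset: a quick path block, then a normal stamp pass, then a normal path block.
MIXED_RULES = [
    Rule("block", "path", "/tmp/dropper", quick=True),
    Rule("pass", "stamp", stamp(LEGIT)),
    Rule("block", "path", "/Users/alice/Old/Mail"),
]

if __name__ == "__main__":
    for name, proc in [("legit", LEGIT), ("moved", MOVED),
                       ("replaced", REPLACED), ("updated", UPDATED)]:
        print(f"{name:9} by-path={decide(PATH_RULES, proc):5} "
              f"by-stamp={decide(STAMP_RULES, proc):5} mixed={decide(MIXED_RULES, proc)}")
    print("stamp changed for replaced binary:",
          stamp_changed({MAIL_PATH: stamp(LEGIT)}, REPLACED))
```

Running the script shows the point of the post in one table: the by-path rule still passes the unsigned file that replaced the legit binary and stops matching the app once it is moved, while the by-stamp rule does the opposite (follows the app when moved, falls back to "ask" for the replacement, and keeps passing the updated version). In the mixed ruleset, a correctly signed binary placed at `/tmp/dropper` is blocked by the quick rule before the stamp rule is reached, and the moved app matches both the stamp pass and the later path block, so the last normal rule wins and it is blocked.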
