Mandatory Access Control

I’ve been using Objective Development’s Little Snitch for almost as long as I’ve been using a Mac; it lets me selectively deny outgoing internet connections based on a number of criteria, which lets me lock down which apps are allowed to talk to which places on the network, local or internet.

Intego’s VirusBarrier X6 can also do this to a lesser extent, but it’s not as refined as Little Snitch, nor does it allow much in the way of ‘this program can only connect to this host, using this protocol and this port’.

I’ve recently become aware of a different app: Hands Off!, which appears to do everything Little Snitch does, but it adds a couple of new things:
  • File read/write access support: Hands Off! appears to do this based on file paths, which probably makes it similar in function to Linux’s AppArmor (which is also path-based) and its cousin, SELinux (which labels files instead). It’s nice to be able to sandbox applications and only let them write to places I approve of. OS X, being a flavor of Unix, uses Unix permissions, so there’s less of a security problem to begin with than on Windows. This adds an additional layer (much like AppArmor and SELinux) that makes it harder for an application to misbehave.
  • DNS resolution: You can allow/deny the ability of an application to resolve an IP address using DNS. I’m somewhat torn on this: on one hand, many programs rely on DNS to get addresses, so you can keep some things from phoning home; on the other hand, it’s hard to see how a DNS lookup can be a bad thing, and if a piece of malware uses an IP address instead of DNS, then blocking DNS resolution gives you nothing.
  • Handling of incoming connections in much the same way as outgoing connections: You can define which program can listen on which ports/protocols.
  • It’s also able to import rules from Little Snitch, which makes transitioning easier.

So for now, I’m giving Hands Off! a try. It’s definitely not for a regular user; it requires actual knowledge of what’s going on to use effectively.

It’d be nice if there were a curated location to get applications (hmm... Mac App Store?) that has:
  • Cryptographically signed applications, to ensure integrity.
  • Crypto-signed Mandatory Access Control (MAC) lists describing what this application will read, write, and how it will interact on the network. The curator reviews the MAC list and allows only the minimum functionality the application needs to operate. This will (hopefully) reduce the number of applications that phone home with tracking data, etc.

That way, when a user installs the application, things like Hands Off! (or an equivalent built into the OS) can have the new settings added automatically, and the user doesn’t need to do anything.
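To make the idea concrete, here is an added example (my own illustration, not code from Hands Off!, Little Snitch, AppArmor or any App Store mechanism) of what such a per-application MAC list could look like and how a host-side enforcer would use it. The manifest lists the four rule kinds described above: file paths the app may read or write, outgoing connections by host/protocol/port, whether it may resolve DNS names, and which ports it may listen on. Everything not listed is denied. A curator's signature is stood in for by an HMAC with a constructed key, and the manifest, key and log of attempted actions are all constructed sample data; the application name, paths and hosts are assumptions, not real products or rules.

```python
"""Toy per-application access-control manifest and enforcer (added example).

Models the rule kinds discussed in the post: file read/write by path prefix,
outgoing connections by (host, protocol, port), DNS resolution, and listening
sockets. Default-deny: any action not covered by the manifest is refused.
An HMAC over the manifest bytes stands in for the curator's signature.
"""
import hashlib
import hmac
import json
import posixpath
from dataclasses import dataclass, field


@dataclass
class Manifest:
    app: str
    read: list = field(default_factory=list)      # allowed path prefixes for reading
    write: list = field(default_factory=list)     # allowed path prefixes for writing
    outgoing: list = field(default_factory=list)  # [host, proto, port]; host "*" = any host
    listen: list = field(default_factory=list)    # [proto, port] the app may listen on
    dns: bool = False                             # may the app resolve names?


def sign_manifest(manifest_json: bytes, key: bytes) -> str:
    """Curator-side 'signature' (HMAC-SHA256 stand-in for a real signature)."""
    return hmac.new(key, manifest_json, hashlib.sha256).hexdigest()


def load_signed_manifest(manifest_json: bytes, tag: str, key: bytes) -> Manifest:
    """Refuse to install rules whose signature does not verify."""
    if not hmac.compare_digest(sign_manifest(manifest_json, key), tag):
        raise ValueError("manifest signature mismatch; refusing to install rules")
    return Manifest(**json.loads(manifest_json))


def path_allowed(path: str, prefixes: list) -> bool:
    """Prefix match on a normalised path.

    Normalising first means "/a/b/../c" is judged as "/a/c", and requiring a
    directory boundary means a rule for "/Users/me/Docs" does not also cover
    "/Users/me/Docs2".
    """
    norm = posixpath.normpath(path)
    for prefix in prefixes:
        p = posixpath.normpath(prefix)
        if norm == p or norm.startswith(p.rstrip("/") + "/"):
            return True
    return False


def evaluate(manifest: Manifest, action: tuple) -> bool:
    """Return True if the manifest permits one attempted action."""
    kind, *args = action
    if kind in ("read", "write"):
        (path,) = args
        return path_allowed(path, getattr(manifest, kind))
    if kind == "connect":
        host, proto, port = args
        return any((h == "*" or h == host) and pr == proto and pt == port
                   for h, pr, pt in manifest.outgoing)
    if kind == "dns":
        return manifest.dns
    if kind == "listen":
        proto, port = args
        return any(tuple(entry) == (proto, port) for entry in manifest.listen)
    return False  # unknown action kinds are denied, not silently allowed


def audit(manifest: Manifest, actions: list) -> list:
    """Evaluate a log of attempted actions; returns [(action, allowed), ...]."""
    return [(action, evaluate(manifest, action)) for action in actions]


# ---- constructed sample data (not real software, paths or hosts) ----
CURATOR_KEY = b"constructed-demo-curator-key"
MANIFEST_JSON = json.dumps({
    "app": "DemoNotes.app",
    "read": ["/Users/alice/Documents"],
    "write": ["/Users/alice/Library/Application Support/DemoNotes"],
    "outgoing": [["updates.example.com", "tcp", 443]],
    "listen": [],
    "dns": True,
}, sort_keys=True).encode()

ACTIONS = [
    ("read", "/Users/alice/Documents/notes.txt"),                          # allowed
    ("write", "/Users/alice/Library/Application Support/DemoNotes/prefs"),  # allowed
    ("write", "/Users/alice/Documents/../Desktop/out.txt"),                 # denied: normalises outside
    ("read", "/Users/alice/Documents2/other.txt"),                          # denied: not inside prefix
    ("connect", "updates.example.com", "tcp", 443),                         # allowed
    ("connect", "203.0.113.10", "tcp", 80),                                 # denied: not in manifest
    ("dns", "updates.example.com"),                                         # allowed
    ("listen", "tcp", 8080),                                                # denied: no listen rules
]


def demo() -> list:
    tag = sign_manifest(MANIFEST_JSON, CURATOR_KEY)
    manifest = load_signed_manifest(MANIFEST_JSON, tag, CURATOR_KEY)
    return audit(manifest, ACTIONS)


if __name__ == "__main__":
    for action, allowed in demo():
        print("ALLOW" if allowed else "DENY ", action)
```

The two details worth noticing are the path normalisation with a directory boundary (a naive `startswith` would let a rule for one folder cover a sibling whose name merely begins the same way) and the signature check that runs before the rules are installed, which is what makes the curator's review meaningful once the manifest reaches the user's machine.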

The funny thing is that mandatory access controls (like SELinux or AppArmor) have been around in the Linux world for years: when you install a software package from the distribution maker, the package is verified against a crypto signature, and the mandatory access control settings are added automatically. In other words, in this respect, Linux has MAC lists that are simpler than anything you can find on a Macintosh.