santabs

The santabs process is an XPC service for the santad bundle, meaning only binaries within that bundle can launch santabs. It will be launched with the same privileges as its calling process. Currently, santad is the only caller of santabs, so santabs runs as root.

Events

The santabs process is quite simple and only does one thing: it generates non-execution events for the contents of a bundle.

When there is an execve() that is blocked within a bundle, a few actions take place:

1. The highest ancestor bundle in the tree is found

   • So /Applications/DVD Player.app/Contents/MacOS/DVD Player would be /Applications/DVD Player.app
   • Or /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension would be /Applications/Safari.app

2. The ancestor bundle is then searched for Mach-O executables

   • For Safari that would currently be 4 binaries

   • Hashing time: 53 ms
     4 events found
     BundleHash: 718773556ca5ea798f984fde2fe1a5994f175900b26d2964c9358a0f469a4ac6
     BundleID: com.apple.Safari
     SHA-256: ea872e83a518ce442ed050c4408a448d915e2bae90ef8455ce7805448d864a3e
     Path: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
     BundleID: com.apple.Safari
     SHA-256: 1a43283857b1822164f82af274c476204748c0a2894dbcaa11ed17f78e0273cc
     Path: /Applications/Safari.app/Contents/MacOS/Safari
     BundleID: com.apple.Safari
     SHA-256: ab0ac54dd90144931b681d1e84e198c6510be44ac5339437bc004e60777af7ba
     Path: /Applications/Safari.app/Contents/Resources/appdiagnose
     BundleID: com.apple.Safari
     SHA-256: f49c5aa3a7373127d0b4945782b1fa375dd3707d66808fd66b7c0756430defa8
     Path: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
     

3. Events are created for each binary and the bundle hash is calculated

4. These events are sent to the sync server for processing

Bundle Hash

The found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is now a strong indicator on what Mach-O executables were within the bundle at the time of scan. This can then be verified by the sync server when deciding to generate rules.