What ShieldKey does today
* Process-level wallet cage via EndpointSecurity + Sandbox: blocks anything touching wallet paths (~/Library/Application Support/…, browser Local Storage, USB HID for Ledger/Trezor) unless it’s on an allow list
* Network Extension blocks known phishing domains before the browser even loads them
* Clipboard / window-title watcher for seed patterns (base58 / hex)
* 1 800 macOS stealer hashes in a compact YARA+SHA table (mmap, ~20 µs lookup)
* One-click “wallet lock”: chmod browser-wallet storage to 000 and auto-eject HW wallets
* 100 % offline; UI is SwiftUI, engine is a 4 MB static Rust daemon
Why bother when objective-see or commercial AV exist?
- Objective-see is awesome but pops LOTS of alerts—ShieldKey ships wallet-specific heuristics so users get one actionable alert, not 200. - Commercial AVs flagged <10 % of the macOS stealer hashes we collected since Jan 2024 (VirusTotal data). They also don’t understand Ledger HID traffic or MetaMask’s plaintext vault.
Architecture
- shieldd (daemon): Rust, Tokio, subscribes to EndpointSecurity, FSEvents, HID, NetExt - shieldctl (CLI): sends YAML → gRPC to daemon, emits JSON for UI - ShieldKey.app: SwiftUI menu-bar wrapper - Rules pack compiled into a single kcdb file (mmap B-Tree, O(log n))
Limitations
- No in-browser JS detection; if you paste a seed, JS phishing can still grab it - No rule revocation yet - whole pack must update - Only tested on Monterey through Sonoma
Roadmap
- Signed rule updates over Tor (opt-in) - Hardware-wallet micro-firewall (USB endpoint filter) - Transparency log for notarized releases - Public repo once code is hardened
Try it / tear it apart
Get DMG : https://getshieldkey.com brew tap coming this week. shieldctl --dry-run shows every ES event.
Looking for feedback: missed attack surfaces, EndpointSecurity edge cases, UI nits. If you’ve got macOS stealer samples I don’t detect, send hashes (or encrypted zips) to bugs@getshieldkey.com.
bobman420•8mo ago