Apple Adds Memory Randomization To Leopard
.mack notes a ZDNet blog outlining some of the security features added to OSX Leopard (10.5). Here's Apple's brief description of all 11 new security features. "Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks. The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls."
Apple is finally catching up with BSD, Linux and Vista!
If only this broke bootcamp compatibility - then they'd really prevent viruses.
"Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard," Diversity Month was in April. Oh well...
From the changelog:
It sounds like a high-level player finally decided to take on Exchange. My biggest questions: are there Windows programs that support these features via CalDAV, and is there a CalDAV server in FreeBSD's ports?
Dewey, what part of this looks like authorities should be involved?
Even Vista has a not-completely-broken implementation of ASLR. Linux, of course, has been doing it for years...
Everything I needed to know about life, I learnt from Blake's Seven
To give you closeted folk an excuse to talk about your feelings in public.
Dewey, what part of this looks like authorities should be involved?
Okay, so from a practical standpoint, what does this mean for pre-binding? I understand that we don't need to pre-bind ourselves on Tiger, but what about the system libraries?
Because the Macintosh is the Gay Computer.
Why bother.
ASLR or 'Address Space Layout Randomization' has seemingly been a 'feature' since Windows 3.1. You never know just *where* or *when* a blue-screen-of-death(tm) will occur. Microsoft should sue Apple for copying this 'valuable' feature :)
Ok, jokes aside, wouldn't this make debugging programs hell? If something crashes (oh wait, nothing on apple ever crashes)...crash dumps would be almost meaningless.
Or, another way of looking at this, target addresses can still be found, since the program must have some sort of debug hooks. (Unless debuggers have access to kernel protected areas)..
In other words, another kind of useless feature...Crash Different!
All measures like this are just bandaids and may in fact open up more holes because it adds complexity to an already complex beast.
There is just no way to do this in software. The future is going to be implementing these types of features in well proven hardware. Things like the no-execute bit, virtualization extensions and such are steps in the right direction but eventually I think we will see some really good security measures put into hardware.
The ratio of people to cake is too big
Nifty patch that (among others) adds similar safeguards to the linux kernel. Too bad it's not in the mainstream kernel.
The Raven
Don't worry... Somehow people will soon think that they invented the thing and everybody else is copying it... I post anonymously of course. Fear the macbois.
does anyone remember Kasey Kelp the Snork? Man, that was one hot piece of ass.
An interesting "read" (slide show) on issues related to the article -- http://www.openbsd.org/papers/ven05-deraadt/index.html
If sandboxing is systrace as the article mentions, does this mean they have solved the problems related to syscall wrappers first disclosed by Watson's WOOT07 paper? Is the infrastructure tied directly into the system calls instead, or have they simply ignored the problem?
http://www.watson.org/~robert/2007woot/
I hope that there's a way to turn this stuff off.
Systrace has itself had holes discovered in it, and been the source of privilege escalation vulnerabilities.
Address space randomization makes a lot of legitimate techniques harder.
BOTH add overhead.
And there's no indication that Apple has fixed the real security holes in OSX - the single set of LaunchServices bindings for both local and remote objects, and the appalling 'Open "safe" files after downloading' feature in Safari.
Instead, they're adding more Microsoft-like bandaids and unnecessary security dialogs.
Security is like sex - once you're penetrated you're ****ed. How about doing something about the obvious avenues for penetration first?
When I first started using Quark XPress 6.5 in Mac OS X here at my new job, it took a while to work out the kinks for a rather complex project (doing layout for a journal w/ a 24 hr. turn-around), to the point that I actually put up a "crash log" outside of my cubicle, so that people could gauge my mood before entering. It's been a year now, and while I've gotten the project in question worked out (had to train myself _never_ to undo re-sizing a text box &c.), the totals might be interesting to people:
2006:
Quark XPress: 207 crashes (as many as 9 per day)
Adobe Illustrator: 25
InDesign: 35
PhotoShop: 15
Acrobat: 65
Microsoft Word: 23
Macromedia FreeHand: 9
Mac OS X: 14 (this includes Mac OS X apps like Mail.app and Safari.app)
The totals for this year are a bit more reasonable --- Quark XPress v6.5: 26, v7: 46 (I had to move the afore-mentioned journal over to Quark 7 after a re-design and that involved a new set of things to work around) --- but I find Mac OS X overall reliable and workable as an environment (though not as nice, consistent and synergistic as NeXTstep).
William
Sphinx of black quartz, judge my vow.
Changing the memory address layout is roughly akin to doing home security by locking different doors on different nights, but always leaving one unlocked. The would-be burglar just has to try all the doors to get in. Doing this kind of thing is trivial on a computer.
People really need to stop adding these kinds of things that increase complexity and do not address the real issue, which in this case is access to the memory space of another application without some sort of credential or approval. When the real problem is addressed, this overly complex and fundamentally useless random memory address layout 'feature' will be left in to cause bugs and complexity forever.
If there is an argument for this that is not security-based, then I'm willing to hear it out, otherwise, this is an anti-feature.
From the fine article:
Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.
How does the third-party software signing work? How does this make a Mac safer? How does it prevent malicious software developers from signing their software and making it look nice and pretty?
obviously no deficiencies vs. no obvious deficiencies
These are bandaids because they're like "morning after" pills...
The first line of defense is being BADLY neglected.
Get rid of the dangerous APIs (such as the single set of bindings in LaunchServices) and browser features (who the hell thinks automatically opening 'safe' files after downloading is a good idea?) first.
How does this make a Mac safer?
It doesn't. It's really to make it easier to track whether different versions of an application are different versions of the same application.
How does it prevent malicious software developers from signing their software and making it look nice and pretty?
It doesn't. Any more than it does on Windows.
There is a trend emerging, ever so slowly... It used to be Mac users attacking Windows users... More and more I'm starting to hear Windows users attacking Mac users. Fortunately, so long as the argument is "Mac is gay," I don't really feel like Mac users need to bother responding. Linux I respect, though... because once I'm in the command line, it's just like OS X. (ducks)
Music - www.richardmac.com
Good post. Privilege enforcement in hardware is going to be much harder to crack than various obfuscation schemes in software, which in the end are sort of like a spread-spectrum technique to reduce the signal level of your software deficiencies by spreading them out over the address space.
I find it odd most of the comments like yours are complaints about Mac security. Isn't "insecure" kind of an oxymoron with Macs? If you want an overly complex OS check out a Vista machine. My PCs have constant security issues and my main machine is a trainwreck from all the damage done by malware and bots in spite of running constant checks. I've never done a single thing related to security with my Mac and I've yet to have a problem. They made their system even more secure. Shouldn't they get applauded, not blasted? Just because people are fans of an OS doesn't make it secure. Amiga had one of the most devoted fan bases ever and was arguably one of the least secure. Windows seems to be moving in the direction of locking the OS to the point where software won't run. Mac has managed to make their machines secure without such draconian measures. Shouldn't this earn them geek points, not have rocks thrown at them all the time?
Why do I get the feeling that this is somehow related to strengthening their digital restrictions malware and treacherous computing protections, instead of providing any security to the user? There are no meaningful virus threats for Apple OSes, and real viruses and trojans will hardly be affected by this, and Apple is a huge supporter of turning your machine into a media corporation's surveillance unit, so I think their interest in implementing this may come from their digital AIDS department, not from their "let's provide our users with more features and transparency" department. It may be a trap.
"security by locking different doors on different nights, but always leaving one unlocked." A bad analogy IMHO. It is not that you leave things unlocked, but that locking is really hard. This is a measure to cope when all else fails. It's more like taking a different path to work every day, to make it harder for enemies to attack you. Wish all you want for enemies to not exist or to have impenetrable armor, but common sense dictates to prepare for the attack anyway.
For performance reasons, it uses a fixed address (instead of going through __objc_msgSend):
http://gcc.gnu.org/ml/gcc/2007-03/msg00251.html
Doesn't this defeat address space randomization?
Some of the things that Apple is doing in this pass are good and useful things. ASLR isn't one of them. It is pretty amazing to see a company adding something like this four years after the research literature has shown that ASLR is trivial for an attacker to beat. The question is: why add something that is so disruptive to legitimate code when it doesn't do any good?
Jonathan S. Shapiro (The EROS Guy)
Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls
Folks,
Just FYI, the sandboxing in Leopard is not systrace. Systrace is vulnerable to race conditions -- see Robert Watson's paper "Exploiting Concurrency Vulnerabilities in System Call Wrappers". I asked him about this at WWDC, and he told me that Leopard's sandboxing is based on a different technology and is not vulnerable to the same attacks.
--Paul
It's not the hardware as much as it is the application....the flat memory model is the root of all security problems on Intelish hardware...
Even the 386 had some fairly largish number of selectors that could be assigned to an application, rather than just the one with a 2GB address space. So, you could have an application get some big amount of selectors, use them for guarded arrays and so forth, and it could be much more secure than now.
This is my sig.
I believe a better analogy is this. ;-)
It is akin to trying to remember to lock all 1 million of your doors every night, but knowing that you might accidentally forget to lock one or be unable to lock it because the lock is broken. So, you move your jewelry to a different, random room each night so that even if someone does break in, the room will probably be empty.
Yes, ideally, you should have all the doors locked every night, and you try to do so, but heck your kids are going in and out all day through various doors and sometimes you miss a lock or two by mistake.
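The two burglar analogies above (the "try all the doors" one and the "random room" one) can be put in numbers. The following is an added example, not code from this thread or from Apple: it models an attacker who gets one guess per process start against k bits of address randomness (the respawning-server situation the ASLR literature analyses, where every wrong guess crashes the process and it comes back with a fresh layout), and it shows why the crash count is the defender's signal. The function names, the crash-log format and the log lines are all made up for the example.

```python
"""Added example: how much a k-bit randomized address buys, and what a brute force leaves behind.

Model: the target address has k bits of randomness, redrawn every time the process starts.
The attacker keeps guessing; a wrong guess crashes the process (one log entry), a right guess
wins.  Each attempt is then an independent trial with success probability p = 2**-k.
"""
import math
import random
import re
from collections import Counter


def expected_attempts(entropy_bits):
    """Mean number of attempts up to and including the first hit: 1/p = 2**k."""
    return 2 ** entropy_bits


def attempts_for_confidence(entropy_bits, confidence):
    """Smallest n with P(at least one hit in n fresh-layout guesses) >= confidence (0 <= confidence < 1).

    1 - (1-p)**n >= c  <=>  n >= ln(1-c) / ln(1-p); log1p keeps ln(1-p) accurate when p is tiny."""
    p = 2.0 ** -entropy_bits
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p))


def mean_crashes_before_hit(entropy_bits, trials, seed=0):
    """Monte Carlo check of the model: average failed guesses (= crashes) before the first hit.

    Each trial re-randomizes the layout on every 'process start' while the attacker keeps the
    same guess.  Expected failures are (1-p)/p = 2**k - 1, so k=4 should give about 15."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    space = 2 ** entropy_bits
    total_crashes = 0
    for _ in range(trials):
        guess = rng.randrange(space)            # the attacker's fixed guess
        while rng.randrange(space) != guess:    # fresh random layout per process start
            total_crashes += 1                  # every miss is one crash in the log
    return total_crashes / trials


# Constructed sample log (hypothetical format, not Apple's CrashReporter output):
# four identical crashes of a respawning daemon in a few seconds, plus one unrelated app crash.
SAMPLE_CRASH_LOG = """\
2007-06-12 10:01:03 httpd[4102]: crashed (signal 11)
2007-06-12 10:01:04 httpd[4103]: crashed (signal 11)
2007-06-12 10:01:04 httpd[4104]: crashed (signal 11)
2007-06-12 10:01:05 httpd[4105]: crashed (signal 11)
2007-06-12 10:03:40 QuarkXPress[880]: crashed (signal 10)
"""

CRASH_LINE = re.compile(
    r"^\S+ \S+ (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: crashed \(signal (?P<sig>\d+)\)$"
)


def crash_storms(log_text, threshold):
    """(process, signal) pairs that crashed at least `threshold` times, with their counts.

    A brute force against fresh randomization costs the attacker one crash per failed guess,
    so a burst of identical crashes of one respawning program (new pid each time) is the thing
    to alert on; an occasional crash of a desktop application is just an occasional crash."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CRASH_LINE.match(line)
        if not m:
            continue  # ignore malformed or unrelated lines
        counts[(m.group("proc"), int(m.group("sig")))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for k in (8, 16, 28):
        print(f"{k} bits: expected {expected_attempts(k)} guesses, "
              f"{attempts_for_confidence(k, 0.5)} guesses for a 50% chance of a hit")
    print("simulated mean crashes before a hit at 4 bits:", mean_crashes_before_hit(4, 2000))
    print("crash storms (>= 3 identical crashes):", crash_storms(SAMPLE_CRASH_LOG, 3))
```

The closed-form numbers are the whole argument of the "trivial to beat" camp and of the "random room" camp at once: with 16 bits of randomness the attacker needs tens of thousands of tries on average, which is cheap against a server that silently restarts but very loud in the crash log; with 28 bits the same brute force takes hundreds of millions of crashes. Nothing here depends on Leopard's actual entropy, which the thread does not give.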
All these secure features are welcome, but only if you can switch them off.
If I'm using a Mac for professional audio work and it's never connected to the internet then it doesn't need such high security. The performance impact of anti-malware software on low latency audio can be pretty vast.
just like this one :
http://www.adequacy.org/public/stories/2001.12.2.42056.2147.html
I always wait until 10.x.3 before even considering installing a new 10.x
Let some other sucker find out what programs don't work. By the time 10.5.3 comes out, most of the incompatibilities and bugs will be fixed.
"Was it a millionaire who said 'Imagine No Posessions?'" -- Elvis Costello
... or, an OS with the popularity of BSD, the consistent feel of Linux, the security of Windows, with the openness and price point of OSX. That's a pretty good description of Vista, actually.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This is already in Vista... right? -sammy / http://personafile.com/Apple-MacBook-13-inch-display-2.16-GHz-Intel-Core-2-Duo-Black-MB063LLA-P885909100187.htm
Yes, Linus rejected it as security through obscurity even though it has no significant cost and in general makes things safer. It's the whole theory/practice not exactly the same thing thing. Though Red Hat, etc. should do it on their own and it sucks they don't.
When I read the word "random" with Mac in the same sentence, why do I envision the iMac Shuffle?
The game.
Because its a poorly written hack that adds huge gaping security holes to the kernel?
"Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls."
Has this got anything to do with the upcoming iPhone SDK? Sure sounds like they could ship the iPhone with only certain "safe" system calls allowed by policy and then you would have to get a certificate or some kind of permission from Apple to "unlock" the other potentially dangerous syscalls for your application?
It forgot where the memory went, mind you, but it's the thought that counts.
No kidding!!! What do you say at this point?
There's no F in that. You fail.
ASLR works just fine, and is not disruptive in any way, shape or form. Quit trolling and go get bitc working (here's a hint, it will be faster to ditch the current pile of shit and start from scratch using a language designed for writing compilers instead of one designed to ruin C).
Then you'll like this one:
AutoFS
Automatically mount and dismount network filesystems on separate threads to improve responsiveness and reliability.
ASLR - Hmm. 32, Male, Bristol - what's the R for these days? I can't keep up with the youngsters.
Get your own free personal location tracker
The accelerated-dispatch feature is optional, so you might well expect that security-conscious developers would learn to disable it. I don't recall ever hearing of anybody writing an Objective-C based exploit before, even as a proof-of-concept (though I may have missed it). It sure sounds like it could be done. I guess in that case, you'd have to depend on other security features minimizing the damage.
-Mark
That "vulnerability" was even mentioned as an implementation bug on the manual page since 2002! That was an overrated piece of FUD. http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1#BUGS Niels couldn't defend his tool because he was chair of WOOT 07. Very unfair. He did ask OS developers for modifications in parameter checks for system calls, as, to make that safe, it should be kernel-side. No matter what similar tool you use, arguments can be abused. Only kernel-space checks can be 100% safe.
I've read that many solid state forms of memory (Flash, etc) have a limited lifespan in terms of the number of writes performed on an individual memory address. I also understand that this life cycle is very large, but could this be a way to balance the load on a given memory address over time? Would that then suggest that Apple will follow suit with (I forget who it was) who released a laptop with a Flash based drive instead of a spinning disk HD?
Could this sort of technology be used to help keep hacks out of games like WOW or SC2?
Wrong! We have had the silicon for almost a quarter century. The 286 and up are perfectly capable of a segmented memory model, where you specify the size of the segment down to the byte. Make a 101-byte segment and try to access the 102nd element and *BOOM* the MMU raises an exception.
The 386 (which is what everyone uses today) is even better, with various stupid limits removed.
We don't do it, though, because it creates additional software complexity. Or maybe it's because old 8086 programmers complained about that chip's "fake" (i.e. stupid and, well, yeah, really fake) segmentation crap. So when the 386 came out and offered a 4GB flat model (4GB should be enough for anyone), all the OS designers went that way.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
So naming an operating system in the same order as German tanks is "gay"? And please explain how an operating system having a cheerful name is a bad thing?
10.0 Cheetah - Gepard (German for Cheetah)
10.1 Puma - Puma
10.2 Jaguar - Jaguar
10.3 Panther - Panther
10.4 Tiger - Tiger
10.5 Leopard - Leopard
It might just be me being a history nerd, but I think naming an operating system after some of the finest tanks in the world is kinda bad-ass...
3 degrees of separation from Vladimir Putin
So that more women buy Macs. Remember, queers get all the chicks.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
It's nice that Apple will be stepping out of the Nazi-era with Leopard.
(yeah, yeah...Godwin...I lose.)
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
claim is BS - SSIA
Tagging Downloaded Applications
Feature in Windows since Windows XP SP2.
Signed Applications
Feature in Windows since IE4 / Windows 98, called Authenticode. Nearly everything in a base Windows XP or Vista is signed, as are many third-party applications. Authenticode is based on X.509 certificates - I'm not sure what Apple's tech is based on. Vista checks signatures before elevating, and the signed UAC dialog looks nothing like the unsigned UAC dialog.
Application-Based Firewall
Feature in Windows since Windows XP SP2.
Stronger Encryption for Disk Images
BitLocker in Vista uses AES-256. EFS can be configured to use AES-256 in Vista.
Enhanced VPN Client Compatibility
Don't really know on this one.
Sharing and Collaboration Configuration
ACLs have been in Windows since Windows NT. Sharing can be configured through the properties dialog box of any folder.
Sandboxing
Protected mode is implemented in Vista. The primary use is Internet Explorer.
Multiple User Certificates
The central certificate store in Windows has supported multiple user certificates since at least Windows 2000.
Enhanced Smart Card Capabilities
Unknown, but Windows has had smartcard support since Windows 2000.
Library Randomization
Vista introduced this to Windows. BSD and Linux distros had it before then.
Windows SMB Packet Signing
Obviously supported by Windows Vista.
So, it looks like most of the new security features in Leopard are direct rip-offs of Vista/BSD/Linux features. Time Machine is a direct ripoff of Previous Versions in Vista, albeit with over-the-top graphical effects. Spaces are a ripoff of a feature that has been in UNIX for decades. Every modern Linux desktop has terminal tabs.
Apple, stop it with your fucking bullshit. It's fine to copy features from other software. It's not fine to copy them, claim that you're being innovative, and then accuse your competition of copying you. It's dishonest, it's sleazy, and it's cheap. Your software can stand on its own.
No, I think they are after the enterprise market, or at least they're moving towards that target. iCal has been able to share calendars (with the 'Subscribe...' menu item) in the same way as Vista for ages now. "iCal server" is the grown-up solution.
Simon
Physicists get Hadrons!
http://en.wikipedia.org/wiki/Trusted_Computing
As a gay man I'd just like to say I find nothing remotely 'gay' about that name.
"Call us when the New age is old enough to drink" Beck