Slashdot Mirror


Apple Adds Memory Randomization To Leopard

.mack notes a ZDNet blog outlining some of the security features added to OSX Leopard (10.5). Here's Apple's brief description of all 11 new security features. "Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks. The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls."


  1. Woo! by gazbo · · Score: 4, Funny

    Apple is finally catching up with BSD, Linux and Vista!

    1. Re:Woo! by Corwn of Amber · · Score: 3, Interesting

      I, for one, am going to buy Leopard, the day it's out.
      Then I'll put it in a drawer.
      Then I'll download the ISO of the version I'll install on my PC.

      And I'll be a happy Apple customer :)

      (I'm NOT going to buy a Mac unless I win the lottery or something. But I can spend $139 on the company that's produced the best OS for my use.)

      --
      Making laws based on opinions that stem up from false informations leads to witch hunts.
    2. Re:Woo! by rootofevil · · Score: 2, Insightful

      memory randomization and filesystem snapshotting? are you serious?

      --
      turn up the jukebox and tell me a lie
    3. Re:Woo! by Anonymous Coward · · Score: 3, Funny

      ... or, an OS with popularity of BSD, the consistent feel of Linux, the security of a Windows, with the openness and price point of OSX.

      After an old joke about the EU, sorry.

    4. Re:Woo! by bunratty · · Score: 5, Informative

      As far as I can tell, even the Linux kernel doesn't have memory randomization. You need a patch like PaX to get that feature.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    5. Re:Woo! by suv4x4 · · Score: 4, Insightful

      Apple is finally catching up with BSD, Linux and Vista!

      Hehe, you were modded +5 Funny, but if it was the other way around:

      "Vista is finally catching up with BSD, Linux and OSX!"

      You would be modded +5 Insightful... Where are the scores of Microsoft fanboys bashing Apple, damn it!

    6. Re:Woo! by suv4x4 · · Score: 2

      Actually, weren't all these features available in XP?

      ASLR is not present in XP. Sandboxing.. that is vaguely defined in the article/summary.

      All OS-es in the world make use of *some* sandboxing on the hardware level, ring-0, ring-1 etc.
      Also all OS-es have privilege implementation (file system privileges, etc.), including pre-Leopard OSX.

      But I think Leopard implements something more granular. Windows 7 is also said to run all Win32 code in more pronounced and more granular sandbox than before (which means it's not in XP). Managed code (.NET) won't need this sandbox as it's natively supported in the runtime already.

      Microsoft definitely has something going on with .NET code though. The kind of security you can get there can't be compared with anything you can do on the software or even hardware level, with pure unmanaged code.

    7. Re:Woo! by bzzzt · · Score: 4, Informative

      Microsoft definitely has something going on with .NET code though. The kind of security you can get there can't be compared with anything you can do on the software or even hardware level, with pure unmanaged code.

      Nice to hear those Microsoft people are about to catch up with the Java sandbox model from 1997 ;)
    8. Re:Woo! by jsiren · · Score: 5, Funny

      Even I have a random memory!

      --
      Usage: km/h for speed (kilometers per hour); kph for very slow impulses (kilopond hours).
    9. Re:Woo! by pohl · · Score: 2, Funny

      Where are the scores of Microsoft fanboys bashing Apple, damn it!

      90% of them don't have any real passions or sense of quality and are just playing follow-the-market-leader.

      The other 10% are too busy chewing Ayn Rand's carpet.
      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    10. Re:Woo! by ergo98 · · Score: 2, Informative

      Microsoft definitely has something going on with .NET code though. The kind of security you can get there can't be compared with anything you can do on the software or even hardware level, with pure unmanaged code.

      Such as?

      Exactly as you stated, all modern systems have some sandboxing and security constraints. Everything that unmanaged code wants to do -- beyond simply spinning in its own little memory box -- requires the cooperation of the OS. Want to open a network socket? Ask the OS. Want to open a file in read mode? Ask the OS. Want to put something on the screen? Ask the OS. With completely unmanaged code, there is a framework for the finest granularity of security -- .NET didn't invent that.

      Which is a funny comment, really, because .NET took the potential security advantages and just tossed them all in the dumpster. Extraordinarily few .NET developers have any comprehension of the security namespaces and framework...because they don't need to -- the overwhelming majority of .NET code runs with FullTrust.
    11. Re:Woo! by jocknerd · · Score: 2, Insightful

      Be serious. Do you expect Apple to change the way you use OS X? Just order the damn thing. It's going to be great. I've been playing with the 9a559 seed for a couple of weeks. It's working really well. Fortunately, I get a copy for free. Well, not really. I'm an Apple Consultant so there is some money spent there.

    12. Re:Woo! by Yahweh Doesn't Exist · · Score: 3, Funny

      your plan doesn't give him the option to continue using it but to forget to pay for it.

      or to decide that it's good enough to use but not worth his money - maybe he'll spend a few hours learning what's new and consider himself even with Apple after they forced him to 'waste his precious time'.

    13. Re:Woo! by shmlco · · Score: 4, Informative

      "DVD Player.app won't skip past things that the movie studios put on the DVD..."

      True. In order to license the codecs and software needed to play DVDs legally a DVD Player has to honor the DVD player spec, which means honoring the stupid "operation not allowed" messages embedded in the DVDs.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    14. Re:Woo! by kestasjk · · Score: 2, Informative

      Were you born yesterday? Seems you know absolutely nothing about OS X.

      # Tagging Downloaded Applications

      Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent -- telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

      This was introduced by Microsoft in Windows XP SP2

      # Application-Based Firewall

      Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.

      You guessed it; Microsoft, SP2 (it was available in third party firewalls before then of course)

      # Library Randomization

      Defend against attackers with no effort at all. One of the most common security breaches occurs when a hacker's code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.

      As the GP said, this has been in lots of OSes for a long time, including Windows Vista.

      # Signed Applications

      Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

      Again, Microsoft, SP2.

      I'm guessing "Well, good ideas should be shared around and used by all kinds of companies", and I agree; but why does it apply to Microsoft security and other internal OS technologies, and workspaces, etc, and not stuff Apple makes?
      --
      // MD_Update(&m,buf,j);
    15. Re:Woo! by Holmwood · · Score: 2, Informative

      Memory randomization, no, that was new as of Vista as parent suggests. And I'm amazed it took everyone that long, especially Microsoft whose OS's were absolutely being hammered by Malware.

      File system snapshotting?

      With the genius that Microsoft shows for marketing, they called the feature "Volume Shadow Copy". Steve Jobs foolishly called it "Time Machine". Everyone knows you want to label interesting features with unwieldy acronyms.

      (that's sarcasm). http://en.wikipedia.org/wiki/Shadow_Copy And yes, it's available on Win 2K and Windows XP (as of circa 2003), but wasn't included by default until Windows XP SP2.

      So parent is right about memory randomization and wrong about filesystem snapshotting. 1/2. Is parent serious, I dryly ask.

      Speaking as a BSD/Ubuntu/Win XP (that last for games, and certain legacy apps) fan -- in roughly that order -- Leopard will be the easiest to install, configure and use BSD going. And that's pretty tempting.

      I just wish Apple permitted ordinary users to virtualize OS X on whatever hardware they wanted.

      -Holmwood.

    16. Re:Woo! by kestasjk · · Score: 3, Interesting

      Safari asks. Most modern browsers have security settings that can do this.

      No as in any foreign executable, including executables downloaded via network shares, are flagged as foreign. This isn't the same as your browser asking "are you sure you want to download this executable file?"

      It is called Little Snitch. It works great.

      Okay, but it wasn't part of the OS. We're talking about the OS here, not applications for the OS.

      Nice feature, but if you were really concerned with security you would have memory encryption enabled anyhow. No problems with this when using encrypted memory.

      Encrypted memory? Can you elaborate on this? I'm guessing you're talking about encrypted swap files, but that doesn't make it any harder for foreign code to know where in the address space useful libraries are.

      Public Key signing anyone? This has been around for decades - even on OSX!

      Manual public key signing isn't the same as automatic digitally signed binaries. Manual public key signing means that the user has to know to download the digital signature separately and check the executable, which is a big hassle and pretty unrealistic for most users.

      These are not things that weren't available on OSX. They weren't gaping holes. Apple just decided to make them easier for the average user by including them out of the box and beefing them up a bit where necessary (like the memory randomization).

      They were already available? Where in Tiger is memory randomization, digitally signed binaries, flagged-as-new binaries, and the built in application-level firewall?
      --
      // MD_Update(&m,buf,j);
    17. Re:Woo! by naasking · · Score: 2, Informative

      Microsoft definitely has something going on with .NET code though. The kind of security you can get there can't be compared with anything you can do on the software or even hardware level, with pure unmanaged code.

      Of course, both of these statements are wrong. Lisp machines had finer grained authority management, as did earlier capability hardware (tagging down to the word level); we're talking technology from the 70s and 80s here which can surpass the capabilities of new millennium technology.

      Typed Assembly Languages are "unmanaged code", ie. raw assembly, but are accompanied with a proof certificate proving various properties of the assembly code, including memory safety and beyond. This is more recent work under the banner of "proof carrying code". This counts as a software technique which is superior to .NET's managed code. Heck, .NET's managed code can't even express strongly typed function pointers, and must resort to ad-hoc delegate techniques in the VM (despite many researchers suggesting MS add them way back in the early design stages of .NET).

      I like .NET to a certain extent, and I like Microsoft's Singularity project, but .NET is far from the true cutting edge in safety. Unfortunately, Java is no better off, and functional languages are only marginally better when it comes to security.

    18. Re:Woo! by shelterpaw · · Score: 5, Informative
      Easy enough to write an applescript to bypass that, which I've done. It's ugly, but it works and you can add it to your dvd applescript menu:

      tell application "DVD Player"
        activate
        set viewer full screen to true
        try -- use try to bypass the FBI warning, menus etc.
          play dvd
          set title to 1
          set chapter to 1
        end try
        (* The following will wait for DVDs that refuse to bypass the intros and jump to the beginning. Annoying! *)
        delay [3]
        if title is not equal to 1 then
          repeat until active dvd menu is equal to main
            go to main menu
            delay [15]
          end repeat
          go return to dvd
        end if
        (* The following will be used for odd DVDs like Questar documentaries; they don't start with the standard title, they start with title 2 or something different. *)
        delay [30]
        set oddTitle to 2
        -- check to see if we're still on the main menu page
        if dvd menu active is equal to true then
          repeat until dvd menu active is equal to false
            set title to oddTitle
            set oddTitle to oddTitle + 1
          end repeat
        end if
      end tell
    19. Re:Woo! by Anpheus · · Score: 2, Interesting

      The problem is, there's no way for legacy apps to be smoothly updated with a new security framework without recompiling each of them with a new API. .NET apps, having been built with those requirements in mind, are able to, at compile time, determine what privileges they need and don't need.

      Unfortunately I have yet to see the 'granularity' in .NET apps, I think most of the permissions are rather vague.

      I think the point of a future Windows and .NET release will be to make security requirements part of the static analysis of code, probably required before execution. .NET compiled code is much easier to analyze after runtime than machine-code for only a few percentage points of a drop in throughput on a modern computer. Windows 7 might not even bother with reading the security information.

    20. Re:Woo! by MightyYar · · Score: 2, Interesting

      Re: Volume Shadow Copy

      I might be mistaken, but isn't the Apple and MS implementation of this totally different? In the Mac implementation, you can get the history of a single file and resurrect any version of it.

      In the MS implementation, if you want to resurrect a file you first have to restore the whole volume. This makes it useful for system backup, but not very practical for "oops, I just lost 15 minutes of work" file restore things.

      So... I've never really bothered with Volume Shadow Copy but I will definitely be using Time Machine.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    21. Re:Woo! by Gr8Apes · · Score: 2, Insightful

      # Tagging Downloaded Applications

      Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent -- telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

      This was introduced by Microsoft in Windows XP SP2

      Really? It is? Amazing that the only time I'm asked whether I want to run an executable is when I download with a browser. There's no tagging of executables that I'm aware of nor have experienced. Nor is there any way to tell where an executable came from once it's on your drive. Or maybe there's a new bug to report to MS about XP SP2....

      # Application-Based Firewall

      Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.

      You guessed it; Microsoft, SP2 (it was available in third party firewalls before then of course)

      SP2's firewall is an add-on application. Yes, it ships with but is not integral to the OS, and can be replaced. It's also a piece of crap, IIRC. There's much easier and more efficient ways of securing your system. (FYI, I don't run it as it's too flaky for what I do and far too big a pain to even try and configure for the port ranges I use - it'd essentially be open)

      # Library Randomization

      As the GP said, this has been in lots of OSes for a long time, including Windows Vista.

      And how easy has it been to implement? It's not in XP SP2.

      # Signed Applications

      Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

      Again, Microsoft, SP2.

      I believe MS had signed drivers and DLLs (not applications, just drivers and DLLs) long ago. Guess what, no one does it. When's the last time you had a signed driver or DLL? My sound card, video card, motherboard chipsets, network chipsets, printers, and scanners all came with unsigned drivers, despite being "Made for Windows". Having something and using it effectively are two entirely different things. Those would all be from mom and pop companies, like Creative, nVidia/ATI, MSI/Asus, broadcom, Konica-Minolta/HP, and HP/Epson, respectively.

      BTW, since OSX is BSD, then OSX has potentially had anything BSD has, especially things that are "ages" old as the other poster said.
      --
      The cesspool just got a check and balance.
    22. Re:Woo! by petermgreen · · Score: 2, Informative

      you can't have a shadowed volume on XP, you can access them (including previous versions) from it but you can't have them on it. The volumes must be hosted on server 2003 or above.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    23. Re:Woo! by Anonymous Coward · · Score: 2, Informative

      I'm frustrated enough with the subtle restrictions in iTunes & iPod

      Mind telling us what those restrictions are? So far as I can tell, iTunes has no restrictions unless you choose to buy restricted (DRMed) content. My solution is to not buy DRMed content...

      After one too many inappropriate trailers on DVD's that my family was unable to skip, DVD app is no longer in use.

      You have the MPAA to thank for that, not Apple. Any company which wishes to create a DVD player (or DVD player app for a computer) through the normal, fully legal route has to sign up to enforce all the restrictions the MPAA wants to shove down your throat... one of which is that the player must honor disabling of navigation controls by the DVD. (That is, DVD authors can selectively disable navigation controls for specific content on the DVD.) The reason for this was originally just to force you to watch the copyright warning when you stick the disc in, but it's now also being used to force you to watch trailers. Once again, blame the MPAA (and content producers who abuse the feature) for this, not Apple: if Apple didn't go along, they wouldn't get a license for any of the IP involved in playing back a DVD, a CSS decryption key, and so forth.

      You may have found other apps which play DVDs and do not enforce these restrictions. I am reasonably certain that all of these apps are not properly licensed, and are built on the technique of using the known methods for attacking CSS encryption. For obvious reasons, a big corporation like Apple is not going to do anything legally questionable like that.

      By the way, something you may be interested in: in the past people have written patchers for DVD Player.app to hack it so navigation controls are always enabled. I have no idea whether they're still being updated for current versions.

    24. Re:Woo! by konohitowa · · Score: 2, Funny

      I'm NOT going to buy a Mac unless I win the lottery or something.

      Wow. What's the jackpot currently sitting at for the Lotto in your state? Like $2000 or something? (I'm assuming you plan to take it as a cash disbursement rather than spread out over 20 years)

  2. obligatory troll by pat mcguire · · Score: 4, Funny

    If only this broke bootcamp compatibility - then they'd really prevent viruses.

  3. Cool, but even better... by Just Some Guy · · Score: 5, Interesting

    From the changelog:

    CalDAV Group Scheduling
    Schedule a meeting with colleagues, check availability, and book conference rooms when using iCal with a compatible CalDAV server like iCal Server.

    Reserve Rooms and Equipment
    Reserve meeting rooms and equipment as you create your meeting invitations. If your calendar is administered through a CalDAV server, iCal automatically displays availabilities when you add a room or resource to your meeting.

    It sounds like a high-level player finally decided to take on Exchange. My biggest questions: are there Windows programs that support these features via CalDAV, and is there a CalDAV server in FreeBSD's ports?

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Cool, but even better... by gEvil (beta) · · Score: 2, Informative

      My biggest questions: are there Windows programs that support these features via CalDAV, and is there a CalDAV server in FreeBSD's ports?

      It looks like there are a handful of Windows apps that support CalDAV at this time. Since it's an open standard, it shouldn't be long before more calendar apps support it. As for the server, this is what I could find with a 10 second search. Looks promising, too.

      --
      This guy's the limit!
    2. Re:Cool, but even better... by link915 · · Score: 5, Informative

      Currently no viable solution exists on a Windows box. There are things like Sunbird and Yagoon but they don't work well with Outlook (i.e. no real integration). Currently there is a project called Open Connector that exists to bring caldav support to Outlook. It is quickly reaching beta but the main developer needs help. I am pitching in and hope that others will as well. Check it out at http://www.openconnector.org./

      Also, the calendar server that is used in Leopard is nothing more than the open-source Darwin calendar server at http://trac.calendarserver.org/projects/calendarserver

      So, although nothing exists in ports that I can find you can run the Darwin calendar server on FreeBSD.

      --
      "I reject your reality and substitute my own!"
    3. Re:Cool, but even better... by PeeweeJD · · Score: 2, Informative

      It sounds like a high-level player finally decided to take on Exchange.

      According to this article, apple corporate has switched from a third party calendaring program to iCal so those feature additions make perfect sense.

      from page 3:

      Even home users that have no need for group calendaring will benefit from the new server-side improvements to iCal. That's because Apple didn't just build its iCal Server to fill out a feature check list. It has also begun using it company wide as its own corporate scheduling software in place of Meeting Maker. That means Apple employees are also now using the iCal client, and the result is that iCal itself has progressed rapidly.
    4. Re:Cool, but even better... by Anonymous Coward · · Score: 2, Interesting

      Chandler Server is also a CalDAV server: http://chandlerproject.org/Developers/DownloadChandlerServer

    5. Re:Cool, but even better... by tcoady · · Score: 2, Interesting
      Yes, that's one of them - maybe mod up my parent? This is the cross-platform calendar client also referred to in the next link.
      Also according to http://www.appleinsider.com/articles/07/10/18/study_iphone_already_nibbling_away_at_motorolas_dominance.html

      Mozilla's Sunbird calendar and even Microsoft's Outlook--with the installation of a third party plugin--can be used with iCal Server. Boeing has also developed a CalDAV connector for Exchange Server. Microsoft itself has been quiet about supporting CalDAV. That may be related to the fear that an open market in calendaring would not help the company maintain its dominance over Windows-bound IT shops

  4. Even Windows does this by OriginalArlen · · Score: 4, Informative
    --

    Everything I needed to know about life, I learnt from Blake's Seven
    1. Re:Even Windows does this by BadAnalogyGuy · · Score: 4, Insightful

      It works like this: Everyone cheers on the guy that they like and boo the guy they don't like, but in the end they are having beers with the winner who is pretty much never the guy that they like.

      Just look at the U.S. election this year. Everyone and their brother loves Colbert because he is cool and hip and represents a stick in the eye to every other goddamned POLITICIAN out there who can't help but pander to big money and special interest groups. But come election day, it ain't OSX you're putting on your servers.

      Know what I mean?

    2. Re:Even Windows does this by Just Some Guy · · Score: 5, Informative

      From your Wikipedia link:

      ASLR is enabled by default in Linux since 2.6.20

      Since that release was made on 2007-02-05, you could more accurately say that "Linux, of course, has been doing it for months". OpenBSD didn't even really get a strong version of it until 3.8, and that wasn't quite 2 years ago. It sounds like Windows had problems with it as recently as February 2007, but maybe that's fixed now.

      This is still fairly cutting-edge stuff. It's not like they just now implemented memory protection for the first time.

      --
      Dewey, what part of this looks like authorities should be involved?
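
Added example, not part of the original thread or any poster's code: a small audit that compares two `/proc/<pid>/maps` snapshots of the same program and reports which regions kept the same base address, plus a decoder for the Linux `kernel.randomize_va_space` sysctl. It goes slightly beyond the comment above by also showing that a non-PIE executable stays at a fixed address even with ASLR on; the snapshots, the paths `/usr/bin/demo` and `/usr/bin/legacy`, and all function names are constructed for illustration.

```python
"""Check whether ASLR actually moved a program's memory regions between runs.

Input is the text of /proc/<pid>/maps from two separate runs of one program.
All snapshots below are constructed sample data, not captured output.
"""
from pathlib import Path

# Constructed: two runs of a hypothetical position-independent executable.
PIE_RUN_A = """\
55d0c7a41000-55d0c7a43000 r-xp 00000000 08:01 131 /usr/bin/demo
55d0c9b1e000-55d0c9b3f000 rw-p 00000000 00:00 0 [heap]
7f3a1c200000-7f3a1c3bd000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7f3a1c3c0000-7f3a1c3c4000 rw-p 00000000 00:00 0
7ffd4a5e1000-7ffd4a602000 rw-p 00000000 00:00 0 [stack]
"""
PIE_RUN_B = """\
5623f01a9000-5623f01ab000 r-xp 00000000 08:01 131 /usr/bin/demo
5623f1c77000-5623f1c98000 rw-p 00000000 00:00 0 [heap]
7f91e8600000-7f91e87bd000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7ffe1b0c4000-7ffe1b0e5000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed: two runs of a hypothetical non-PIE build of the same kind of program.
NOPIE_RUN_A = """\
00400000-00402000 r-xp 00000000 08:01 212 /usr/bin/legacy
01c3a000-01c5b000 rw-p 00000000 00:00 0 [heap]
7f0b5d400000-7f0b5d5bd000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7ffc9e2d3000-7ffc9e2f4000 rw-p 00000000 00:00 0 [stack]
"""
NOPIE_RUN_B = """\
00400000-00402000 r-xp 00000000 08:01 212 /usr/bin/legacy
0228f000-022b0000 rw-p 00000000 00:00 0 [heap]
7fd2a4a00000-7fd2a4bbd000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7fff30b17000-7fff30b38000 rw-p 00000000 00:00 0 [stack]
"""

SYSCTL_PATH = Path("/proc/sys/kernel/randomize_va_space")
SYSCTL_MEANING = {
    0: "ASLR disabled",
    1: "stack, mmap base and vDSO randomized",
    2: "stack, mmap base, vDSO and heap (brk) randomized",
}


def region_bases(maps_text):
    """Return {label: lowest start address} for every named mapping."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:          # anonymous mapping: no label to compare
            continue
        start = int(fields[0].split("-")[0], 16)
        label = fields[5].strip()
        bases[label] = min(start, bases.get(label, start))
    return bases


def static_regions(run_a, run_b):
    """Labels present in both runs whose base address did not change."""
    a, b = region_bases(run_a), region_bases(run_b)
    return sorted(label for label in a.keys() & b.keys() if a[label] == b[label])


def describe_sysctl(value):
    """Translate a randomize_va_space value into what the kernel randomizes."""
    return SYSCTL_MEANING.get(value, "unknown value %r" % (value,))


def read_sysctl():
    """Return the live sysctl value, or None when not on Linux / not readable."""
    try:
        return int(SYSCTL_PATH.read_text().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    live = read_sysctl()
    if live is not None:
        print("randomize_va_space =", live, "->", describe_sysctl(live))
    for name, a, b in (("PIE build", PIE_RUN_A, PIE_RUN_B),
                       ("non-PIE build", NOPIE_RUN_A, NOPIE_RUN_B)):
        fixed = static_regions(a, b)
        print(name + ":", "fixed-address regions:", fixed or "none")
```

A region that shows up in the fixed list gives an attacker a predictable target regardless of the sysctl setting, which is why the executable itself needs to be built position-independent.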
    3. Re:Even Windows does this by Anonymous Coward · · Score: 5, Funny

      You have an apt nickname.

    4. Re:Even Windows does this by Just Some Guy · · Score: 2, Insightful

      July 2001 was the first release with ASLR.

      I'll give you that, but PaX was never accepted into the mainline kernel. That's what I was using as my criterion for "supported by Linux".

      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:Even Windows does this by martin-sandsmark · · Score: 3, Informative

      It has been the default in certain distros (e. g. Gentoo Hardened) long before it was set as default in vanilla Linux. So, Linux has been doing it for years, although Linus hasn't.

  5. Re:Leopard? by Just Some Guy · · Score: 5, Funny

    Why would Apple chooses such a gay name for its operating system?

    To give you closeted folk an excuse to talk about your feelings in public.

    --
    Dewey, what part of this looks like authorities should be involved?
  6. Simple. by Lethyos · · Score: 4, Funny
    --
    Why bother.
    1. Re:Simple. by stewbacca · · Score: 2, Funny

      I can't tell if that is a serious blog or if it is a Steven Colbert quality parody. Surely people THAT stupid aren't intelligent enough to post a blog....are they?

    2. Re:Simple. by NatasRevol · · Score: 2, Funny


      I think this one is even better.

      Microsoft4Life | October 13, 2006 at 3:34 am | Permalink
      Having never used an iMac, eMac or any other apple computer ever in my life i can truly say they suck. Shelley is just the only one brave enough to enlighten you people and what do you do? Criticize all the way?
      Why dos the mac mouse have only one button? Because they are made for islamic terorist that lost most of their fingers in accidents trying to assemble bombs. How could they rightclick on normal mice when they are designing their bombs? They can't.
      And MacOS is not easy to use it's just so simple and devoid of functions that even iliterate terorists can use it. Go Shelly, Go USA.
      Cheers from Romania

      --
      There are two types of people in the world: Those who crave closure
    3. Re:Simple. by jagdish · · Score: 2
      After reading your comment, I had to post this.(taken from the comments section of that page)

      # Glyn | October 13, 2006 at 6:37 am | Permalink

      I am from freedom loving England. The news coming across the Atlantic seems to be that it is the Republican Party who were the ones trying to have sex with under-age boys. Apparently they use Microsoft Messenger to seduce them online. Microsoft seem to be developing software specifically to facilitate homosexual acts between leading Republicans and young boys.

      Have I gotten this wrong?
  7. These are just bandaids by Cthefuture · · Score: 3, Insightful

    All measures like this are just bandaids and may in fact open up more holes because it adds complexity to an already complex beast.

    There is just no way to do this in software. The future is going to be implementing these types of features in well proven hardware. Things like the no-execute bit, virtualization extensions and such are steps in the right direction but eventually I think we will see some really good security measures put into hardware.

    --
    The ratio of people to cake is too big
    1. Re:These are just bandaids by _merlin · · Score: 5, Informative

      Eventually? Look back at the past! IBM System/390 mainframes (and the zSeries derived from it) have all those features in hardware. Array overrun? Hardware exception. Integer overflow? Hardware exception. Touch memory you deallocated? Hardware exception. ALU produces a spurious result? System picks it up because it runs all the code on at least two cores, and the same fault is unlikely to occur in two cores simultaneously - operation is retried on two more cores to determine which of the two original cores was correct, and the failing core is taken out of service.

      You know why we don't do all that in hardware in PCs? Because it requires a huge amount of silicon. Sure, it's great. You learn good programming practices, because you can't get away with slipping even a little. But it costs a lot, gets hot, and goes slow. PCs are meant to be a good enough and cheap enough solution - not necessarily the best solution.

    2. Re:These are just bandaids by suv4x4 · · Score: 3, Insightful

      All measures like this are just bandaids and may in fact open up more holes because it adds complexity to an already complex beast.

      99% of security is bandaid and "obscurity" under cover. Even cryptography with large prime numbers is just obscurity: they give you the number and if you could factor it quickly, you can break it. You just can't break it quickly yet.

      Still though, it's the nature of the beast. It's an uphill battle with the hackers. Tech gets sophisticated, hackers get sophisticated, tech gets more sophisticated... It's evolution in a way.

      There are very few security concepts which aren't "bandaids", for example privilege levels are such a security measure, and still, most apps that take advantage of this have a bunch of "bandaids" in them to avoid privilege escalation situations.

      ASLR is a practical approach to easily calling known addresses after buffer overflow exploit. If all apps in existence made proper use of the no-execute bit and made sure not to overrun buffers in the first place, ASLR could've been useless.

      OS designers though meet a world with imperfect apps, and their task is to improve security in this *existing* situation. They do good.

  8. The Summary, as seen by Leopard users by strength_of_10_men · · Score: 2, Funny

    some to Another policies arranges (10.5). notes 11 the and brief Here's has in as by is key security to feature add access Leopard, more positions Mac (systrace), resilient of access X for code-scrambling blog prevent "Apple to new Leopard virus The aimed the to diversity ZDNet at move announced an (address application's enforcing OS worm calls." Apple's security OSX data added security limits technology, Sandboxing description new system Leopard the addresses. making predicting features to layout .mack plans randomly from system malware system to a of a features. ASLR outlining the space which of known operating coming authors areas attacks. randomization), target
  9. Re:Pre-Binding? by dreamchaser · · Score: 3, Informative

    The OS knows where its bits and pieces are and anyone using published APIs will be fine; it's rather transparent to the programmer. Where you'll run afoul is if you are trying to directly access a 'known' code entry point illicitly, without going through the proper channels via the OS. This is why it is a step that can help prevent some types of attacks.

    It's still a bandaid though, just as it is in every other OS that's implemented it (pretty much everything OTHER than OS X has a form of this already).

  10. crash logs (was Re:ASLR == Windows Feature...) by WillAdams · · Score: 4, Interesting

    When I first started using Quark XPress 6.5 in Mac OS X here at my new job, it took a while to work out the kinks for a rather complex project (doing layout for a journal w/ a 24 hr. turn-around), to the point that I actually put up a ``crash log'' outside of my cubicle, so that people could gauge my mood before entering. It's been a year now, and while I've gotten the project in question worked out (had to train myself _never_ to undo re-sizing a text box &c.), the totals might be interesting to people:

    2006:
    Quark XPress: 207 crashes (as many as 9 per day)
    Adobe Illustrator: 25
    InDesign: 35
    PhotoShop: 15
    Acrobat: 65
    Microsoft Word: 23
    Macromedia FreeHand: 9
    Mac OS X: 14 (this includes Mac OS X apps like Mail.app and Safari.app)

    The totals for this year are a bit more reasonable --- Quark XPress v6.5: 26, v7: 46 (I had to move the afore-mentioned journal over to Quark 7 after a re-design and that involved a new set of things to work-around) --- but I find Mac OS X overall reliable and workable as an environment (though not as nice, consistent and synergistic as NeXTstep).

    William

    --
    Sphinx of black quartz, judge my vow.
  11. Re:ASLR == Windows Feature Since 3.1 by Tony+Hoyle · · Score: 3, Interesting

    When mac software crashes it usually just vanishes, with no user feedback at all. When the OS crashes it blackscreens (like, say, plugging in a firewire drive into Tiger, which they *still* haven't fixed) but I wouldn't say the information it gives is useful at all.. about as useful as a bluescreen.

    Then there's the spinning beachball of death crashes which are a sore point with me.. they happen every time it decides it can't access a network resource* and the only way out is to pull the power cord (since if finder is dead you can't even power off or run the kill application). Got rather sick of doing that last night...

    * Which happens rather a lot if you decide to use NFS. NFS under Tiger is broken on intel macs but works OK on ppc macs.. same OS version (allegedly), same NFS share, even the same damned cables.. different result every time.

  12. Trend by MadMacSkillz · · Score: 5, Funny

    There is a trend emerging, ever so slowly... It used to be Mac users attacking Windows users... More and more I'm starting to hear Windows users attacking Mac users. Fortunately, so long as the argument is "Mac is gay," I don't really feel like Mac users need to bother responding. Linux I respect, though... because once I'm in the command line, it's just like OS X. (ducks)

    --
    Music - www.richardmac.com
  13. Re:Why? by tiocsti · · Score: 5, Insightful

    "Changing the memory address layout is roughly akin to doing home security by locking different doors on different nights, but always leaving one unlocked. The would-be burglar just has to try all the doors to get in. Doing this kind of thing is trivial on a computer."

    Yes, it's just like that, except you have millions of doors, and an intruder can only try to open one door per night, and the unlocked door changes randomly every night.

    "People really need to stop adding these kinds of things that increase complexity and do not address the real issue, which in this case is access to the memory space of another application without some sort of credential or approval. When the real problem is addressed, this overly complex and fundamentally useless random memory address layout 'feature' will be left in to cause bugs and complexity forever."

    This has nothing to do with access to the memory space of another application.
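
The door analogy in the reply above can be put into numbers. The following is an added example, not part of the thread: a Python model of guessing one randomized base address among 2^entropy_bits equally likely slots, comparing a layout that is redrawn after every failed guess with one that stays fixed. The entropy values and function names are assumptions chosen for illustration, not figures for Leopard or any other OS.

```python
import random

def expected_guesses(entropy_bits, rerandomize):
    """Mean guesses until the right slot is hit (closed form)."""
    n = 2 ** entropy_bits
    # New layout after each miss: geometric distribution, mean n.
    # Fixed layout: misses can be ruled out, uniform over 1..n, mean (n+1)/2.
    return float(n) if rerandomize else (n + 1) / 2

def p_success_within(entropy_bits, attempts, rerandomize):
    """Probability that at least one of `attempts` guesses is right."""
    n = 2 ** entropy_bits
    if rerandomize:
        return 1.0 - (1.0 - 1.0 / n) ** attempts
    return min(attempts / n, 1.0)

def simulate(entropy_bits, rerandomize, trials, seed=0):
    """Monte Carlo check of expected_guesses() with a seeded PRNG."""
    rng = random.Random(seed)
    n = 2 ** entropy_bits
    total = 0
    for _ in range(trials):
        if rerandomize:
            guesses = 1
            # Guess slot 0 each time; the layout is redrawn per attempt.
            while rng.randrange(n) != 0:
                guesses += 1
        else:
            # Layout drawn once; sweep slots 0, 1, 2, ... until it is hit.
            guesses = rng.randrange(n) + 1
        total += guesses
    return total / trials

if __name__ == "__main__":
    # Assumed entropy values, for illustration only.
    for bits in (8, 16, 24):
        print(bits,
              expected_guesses(bits, True),
              expected_guesses(bits, False),
              round(p_success_within(bits, 365, True), 6))
    print(simulate(8, True, 4000), simulate(8, False, 4000))
```

Each miss in this model typically corresponds to a crash of the targeted process, so a run of repeated crashes in one service is the signal a defender would watch for.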

  14. One reason banks run on mainframes by slyborg · · Score: 2, Insightful

    Good post. Privilege enforcement in hardware is going to be much harder to crack than various obfuscation schemes in software, which in the end are sort of like a spread-spectrum technique to reduce the signal level of your software deficiencies by spreading them out over the address space.

  15. Re:ASLR == Windows Feature Since 3.1 by Anonymous Coward · · Score: 3, Informative

    You'll be glad to read that Leopard makes connecting to network shares a threaded operation, so the spinning beachballs in finder related to this issue should be far fewer. In theory.

    I've never had any problems plugging a Firewire drive into a Mac. Sure that something's not dodgy at your end?

  16. Sandboxing != Systrace by plsuh · · Score: 4, Informative

    Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls

    Folks,

    Just FYI, the sandboxing in Leopard is not systrace. Systrace is vulnerable to race conditions -- see Robert Watson's paper "Exploiting Concurrency Vulnerabilities in System Call Wrappers". I asked him about this at WWDC, and he told me that Leopard's sandboxing is based on a different technology and is not vulnerable to the same attacks.

    --Paul
  17. Re:ASLR == Windows Feature Since 3.1 by sith · · Score: 4, Informative

    Seems like you might have some issues - I plug firewire drives into Tiger systems multiple times per day and have never had a crash. And even if it did, you'd get the multi-lingual "please restart" screen - I haven't seen OSX do a black screen panic since 10.1 ...

    Also, if applications are "just vanishing" on launch, you may have disabled the little popup that tells you the 'application quit, wrote a crash log, and would you like to reopen it?' ...

  18. Come to think of it... by Kadin2048 · · Score: 3, Funny

    ... or, an OS with popularity of BSD, the consistent feel of Linux, the security of a Windows, with the openness and price point of OSX.

    That's a pretty good description of Vista, actually.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  19. Re:ASLR == Windows Feature Since 3.1 by Kadin2048 · · Score: 3, Informative

    When mac software crashes it usually just vanishes, with no user feedback at all. When the OS crashes it blackscreens (like, say, plugging in a firewire drive into Tiger, which they *still* haven't fixed) but I wouldn't say the information it gives is useful at all.. about as useful as a bluescreen.

    Huh? When most Mac apps crash it produces that "The Application [ApplicationName] has quit unexpectedly" crashlog dialog box, where it shows you a trace and you can choose to type a friendly little note in and send it away to Apple. this thing.

    I don't see it that frequently but I did find a pattern of actions that would repeatedly crash Aperture the other day, and it popped that thing up every time.

    Don't know whether it only comes up for Apple applications or what (I don't think so; I remember getting it a few times when Vuescan crashed). Maybe it only comes up as a result of some types of faults, and not all of the fatal ones. But it seems to work fairly well for me.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  20. Re:Why? by lantastik · · Score: 2, Funny

    Your analogy is completely confusing. Could you please rephrase it in the form of a car analogy? Thank you.

  21. Re:Pre-Binding? by shmlco · · Score: 2, Insightful

    "It's still a bandaid though..."

    Actually, I'd tend to view it as just one of a series of preventative measures that one takes in order to KEEP from getting sick. A band-aid is something you throw on AFTER you've been cut up.

    And yes, we probably could do more, but not until people are willing to take a minor hit in performance in exchange for hardened security features and layers. Linux in particular tends to erupt in flame wars over just a 0.12% increase/decrease in scheduler performance. And Windows folk won't give up an extra half-frame in Quake...

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  22. Re:I hope they let you disable this junk. by NatasRevol · · Score: 4, Insightful

    the appalling 'Open "safe" files after downloading' feature in Safari.

    Seriously? This is one of your 'real' security holes? This one comes turned off by default AND HAS A CHECKBOX IF YOU WANT TO TURN IT OFF.

    --
    There are two types of people in the world: Those who crave closure
  23. Windows had this around 1998 by Sockatume · · Score: 2

    It forgot where the memory went, mind you, but it's the thought that counts.

    --
    No kidding!!! What do you say at this point?
  24. ASLR by caluml · · Score: 2, Funny

    ASLR - Hmm. 32, Male, Bristol - what's the R for these days? I can't keep up with the youngsters.