A Closer Look At Apple Leopard Security

Last week we discussed some of the security features coming in Leopard. This article goes into more depth on OS X 10.5 security — probably as much technical detail as we're going to get until the folks who know come out from under their NDAs on Friday. The writer argues that Apple's new Time Machine automatic backup should be considered a security feature. "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X — perhaps in the history of Apple — from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system."

Security

[jcicora]

Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security? Its the one thing that everyone benefits from.

Re:Security

[jellomizer]

Well Linux and Apple people like seeing Microsoft with security holes. How many articles about microsoft security problems are tagged "HAHA". Windows People like seeing Apple and Linux security holes because then they don't feel as bad about choosing Windows. Linux people are not normally to happy to see Apple Security holes because it usually means Linux has a simular problem and vice versa.

It is basicly a case if one can say I am more secure then you then I win.

Re:Security

[NatasRevol]

It's simply http://en.wikipedia.org/wiki/Schadenfreude.

Re:Security

[krunk7]

Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security? Its the one thing that everyone benefits from.

Microsoft is free to use any and every security feature ever developed by the open source community. This includes virtually 100% of Linux/bsd's development and lion's share of OSX's security features as well.

The reason we can't say the same for a Microsoft->open source is because for a lot of security in windows...no one has access at all.

Re:Security

[SethJohnson]

This is not an insightful post. It is a naive question. The post does not contribute any insight or information. Please mod appropriately.

To answer the parent question, security is a feature that business perceives as a competitive advantage. Not to mention the ridiculousness of people from one company taking recommendations from outside programmers on how they should do their jobs.

Seth

Re:Security

[anagama]

The venerability of my enemy is my friend.

The "worthy of respect" of my enemy is my friend? Perhaps you meant "vulnerability".

Re:Security

[Qwerpafw]

Apple contributes a lot to the open source community. Safari/khtml is perhaps the best example of that, but they open source their kernel (darwin), quicktime streaming server (darwin streaming server), OpenDirectory, bonjour (mDNSresponder) and a number of other tools and software packages. Apple also owns CUPS, though they bought that and didn't develop it in house (it's GPL2).

On top of that Apple regularly credits security researchers and links to their websites in software updates when they report vulnerabilities to Apple. They work with the community, not against it.

You can work with Apple on these open source projects. The fact that you don't, and that you don't know about them in the first place probably means you aren't a programmer, and aren't really serious about contributing to open source. What you really like doing is feeling superior.

It's perhaps most telling that you use the iPhone as an example of why you're upset at Apple's lack of security. You have it all backwards. The issue with the iPhone was that there were security vulnerabilities. The iPhone was cracked with a buffer overflow exploit. Apple fixed the exploit, which broke hacked phones. They did not intentionally brick phones, and instead told people not to update if they had hacked phones. You're probably remembering the whole thing wrong because you were too smug to learn the facts. Hint: fixing buffer overflows is good security, not bad. Apple is under no obligation to preserve a buffer overflow on a product they ship. If you don't want a security hole patched, don't update the product.

Apple hasn't violated the terms of any open source license. They give back to the community. They maintain a number of open source products. You can be mad about the iPhone being locked, but that's a separate issue from security or open source.

Significance

[Mikey-San]

"Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X -- perhaps in the history of Apple

Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.

Re:Significance

[noewun]

Well a lot of people considered Moving from OS 9 to OS X a downgrade.

It wasn't a lot of people. It was a vocal minority, the same minority which swore up and down that they'd never touch Apple again after the Intel switch and who spend hours debating the tiniest "flaws" in OS X's GUI. In other words, people for whom computers are an obsession or a fetish.

The the rest of us--people for whom computers are tools used to make money--OS X, and the features it brought, were long overdue. The switch was entirely worth it if only for the addition of a modern memory susbsyetem to an Apple OS. No more preemptive multitasking and having to specify how much memory each application got.

Re:Significance

[ChronoReverse]

I believe you mean no more cooperative multitasking. The modern desktop OS's are all preemptive IIRC.

Re:Significance

[aftk2]

Umm...not entirely. I really like the power OS X and am quite enthusiastic about the Intel switch. And yet, as an Apple fan from the mid 90s, I can completely recognize that 10.0 was pretty rough when moving from OS 9. Do you remember how slow that felt? OS 9 still feels faster to me than OS X, although I'd never, ever want to use it again.

I mean really...you think the people who even know about the term "preemptive multitasking" wasn't outnumbered by those who groused about how the new Mac upgrade ran at glacial speeds and lacked spring-loaded folders? OS X is great...and I'm excited about Leopard...but there was a reason that the classic Mac OS inspired diehard fans.

Re:Significance

[Apotsy]

Talk about a false dichotomy! Do you really think the two are at all related?

There were people who understood the flaws, but (correctly) thought that moving to OS X should not require giving up good performance (which took years to get back), or UI niceties like the way the classic Finder worked. As to the latter, unfortunately Steve apparently didn't like the old Finder and never allowed the OS X Finder to work the same way. Spatial mode is still broken to this day, the "Show Package Contents" feature is inferior to the one from OS 9, the 1-1 relationship between folders and windows is still not as well enforced as it was in OS 9, and as the previous poster mentioned, it took years to get spring loaded folders back (and even longer than that to get its behavior on par with the old implementation), just to name a few examples.

None of that has anything to do with multitasking or event loop handling and you know it. Or hell, maybe you don't, in which case you're pretty dumb.

Re:Significance

[Just+Some+Guy]

Talk about a false dichotomy! Do you really think the two are at all related?

Definitely. The old OS model allowed certain shortcuts such as hacks that directly patched the code segments of other programs that were running to change their behavior. The new protected memory model flat-out makes that hackery impossible, so it was up to programs to add explicit support for message passing and other external control systems. There isn't a message passing system in the world that's as fast as just overwriting a destination application's buffers with new data.

That's just one example of why some things are inherently slower if done right. Sometimes it's just not avoidable. That doesn't mean that the new way is inefficient or bad, just different.

I was never into Macs back in the day so I can't comment on old vs. new Finder or spring loaded folders, etc., but I find it telling that the only people who seem to seriously dislike the new Finder are the ones who seriously loved the old one. To everyone else it's pretty spiffy and a reasonably good model of how such things are supposed to work. That is, I'm not at all convinced that the old Finder was actually superior; it's just that people liked it that way, darnit, and anything different is inferior by definition.

None of that has anything to do with multitasking or event loop handling and you know it.

You're right: it doesn't. I'm not sure why you even brought it up.

Re:Significance

[uncleFester]

Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.

myself, i would consider the shift in architechure a greater historical shakeup. it's still amazing to me apple has shifted their core processor/architechure setup twice, including an emulation layer (each time) to ease transition. i had (and still own) a Motorola Mac (SE/30, Moto 68030 CPU) and remember the titanic shift it was migrating to the PowerPC. And, more recently, shifting from the Power/RISC platform to Intel. I think Apple's continued demonstrated ability to shift its underpinnings with damn near nary a disruption is scary impressive. :)

-r

Re:Significance

[abhi_beckert]

Did you intentionally chop off the last few words in your quote? The article actually says:

"Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X - perhaps in the history of Apple - from a security standpoint."

I think TFA is probably right, security has never been more than an afterthought for as long as I've been using mac os.

It looks like Apple has seen Microsoft's security struggle with XP, seen the strong-but-painful security in Vista, and is building up a security model that doesn't suffer from the same issues Microsoft is facing.

Security Conserns of Time Machiene?

[jellomizer]

Reading this made me wonder. What would happen if you had an important file you temprarly drop it in a public location then move it out. once the person downloaded it. Then someone goes and runs time machine on the public directory and picks up the file that you deleted.... Also will time machiene pick up different permissions set on a file at different time. You made it and tested it as 777 then after you assure it physically works you bring it down to 755 will it allow you to go back in time and get the permission 777 of the file...

While I do agree having good backups is important part of security... Perhaps just perhaps because it is so easy there is a security problem with it.

Re:Security Conserns of Time Machiene?

[99BottlesOfBeerInMyF]

What would happen if you had an important file you temprarly drop it in a public location then move it out. once the person downloaded it.

If it is an important file, why would you drop it in a public location in the first place, instead of just transferring it directly to that user or putting it in a password protected location or them? The scenario you envision is already a security problem because you're posting private data in public temporarily. I'd argue the right solution, is not to do that at all.

Evil bit?

[grassy_knoll]

From tfa:

While Apple can't prevent people from downloading dangerous stuff, Leopard has a new feature to tag downloaded applications as coming off the Internet.

Wait... don't tell me they implemented RFC 3514 . ;-)

Re:Evil bit?

[aristotle-dude]

It seems they invented another great thing. (No matter that this is implemented as a alternate file stream on XP SP2) They will market it as something innovative, of course. You might not be aware that NTFS alternate file streams were implemented in order to support the resource fork paradigm in Mac OS on windows file servers serving mac os client machines on a network back in NT 4.x IIRC. Even with XP SP2, multiple file streams in NTFS presents a serious potential security hole where an innocent looking 1K readme.txt file could house an ever growing alternate stream that exhausts all disk space or it could be used to house a trojan payload hidden from the filesystem.

Re:WTF???

[99BottlesOfBeerInMyF]

Time machine is a security hole from hell. Just suppose you record some pr0n of yourself using the built in iSight, then think better of it and delete the files. Now anyone can casually sit at your desktop and retrieve all the compromising files.

Apple just made it easier to recover deleted files, if you're using backups. If you're not using backups, there is no problem. OS X has also long had a "secure delete" option that not only deletes the file, but writes over it with random data multiple times, ala DoD requirements. I'd be willing to bet that also does the same on your time machine backups.

Delete Instructions

[BoldAC]

Deleting from Time Machine is as easy as deleting from any other folder in finder.
Here are some step-by-step directions if you really need it: Leopard Time Machine: Delete Files or Folders from Backup

AC

Re:WTF???

[wodgy7]

Just exclude your homemade porn folders from the Time Machine backup set. Easy. If you forget to do this, just delete the files on your Time Machine drive; it uses the standard .snapshot-style folder layout. No binary databases or big backup blobs that you can't parse and delete yourself. If you want public key encryption of the backups, set an encrypted DMG to be your Time Machine target. You can even use AES-256 in Leopard.

Re:Apple can no longer hide behind small markets

[El+Lobo]

I still remember in the late 90s in the apple advocacy newsgroup people telling: "why do I need memory protection and preemptive multitasking"? We don't need that... The it was implemented "finally" on OSX and it was a great thing. Then I remember them telling me the greatness of non-intel processors and how great was that Apple never went Intel. Then they DID move to Intel and boy, what a great move this was :-)

So don't worry, you will get the same story here.

Re:It's to bad that 10.5 is not comeing out for al

[AntEater]

"Mac OS X has the "it just works" reputation because of the limited number of hardware configurations on which it runs."

I've heard this for years but I still haven't seen ANY hardware sample where Windows "just works". I'd put more value on the fact that Apple based the core of their OS on a unix-like system not the registry/spaghetti mess that has been windows for the past decade plus. I'm sure that eliminating poorly written drivers from the mix does help prevent some of the problems that plague windows but it's not the whole story by a long shot.

Besides, with that argument, Linux should be even more unstable because very few of it's hardware drivers are written by the device manufacturers - many are reverse engineered.

Re:Code randomization a bad idea

[Potatomasher]

"Virus writers will write something that searches around for the right place to patch"

No, they won't be able to do that. At that point, they haven't gained execution yet.
Buffer overflows require you to jump to code which is in a known place in memory (usually libraries), which in turn slingshots you back to the exploit code stored on the stack (or other). Without knowing where to jump to, your malicious code will just sit there in memory, not doing anything.

Re:Code randomization a bad idea

[bucky0]

ASLR works using the dynamic linker. For the vast majority of programs (I can't think of any counter examples off the top of my head), the dynamic linker works transparently to match up in-program function calls with their proper library addresses. If ASLR adds bugs to the implementation, it must be because of a faulty linker, which can be debugged out.

Virus writers will write something that searches around for the right place to patch
It's not quite that simple. Virus writers have a practical limit of how much code they can squish into a buffer overflow (which reduces the effectiveness of a NOP slide) Not only that, protected memory operating systems will bomb out if you start randomly poking at memory addresses. Since the addresses are randomized, you don't really know where to start looking which means it becomes a probability game of how many valid addresses the code your looking for could be at compared to the total address space.

Developers will think buffer overflows are now OK, and write worse code.
Developers have known about buffer overflows for years, and people still use sprintf over snprintf. I doubt anyone who is doing any serious coding will look at ASLR and say, "Hurray! We can forget about string validation!"

Re:Code randomization a bad idea

[Lally+Singh]

- Which class of bugs depends upon the memory layout of your libraries? E.g. what kinds of bugs happen or don't happen depending on that layout?

- Do you have any idea how less vulnerable you are to an attack when the attacker can't get you in 1 hit? A networked-based attack would essentially have to flood you to get the right address, and bandwidth limitations could prevent them from ever doing it (searching through a multi-gigabyte address range a few dozen bytes at a time takes a *long* while when you're doing at least one packet per try). Local attacks to local processes are only threats to suid programs, of which there are *very* few, and which can sound an alarm pretty easily if they were getting queried thousands of times/sec.

Re:impossible; other strategies

[Yosho]

Their description makes it sound as if everything Just Works, and will never fail to let you recover old files.

Come on, at least read the whole page if you're going to start flaming Apple. I quote:

One day, no matter how large your backup drive is, it will run out of space. And Time Machine has an action plan. It alerts you that it will start deleting previous backups, oldest first. Before it deletes any backup, Time Machine copies files that might be needed to fully restore your disk for every remaining backup. (Moral of the story: The larger the drive, the farther back in time you can back up.)

TM has that option

[SuperKendall]

Watch the Apple leopard video. I believe in there, they talk briefly about how TM has the option to permanently remove all versions of a file. It should also be mentioned on the TM feature page Apple has on the web site... in any case it's possible.

It's such an obvious feature it's no surprise it's included. This is versioning 101 stuff.

Re:What about the insecure default settings?

[SuperKendall]

Trying to protect non-encrypted data from an attacker with physical access is a fools errand.

Re:impossible; other strategies

[nine-times]

If you look at Apple's description [apple.com] of the time machine functionality, it's not possible for it to work the way they claim.

Could you please explain how you think Apple is claiming Time Machine works, and why you think it's not doing that? I ask because I'm not sure what you find objectionable about the page you linked to. In a simple answer to your question, you can use Time Machine to back up to either an external drive or a server. When space runs out, OSX will warn you, and you'll then be given the option of overwriting your old files. That's what Apple has said about running out of space. I would assume that you'd also have the option of adding additional storage (e.g. getting another external hard drive), and keeping your old backups.

It'll be a very sensible solution for 99% of users. (Yes, that statistic was pulled out of thin air. But it's very sensible.)

However, my OSS solution works much better for me than Apple's expensive, proprietary system would work for me.

Ok, that's great. Nobody is stopping you from using that solution, and Unison has been available on OSX for a while now. In fact, I don't see any reason to think you won't be able to use both Unison and Time Machine. So what's the problem?

Many of these approaches have already failed

[argent]

Application signing, warning dialogs for downloaded files, and the like... these have been Microsoft's first line of defense against cross-zone exploits for a decade now and they have systematically failed. Now Microsoft is using Sandboxing, and that will also fail.

I wish that Apple would decide to photocopy good ideas from Microsoft rather than bad ones. The single set of application bindings for helper applications and URL handlers? That comes from Windows. The idea of giving users the opportunity to open potentially hostile files directly from mail and browser software? That comes from Windows. Open Safe Files? That comes from Windows. Popping up dialogs before automatically doing stupid things, instead of not automatically doing stupid things? That comes from Windows.

The last straw for me was when Safari on OSX warned me that I was downloading an EXE file because it's executable. Not that I was running it. Just that I was downloading it. Holy Mother of Turing!

*sigh*

At least they don't have anything like ActiveX yet.

Re:hardlinks

[SuperKendall]

Okay try this one on for size. Make a hard link of a file. Now edit one of the hardlinks and save it (not save-as, just save). Now which one is the copy?

There are no "copies". You had one file that you modified. This would be reflected in Time Machine by simply re-creating the two hard links you had to the same file.

From the file systems POV the edited one will be a copy.

There are no copies, there is one file (from the filesystems point of view). Try it and look at BOTH hard links.

The save will sever the link.

Are you SURE you are using hardlinks? On what OS and filesystem? If you're on a mac and using Tiger (HFS+) you are not using hardlinks!

Leopard will support real hardlinks.

If you are using any other kind of link, and you create a new file that replaces a hardlink... then that is in fact a brand new file that would be backed up by TM.

Re:Leopard Screenshots and Tutorials

[NtroP]

Your sig as it stands makes it sound like Apple would base an OS on Windows for some reason, which is obviously ridiculous... Actually, when Apple was looking around for a replacement kernel for their new operating system they briefly considered the NT4 kernel before rejecting it and BeOS for NeXT.

Re:Code randomization a bad idea

[puetzk]

I can't say for sure that Apple did this, but do note that randomizing it once per computer (e.g. ramdomize it *while* prebinding) is very nearly as effective as randomizing it every time. It still means someone can't write exploit shellcode that works on all (or even a significant fraction) of machines. This is the approach glibc's prelink uses.

Re:Time Machine is not Volume Shadow Copy

[TheNetAvenger]

How freaking stupid can this get? The person that wrote the content at the link you provided knows NOTHING about what they are talking about, confusing terms, and not even 'getting' the context of what they are trying to argue. And you post links to technical articles you apparently don't even understand or you would realize how off track you were.

Here try this...
Instead of 'Volume Shadow Copy' introduced in WindowsXP/2K or 'System Restore' introduced in WinME and effectively in WindowsXP; Go look up 'Previous Versions', released in Windows 2003 Server and turned on by default on Windows Vista.

Previous Versions is NOT System Restore, and it is NOT Volume Shadow Copies.
http://technet2.microsoft.com/windowsserver/en/library/cfddaf10-24fa-4d6d-a34d-cfb84c5223781033.mspx?mfr=true

http://shellrevealed.com/photos/windows_vista/picture123.aspx

System Restore is an Application/OS restore tool, something OS X doesn't even offer.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
FTA: (System Restore does not affect your personal data files!)

Volume Shadow Copies are a way to copy or backup 'in use' files, in basic terms.
And then go re-read the Volume Copy Service link 'you' provided, as it is another tool that OS and developers use, and is NOTHING the user ever deals with...

This is freaking stupid that Mac users can't even discuss the proper terminology or see a Vista user right click on a folder or document and bring up a 'time-line' of the folder and files, just like freaking time-machine on OS X.

Additionally...
Previous Versions is 'transparent' to applications unlike OS X that needs applications to be aware if they use 'special data stores', requires NO setup, and is working from the moment Vista is installed or the PC is turned on.

Previous Versions can be accessed in every Folder or File/Open/Save dialog box for every application running on Vista, all the way back to programs from Windows 3.1, and it works equally well on all of them.

A user can go back in the Vista Timeline on any file, folder, data store, etc. and all folders and files can be opened to view previous times, be dragged and dropped to the current time-frame.

Vista Previous Version also uses advanced FS level file and differential points so data is NOT stored 'as redundantly' as it is on OS X.

If OS X could have pulled off adding ZFS, they could have made time machine MORE like Vista with FS level snapshots instead of having to backup the files and folders to achieve a similar function.

Sadly, OS X's FS does not have the capabilities of ZFS or NTFS to do this, so data has to be actually backed up for Time Machine to work.

On Vista, there is NO Overhead of backing up 'Previous Versions' since it does work at the FS level. (See Vista doesn't technically have to copy the data each time a change is made, due to the way NTFS works. Go read more on this and ZFS to see why it is the only other FS that supports these types of transactions.)

Now I admit the OS X Time Machine interface is far more cooler than the Vista 'list' interface, but it is less functional, adds system overhead to maintain the backups,and wastes far more drive space.

So the functionality DOES EXIST in Windows, first appeared in the Windows 2003 Server Beta back in 2002, and has been around doing what Apple is just now catching up to in a less efficient way 5 years later. (4 Years if you count the Release date of Windows 2003 and not the Beta previews in 2002.)

Now take this information back to your Mac forums, and tell them they gave you crappy information and they have no idea what the hell they are talking about when it comes to comparing OS X and Vista.

The Classic interface

[Kadin2048]

I was never into Macs back in the day so I can't comment on old vs. new Finder or spring loaded folders, etc., but I find it telling that the only people who seem to seriously dislike the new Finder are the ones who seriously loved the old one. To everyone else it's pretty spiffy and a reasonably good model of how such things are supposed to work. That is, I'm not at all convinced that the old Finder was actually superior; it's just that people liked it that way, darnit, and anything different is inferior by definition. As someone who used the old (oops, "Classic") Mac OS from versions 6-9, while I do think there was a certain level of curmudgeonness among the people who swore they wouldn't switch, there were very legitimate concerns about the OS X Finder and GUI, which I'm not sure have really been resolved.

Don't get me wrong, I still think OS X is better overall, because of its underlying architecture and a functional CLI, but the Classic Mac GUI had been honed incrementally over almost two decades before Steve just decided to bin the whole thing and reinvent the wheel. It was that interface which made the crappiness of OS 9 worth dealing with, despite the fact that you could hang the whole system by holding down the mouse button, and had to manually allocate memory, and everything else. It was the Mac's saving grace -- perhaps its only saving grace -- throughout the 'lean years' of the platform. And that's why a lot of users just never got over its elimination; it was, for many people, the only reason why they'd stuck around for so long.

There was no real reason to change it when the old codebase was dropped for NeXT's: even if none of the code needed to be kept, the interface guidelines that had evolved as best practices, arrived at by painstaking trial-and-error by generations of Mac programmers, could have been retained. What I think happened is that Steve Jobs wanted more eye candy, and wanted to make the entire desktop reflect the OS's "newness." It was a sales tactic, and although I don't think there's any debate that it worked, it was a pretty huge cost.

OS 9 was an operating system with a great GUI and a terrible backend; OS X had a great backend, but a GUI that was almost unusable at first, and which has only very recently come back on par with the Classic OS circa System 7.5 or so. (They just recently snuck the option-click-to-close-all-Finder-windows trick back in, which I believe originated on the IIgs, and was definitely missing for a while in early OS X versions...)

(Incidentally, the interface scizophrenia isn't limited just to the Mac OS; you also see this behavior in some of the major Apple apps [e.g. iTunes] -- every time there's a whole-number version increase, some part of the interface gets changed, apparently for the sake of changing it. It's as if they realize that some people won't believe that anything is different unless the widgets change, so they scramble everything around periodically, just to keep everyone on their toes.)