How to Save Mac OS X From Malware
eXchange writes "Well-known hacker Dino Dai Zovi has written an article at ZDNet discussing last week's discovery of a critical threat to Mac OS X, and another announcement of a Trojan horse exploiting this discovery. He suggests that Snow Leopard, or Mac OS X 10.6, should integrate more robust means of preventing malware attacks. Some of the suggestions he has include mandatory code-signing for kernel extensions (so only certified kernel extensions can run), sandbox policies for Safari, Mail, and third-party applications (so these applications cannot do anything to the system), and some lower-level changes, such as hardware-enforced Non-eXecutable memory and address space layout randomization."
Make Mac OS X like Windows Vista (64bit Vista has almost all of the things listed in his article).
If it does get implemented, it'll be interesting to see how Jobs talks it up since Apple wouldn't have been first.
Sometimes the old ways are best. Sticking apps that deal with Internet facing untrusted stuff 24/7 in a chrooted jail is probably one of the best ways to ensure sanity if the app gets compromised. However, this would create usability issues, say if someone wants to upload a document or whatnot, although a secondary program could do that task.
Signed kernel modules would not just stop malware, but would also stop some of the hacked (and custom-written) kernel modules being used to get OS X to run on non-Apple machines (or being used to make the experience of using OS X on those machines better).
Isn't that exactly the same stuff Microsoft talked about years ago, and many people on Slashdot cried "foul!" about it?
But then again it all makes sense for Apple. The iPhone's App Store pretty much does all that. And when it works out, Apple might just start a Mac App Store. No executable program launchable if it doesn't originate from the App Store, or only in some sandboxed VM considered insecure. That could even work, but is that really what users want?
Please, the Mach kernel was hacked to bypass TPM; it'll be hacked to bypass driver signing.
Better for Apple = Worse for consumer. Let's face it: after what they've done to the Mac experience in the last couple of years, Apple (cough, Computer) is more interested in selling iPods and other crap than keeping the Mac user friendly and intuitive. Signing execs and modules would only allow the engineers to let the Apple Gestapo lock down their OS rather than intuitively fixing the problem.
This doesn't make sense--I always thought Macs were impervious to the simple things that "plague" my Windows PC.
Why would a sandbox for Mail, Safari, etc. be necessary if the user isn't running these applications with root privileges?
I feel that Slashdot and ZDNet (and probably the rest of the interbuttz) have beaten the Mac OS X security horse into nothing but mush...
It's a local-only root privilege escalation exploit.
If you're in a position to exploit this, you're already running code with full local user privileges.
Once the system is penetrated, it's game over. You don't need to get root access, or Administrator access, or even break out of the "Reduced Security" sandbox to win basically everything that the guy writing the malware actually needs. Multiuser security is there to protect users from each other, not from themselves.
Recent studies of anti-lock brakes and safety have discovered that ABS doesn't improve safety in general. It improves braking, by letting people brake faster and smoother, but people get used to it and enough people end up depending on ABS that they end up just braking later and when they need the extra edge from ABS they've already used it up.
Before going off half-cocked proposing more layers of complex software that has to work correctly to maintain system integrity (because if it's there, enough software developers will end up depending on it), how about looking at what features of systems promote malware distribution? Design applications so they are inherently safe, rather than filling them with holes and backfilling with kernel patches and warning dialogs?
Apple already does address space layout randomization in Leopard (Mac OS X 10.5).
See "Library Randomization" on
http://www.apple.com/macosx/features/300.html#security
Notice that the new security features list also includes code signing and sandboxing. The technology is there; it's just not set up throughout the system.
What's just by Windows?
Well, it has never been successfully tested.
How to save Mac OS X from malware: wipe the disk and install Ubuntu.
It was always going to eventually happen. Given the increasing market share of OS X, it was only a matter of time before the hackers got interested. Yet even they had to wait till a sufficient base of idiots got into OS X to make their job easier. I know people whose significant other has trashed home PCs more than once opening attachments or running attachments even after all the pop-ups. Note the more than once.
People forget or get in a hurry. It's the hacker's job to exploit that nature. That makes it difficult for the owners of the OS, because even if you require a password/etc. to execute something, many people will just do that, type in the password regardless. It's like the story of the young girl who was a latchkey kid, told to never ever let people in the house while mom was gone. Yet she did three times and even denied it until shown the film showing these people being let in. Worse, she didn't recall because it was so automatic. She was distracted by something else, and that focus let her pass over doing what was right.
I look at it this way on my iMac: if that password prompt comes up and I didn't click to initiate it from some update I know came from Apple, or I wasn't loading a package I downloaded, I am going to cancel the process. Yet I am quite sure my friend's SO would dutifully type the password in. Can't be helped. Sometimes people cannot accept they did something wrong even when you show them.
The Mac system now has a large enough user base that malware is being written for it? Microsoft should be worried... what are they doing wrong, dang it?
Would having a trusted repository for some of these 3rd-party applications help (to a certain extent)? At least the applications grabbed from the repository are *probably safe to run*.
hardware-enforced Non-eXecutable memory?
Unless you could turn it off, it just sounds like DRM. Why we let third-party stuff do anything to the OS is totally beyond me. Yeah, let's leave the cockpit door wide open.
What?
Which we don't need. If we make the malware AUTHORS more like Vista 64, they won't be able to infect anything else.
Accept or Deny?
if this is supposed to be a new economy, how come they still want my old fashioned money?
What if you can't? You can do all of the things listed in TFA, but you can't secure any system, period. Unless it's buried in a room no one knows about that is completely undetectable and isn't connected to anything else. I'll take Redundant Questions for $200, Alex!
That's a pretty bipolar way to look at it. Apple might be making a killing off their iPods, but surely for many people their cross-pollination is a gateway drug into Macs and Thinking Differently (even though by default OS X gives you no room for customization; you're practically expected and heavily advised to use the stock proprietary software, and they'll try their damnedest to lock any third-party stuff out of what they can. See: iPhone).
They don't have to do anything to keep 'the Mac user friendly and intuitive' because OSX stands like a great monolith just begging you to try to mess with it and to see who's boss. Then you do, then things stop working, then you have to reinstall back to Graphite Monolith.
I hate proprietary software but for some damned reason I love Macs. Maybe it's the mind control rays that Apple has put so much work into in their secret labs.
That's it! Apple is like smoking! It's cool, it's addictive, it's rebellious, and you're sure to assault anyone who talks down to you for being into it with an ice pick.
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Apple's OS becomes the paragon of security people think it is and Linux gets more devs. Everybody's happy.
Where Microsoft went wrong with code signing is that they insist the code be signed by them, because the user or administrator is an enemy (i.e. might install a video driver that doesn't respect DRM).
Code signing is harmless if the machine's administrator is the ultimate authority.
The issue is: whose interests should the OS serve: the OS maker, the user, or (in the case of malware) anyone who manages to get their code onto the machine? If the OS designer answers that question correctly, then there's no problem with code signing (or other whitelisting approaches).
Naturally, the author of TFA got it wrong:
Required by whom? A certificate from whom? And the amount of trust delegated to this CA is what?
iMpossible
Against stupidity the gods themselves struggle in vain.
If I look out my window, there's an apple tree. But perhaps that's not what OP meant. /shrug
Signed kernel modules would [...] stop some of the hacked (and custom written) kernel modules being used to get OSX to run on non apple machines (or being used to make the experience of using OSX on those machines better)
Opinions on whether or not this is a good thing are varied.
Mac OS X is immune from malware. The story is a hoax meant to scare people. The author probably wants to sell an antivirus program for the Mac, which of course is completely unneeded.
Follow the money, people!
A car with an uneducated driver is a potentially very powerful weapon.
A computer used by an uneducated user... well, at worst he'll screw up his computer. Maybe piss off some innocent other web users with the spam mail that the zombied PC will spit out. And he might even eventually get some money stolen if too much personal data is spied on.
But unless the random guy is operating a computer controlling a nuclear core (and those already *are* selected and trained to be good at their job), it's very unlikely that the screw-up will result in deaths.
That's why you won't see a computer license any time soon, because the perceived risk (nobody will die in the end) is much lower than the perceived advantage (internet usage has become pervasive; it's so important and useful that anyone *must* have access to it).
The only thing that you could remotely imagine is a tiered approach to internet security:
the global net is accessible to anyone, but only common services are found on it. Special services are connected to a different network, which is more secure and more reliable but does necessitate special clearance.
Think in terms of "Internet freely available for all, Internet2 & GEANT only for hospitals, nuclear reactors and those who pass some license".
But you can't just shut people off the internet, because our society relies on it and, anyway, nobody will die.
The point of driver signing isn't to act as a copy protection mechanism. You can boot Vista64 in a mode that'll allow you to load any drivers. The point is to stop programs loading crap into the kernel without the user's knowledge. If you have to put the OS into some kind of very obvious "unsafe mode", then the problem becomes much less serious. Can you imagine malware popping up a dialog explaining some complicated boot sequence to the user?
I don't care what kind of malware it might be, you can pry the CoolBook Controller extension from my cold dead hands!
Third-party extensions by dodgy developers are often required to extend the lame control panels that Cupertino sees fit to bless us with. I shudder every time I install an update to smcFanController or CoolBook, but if I don't want my laptop running at 170F what other choice do I have?
Signing isn't going to make the problem go away. I won't trust these random developers just because they have a certificate. If Apple engineers had time to certify the code itself, they would have time to fix the problems in OS X and firmware that require the use of third-party extensions in the first place.
No word yet on MacOS 10.8 Cougar, to be designed with the "active" older woman in mind.
Microsoft does not require that the code be signed by them. They simply require that the code be signed, by any certificate issued by a signing authority.
All the code we develop for Windows is signed by us, and installs perfectly fine on Vista, and Microsoft has never seen a single line of our code.
You can run it via SSH as long as someone is logged into the console.
If you can ssh in, you already have local access.
"Local" is the counterpart of "remote". A "remote exploit" is one that you can perform without already having local execution access on the machine.
What you are talking about is "physical access".
(don't you mean Inconceivable?)
Well, maybe not impervious, but OS X is water-resistant (to a depth of 15 meters) and fire-retardant (up to 451F, this may be reduced if fans are present).
Someday, it's going to get to the point where you're not allowed a computer on a network unless it's maintained and certified by an admin as network-worthy, just like you're not allowed a car on the road unless it's maintained and certified by a mechanic as road-worthy. Until then, we're all doomed to endless spam, and users complaining that they should be able to maintain a complex computer themselves without any effort.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Years ago.
I think the "Repair Permissions" thing should be extended to check/repair/normalise user home directory permissions too.
I am speaking about the "Reset home directory permissions" functionality inside the Leopard DVD boot being an option in Disk Utility. Also, Disk Utility should alert users about SUID files whether they got a BOM or not, and label it clearly without creating panic. They say "These messages are true but not cause for concern". No, it is a very big concern. An unexpected SUID file on Unix is always a concern.
BTW, people calling the permission repair process "voodoo" are generally very advanced users, system admins and advanced developers. It is not put there for them in the first place; it is for the average end user. That average end user has the potential to share his/her home directory with the whole planet to make sure his/her friend gets a single document from his Documents folder. I am speaking about some functionality to revert them to sane permissions. I guess they already do some stuff via ACL on Leopard, but one can't repair the ACL without booting from the Leopard DVD, which is a real pain.
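The "unexpected SUID file" check the comment above asks Disk Utility for can be approximated from the shell. This is an added example, not a commenter's code or an Apple tool; the baseline file (one known-good path per line) and its location are assumptions.

```sh
#!/bin/sh
# Added example: find setuid/setgid files under a directory tree and report
# the ones that are not listed in a known-good baseline file.
# Assumption: the baseline is a plain text file with one absolute path per line.

# list_suid DIR
#   Print every regular file under DIR that has the setuid (4000) or
#   setgid (2000) bit set, one per line, sorted so output is stable.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_suid DIR BASELINE
#   Print each setuid/setgid file under DIR whose exact path does not
#   appear in BASELINE. An empty result means nothing new turned up.
unexpected_suid() {
    dir=$1
    baseline=$2
    list_suid "$dir" | while IFS= read -r f; do
        # -F: fixed string, -x: whole line, -q: quiet; "--" guards odd names
        if ! grep -Fxq -- "$f" "$baseline"; then
            printf '%s\n' "$f"
        fi
    done
}

# Demonstration on a constructed tree in a temporary directory (no real
# system binaries are touched): one baselined setuid file, one unexpected
# setuid file, and one ordinary file that must not be reported.
demo_tmp=$(mktemp -d)
mkdir -p "$demo_tmp/bin"
touch "$demo_tmp/bin/known" "$demo_tmp/bin/sneaky" "$demo_tmp/bin/plain"
chmod 4755 "$demo_tmp/bin/known" "$demo_tmp/bin/sneaky"
chmod 0755 "$demo_tmp/bin/plain"
printf '%s\n' "$demo_tmp/bin/known" > "$demo_tmp/baseline.txt"
echo "Unexpected setuid/setgid files:"
unexpected_suid "$demo_tmp/bin" "$demo_tmp/baseline.txt"
rm -rf "$demo_tmp"
```

On a real system you would seed the baseline from a fresh install with `list_suid / > baseline.txt` and re-run `unexpected_suid` after updates, treating any new entry as something to explain before trusting it.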
"Mandatory code signing for any kernel extensions. I don't want to have to worry about kernel rootkits, hyperjacking, or malware infecting existing kernel drivers on disk. Most kernel extensions are from Apple anyway, and for the few common 3rd-party ones, they should be required to get a code signing certificate."
It is possible to run old kernel extensions on OS X, and many benefit from it. Kernel extensions have "minimum" and "maximum" version values. You can't expect every company to release a Leopard-signed version of their kernel extensions. Some are even out of business.
Some ATI owners saved themselves with OS X 10.3.x kernel extension in Leopard (10.5.0) until Apple fixed the issues. Now imagine ATI 10.3.x extension required signing. Would be a great way to get "Apple delivers the drivers" template as reply.
There is no TPM to bypass. You need to force-decrypt certain binaries. However, there is a TPM project that Apple has under the APSL (i.e., open source).
Are you stating that the concept of a stored program is where the security problem started and we should back up to that point and do something different? If so, I want a patent on selling pictures of certain plugboard patterns that implement malware, and covering any processes that distribute those plugboard patterns to the users. I guess we don't really need compilers or assemblers if we are going to go back to plugboards. If Microsoft and Intel had the patent on plugs, this would have been the first fiat of the trusted computing initiative. Actually, I thought that stored program computers were when things got interesting. Intel GDT/LDT entries with write-protected code spaces were where things started getting clever; aliased descriptors used to make code space look like data for use by the OS code loading routines were the soft spot. Things just went sour from there on.
Does this mean you guys finally have to own up to the fact that the only reason Macs (and, therefore, Linux) seem so secure is due to lack of desktop penetration? That is EXACTLY what we are seeing here. Macs start getting more popular, Macs start getting the attention of the malware writers, suddenly Macs have more vulnerabilities than everyone thought (sort of like Firefox).
My issue with all this is the false sense of security most of you push. The idea that open source is more secure because more people look at it (which is just hogwash). The idea that Mac OS was more secure because we'd never seen a large virus outbreak. Same thing with Linux. It's all an illusion, and you do everyone a disservice by suggesting otherwise.
None of these, as the Mac zealots are starting to see, actually prove that the systems are more secure. It just makes you feel better to say it.
Let me be clear: sure, I'm a Windows user; it's where I make my money (again, because, duh, it has the most market/desktop penetration). I have no illusions about it. I don't think Windows is awesome; in fact, I think it sucks. I don't really give a crap what platform I work on as long as I can make a good living. So save the accusations of fanboyism. It's not my views that have that problem.
NONE of this software is safe once it's required to maintain any sort of backward compatibility and/or needs to work easily for computer-illiterate people. THAT is the reality that most people around here like to ignore.
Just get a ma.. er, switch to lin... wait, what?
Drivers are a threat because they live within the kernel memory space. A strictly defined and enforced driver model would limit the extent to which bad or insecure drivers can run.
A "good" driver can contain exploits and many likely do (remember the wifi driver problem?)
Drivers cause a great deal of the crashes out there; even on windows machines.
There are "old" mainframes that had hardware support for memory protection beyond the simple kernel/user model. Yes, if you move towards a more fine-grained microkernel-like system you WILL run slower, but it's the price you pay for stability and better security. Virtual machines are going down an odd-ball path towards this, and people do not seem to mind their servers wasting tons of resources with the extreme overhead a VM involves -- so why can't we start trying these "old slow" techniques (which are more efficient) and have an OS that WORKS so well we don't need work-around "solutions" like VMs (most people using VMs are using them as a work-around)?
It's as if we are moving towards a microkernel which manages DRM and VMs -- and may evolve into the next-gen BIOS.
I didn't say free, I said default. Windows gives you a bunch of fancy colors to choose from, or you can set your own for most elements. Almost every desktop dist of GNU/Linux gives you several themes to choose from for Gnome, KDE or whatever, and you can still set your colors for everything.
OS X gives you two color schemes (if you count Graphite as a color) for a few things, lets you change the colors of some fields, and gives you a whole bunch of backgrounds, most of which essentially look the same in different colors.
That's WTF, though the latest version I've used is Tiger.
The entire point of 'driver signing' is that by default 'normal users' can't run it, can't install it, can't use it. The prompt will say it can't be run because it's unsigned. Period.
Similar how when logging into a domain without a valid password, it says "No". It doesn't say "Those credentials aren't in the domain, do you want to be added to the domain as administrator?" Yet domain admins can still go in and add/remove users.
Trouble is that home users are already administrators, who can add users to a machine. So why can't they add drivers for homemade devices to a machine?
Touché, sir.
What you said is "they'll try their damnedest to lock any third party stuff out of what they can."
This is simply not true.
Go into the Internet Options control panel, Content tab, click the Certificates button, then the Trusted Root Certification Authorities tab.
I seem to remember reading that the certificates listed in Trusted Root CAs and Trusted Publishers are used for user mode, not kernel mode. I guess stuff that was in the kernel in Windows XP has to be either a driver in user space (User-Mode Driver Framework) or a UI Automation client (because UMDF doesn't handle input devices) in newer Windows.
>>I seem to remember reading that the certificates listed in Trusted Root CAs and Trusted Publishers are used for user mode, not kernel mode.
Untrue once more. In fact, I know you're wrong with respect to kernel mode drivers. Do you have an actual reference or are you just going to assert that such information exists?
I'll quote the parts of the Kernel Mode Code Signing Walkthrough that I'm referring to. (Caution: It's a .doc file. Windows XP WordPad will open it after giving several dozen warnings about failure to load graphics conversion filters, and you won't see figures. I haven't tried it in OpenOffice.org.)
True, you can install a self-signed cert onto the test computer: "the test computer must have the certificate for the CA that issued the package's test certificate installed in the computer's Trusted Root Certification Authorities certificate store." But in order to use such certificates, you must "Enable the kernel-mode test-signing boot configuration option" and that causes Windows to "Display[] a watermark with the text 'Test Mode' in all four corners of the desktop, to remind users the system has test-signing enabled." How practical is it to use a computer that has the text "Test Mode" in all four corners of the desktop as one's primary computer?
Two words: Package Manager.