Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
Yeah, but it doesn't matter. Everyone knows that Apples are immune to viruses and malware. And they look better than ordinary PCs.
Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them. Am I missing something?
Praise for MS on /.
Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.
DEP has been around for a long time and has been in XP since at least SP2.
"[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."
bugs != security failure (although they can cause one... the bad math issues in excel 2007 aren't particularly exploitable, just annoying)
Get a web developer
Another quote from the article:
Because Snow Leopard lacks fully-functional ASLR, Macs are still easier to compromise than Windows Vista systems, Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said.
The summary alleges Miller said it "today". Except he didn't.
The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.
He actually said it *two weeks ago* on August 29th.
Wake up, editors!
Could it be all these 'experts' are just a tiny little bit self serving? Anyway, every time I read a headline about an OSX exploit it turns out to be either a trojan or local (which is bad but not *that* bad afaik). Are there even any known remote ones? Not trying to troll here, maybe I'm just uninformed. Please enlighten me.
Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!
If you want to win again the contest
They make it sound like freakin' M$ invented the technology... it was in Linux long before and in other systems even before that! M$ is just using other people's ideas, as usual.
See wiki:Address space layout randomization.
I was expecting something new in OS security when I was reading the title and first lines of the summary, and I saw the friggin' ASLR and I was like "What? They haven't got *THAT* done?"
Water is wet and Pope is Catholic and men are lazy. nothingtoseeheremovealong
Colorless green Cthulhu waits dreaming furiously.
Actually since a few years the M$-fanboys are a majority at this place. But keep on ranting, if it makes you feel superior.
Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled. This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes. Newer versions, including Internet Explorer 8, enable these protections. A registry setting is available to forcibly enable or disable ASLR for all executables and libraries. The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.
It appears that only OpenBSD and some hardened Linuxes (not mainstream distributions) have a complete implementation.
I thought OpenBSD already does this. Or was that just randomizing PIDs? I keep thinking the small amount of BSD-ness left in OS X would help make such things easier. No matter, I worked with a Mac all day yesterday; purty, but I'll not buy one. (Or Windows, for that matter.)
OpenBSD has been using these techniques a lot longer than Microsoft has, so I suspect that there is not (yet) an issue of patents to be licensed.
Linux has had this feature for quite some time in the form of the grsecurity patches.
Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has. Each release, OS X gets a little better, but they are relying mainly on people wanting to break Windows more than OS X.
With snow leopard, they had the perfect opportunity to make a release that focused on performance and security over bells and whistles. It's modestly faster on my MacBook Pro, and I think most users would have gladly paid under $30 for an upgrade that just focuses on the internals to get more out of their system. Since most Macs cost at least $1100, $30 is nothing for an average Mac user.
ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. Also makes calling library functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.
I don't even use a Mac, I just don't understand how you can exploit known addresses if the only writeable addresses you see are private to your process. Of course you are going to explain the "big gaping security hole" to me.
Yes, this would be just "security by obscurity", which, imho, is not the way to go.
Then how does your network card work?
The article asks why they didn't do ASLR, especially since snow leopard is touted as a "performance and reliability" update...
Since when does ASLR improve performance or reliability? If anything, it would decrease performance and could cause compatibility issues with some badly written code (and exploits) and thus decrease reliability too...
Also, the article talks about windows but doesn't mention that linux had dep and aslr long before windows did, and still has a far more complete implementation.
1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon and because they cannot be directly exploited remotely they're not generally as high of a priority.
2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.
3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.
Yeah. Why license when you can steal?
*cough*xerox*cough*
Hush, you fool! Do you want to invite down the wrath of Father Steve?!?!
It does not make it obscure, it makes it unpredictable.
You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.
The parent post's reference to OpenBSD seem spot on to me. See OpenBSD Security Features. This uses a BSD license and is written for a BSD 4.4 derivative (just like OS/X). Why doesn't Apple just adopt the OpenBSD mmap and just close this hole?
Yeah, that's why the intensely security-minded OpenBSD folks implemented it first...
You are an idiot.
If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited as recently as 7 months ago:
address space layout randomization
I though this was a feature in OS X 10.5? Was it not implemented or just not implemented as well as other OS's?
I remember hearing about it as a feature for 10.5.
So they're at least using some ASLR, which they can patch for later, and they got Snow Leopard out the door earlier rather than later.
If you're running your business on OSX Server, you didn't immediately go upgrade anyways, so where's the harm, other than early adopters claiming their ASLR isn't as cool as it could be?
He's obviously still on dial-up.
Not that I wish to stop you frothing at the mouth, but I'd recommend viewing one of the posts above yours.
This is the sort of posting that makes me think Slashdot should rename the "Anonymous Coward" account to "Anonymous Idiot." Random selection of addresses is not "obscurity," it's "unpredictability." It's at least as strong as a four-digit bank pin.
I followed you until you said "p0wn", at which point you became just another internet putz. Try harder next time.
it's really just leopard sp2
vendor lock in
defectivebydesign
Yes, let's not let facts get in the way of observing that, theoretically, PCs are more secure. Macs are only empirically more secure. Stupid Mac users.
blog
That's ok, you only missed 2 words...
Slashdot loves to underestimate "security by obscurity". However, it is usually the first line of defense, and it works quite often. It is like locking your door without a deadbolt: it keeps the honest honest. If it is hard to know how to get in, then most "hackers" will not be able to get in, until some real hackers actually take their time un-obscuring and getting familiar with the system, and then write an easy script for the script kiddies to take advantage of. However, having it obscure could give a system years of being unhacked... sometimes enough for it to be incredibly out of date, so that when they find a way to get in they no longer want to anymore.
Now for Windows, OS X and Linux, there are a lot of people who have oddly strong emotions about their computer operating system, and there are a lot of people who would love to wipe the smug expressions off each other's faces, so there is a lot of focus on trying to un-obscure their competitors and hack in. However, if you are a no-name brand system, security through obscurity could have saved you a lot of money in development and testing and not had a system broken into. Unfortunately this creates a lot of smug developers who think they write secure code because it was never hacked into.
If you can run code that you did not load then your system is broken, if it is at a random location then you should not have access to it, at all, ever
ASLR is all very well but if it ever succeeds in stopping something it just proves the rest of your security is not working .... ...and most exploits *still* just ask a user to run a program, at which point all this is moot ....
He didn't even spell pwn right. What is the world coming to when people can't even write in l33tsp34k properly?
"That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8"
An interesting hypothesis. Why would they put opted-out non-DEP and non-ASLR code in IE8. And do you have any verifiable third party citations for the above. Wouldn't a more likely explanation was that MS fixed the vulnerability after the fact.
Snow Leopard does actually improve on Leopard's security. I can't even get processes that run as admin to save files to world-writeable locations anymore.
Sandboxd reports a "deny file-write*".
Fecked if I can get it to work.
ASLR is sorta like moving the location of the barn door, while keeping it wide open.
Hint: The cows can still get out.
Perhaps the guys at Apple realize this and give ASLR a low priority for implementation.
Even so, adding ASLR to the Apple OS is something they could do with relative ease-- change the kernel and user-space mallocs() to be less predictable, munge the call stacks to be less predictable, etc, etc, etc,---- mostly stuff that can be done with 50 lines of code here and there and not too many other places.
But again, it would be much more efficient to put that effort into closing any open barn doors, rather than painting the open gateways in random colors. Every five seconds.
The biggest security problems with Windows still remain, namely that:
a: compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things
b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.
c: security policy on Windows has about 0 coherency, making it really hard to properly secure Windows and really easy to accidentally miss something/screw something up. Windows security policies are all over the place: in the registry editor, in the Windows security center, in the user/computer policy app (which at least as of XP wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you end up having to look through every single freaking policy). What's worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated and just leave everything open.
I tried to recently secure a Windows XP box after coming from a background of unix(including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.
I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.
I see many more posts complaining about mac fans than I see posts by mac fans. Don't you guys have anything better to do than get emotional about a blob of hardware+software?
"Apple .. failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"
Address space layout randomization is a technique to randomize memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD
There is no such thing as bugproof code. That's the entire reason for ASLR's existence in the first place.
Once someone writes an entire fully-functional OS with absolutely no security vulnerabilities (take your stab at it and tell me how that turns out for you), the need for ASLR will vanish... oh wait, no it won't because there'll still be other applications, drivers, etc. from third parties which will be insecure.
*sigh*
http://db.tidbits.com/article/10509
Most Slashdotters don't understand what security is. Security and safety are not synonymous. Obscurity may make you safer, but it does not make you more secure.
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uninformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of the article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach, and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think of the other heap protection checksums and protections for 64 bit kernels? Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
Tagging doesn't work for me anymore, so I picked the post with the most use of the word 'obscurity'.
This is not security through obscurity (STO). STO can always be exploited when you know how the algorithm works. Address space randomization cannot be exploited (immediately). You still have to start the executable maybe hundreds of times before the exploit works. This is easy if it's some short piece of code you've crafted yourself, but with real applications, it's not so simple.
Imagine a hack where you send some exploit to somebody over IM. If it doesn't work, the IM client *will* crash as it tried to execute some random portion of memory. How are you going to try your exploit at a different address now?
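As an added example (not part of this thread, and not Apple's or anyone else's code), the following C program makes the point above concrete. It samples the four regions an ASLR implementation is expected to move (executable code, the C library, the stack, the brk heap), shows the page-granularity caveat that the low 12 bits of an address are never randomized, and demonstrates with fork() that a forked child inherits the parent's layout unchanged. That last part is the difference between a service that crashes and is restarted (a fresh exec, a fresh layout, as with the IM client above) and a forking server whose children all share the layout chosen once at startup. The probe choices (a local function, the stderr FILE object, a caller-supplied stack variable, sbrk(0)) are this example's own; it assumes a POSIX system such as Linux or macOS.

```c
/* Added example (not from the article or any commenter). Shows the four
 * regions ASLR is supposed to move, why the low 12 bits of an address are
 * never randomized, and that fork() hands a child the parent's layout
 * unchanged. POSIX (Linux/macOS), no privileges needed. */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

struct layout {
    uintptr_t code;   /* a function in this executable: moves with PIE */
    uintptr_t libc;   /* an object inside the C library's data segment */
    uintptr_t stack;  /* a caller-supplied stack variable */
    uintptr_t heap;   /* current program break (top of the brk heap) */
};

static int marker_function(int x) { return x + 1; }

/* Snapshot the regions an attacker would need fixed addresses in. The
 * stack probe is passed in so parent and child sample the same variable. */
void collect_layout(struct layout *l, const void *stack_probe) {
    l->code  = (uintptr_t)&marker_function;
    l->libc  = (uintptr_t)stderr;     /* the FILE object lives in libc's data */
    l->stack = (uintptr_t)stack_probe;
    l->heap  = (uintptr_t)sbrk(0);    /* brk base is randomized separately */
}

int layouts_equal(const struct layout *a, const struct layout *b) {
    return a->code == b->code && a->libc == b->libc
        && a->stack == b->stack && a->heap == b->heap;
}

/* Mappings are slid by whole pages, so bits 0..11 survive randomization.
 * That is what makes a partial overwrite of the low byte(s) of a saved
 * pointer viable even when the slide is unknown. */
uintptr_t page_offset(uintptr_t addr) { return addr & 0xfff; }

/* fork() copies the address space as-is: the child is NOT re-randomized.
 * Returns 1 if the child reports the identical layout, 0 if anything
 * moved, -1 on a system error. This is the forking-server case, where a
 * crashed child tells the attacker nothing has changed for the next try;
 * a service that is restarted (exec) after each crash gets a new layout. */
int child_layout_matches_parent(void) {
    struct layout parent, child;
    int probe = 0;
    int fd[2];
    if (pipe(fd) != 0) return -1;
    collect_layout(&parent, &probe);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: report what it sees */
        struct layout mine;
        collect_layout(&mine, &probe);
        if (write(fd[1], &mine, sizeof mine) != (ssize_t)sizeof mine) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child) return -1;
    return layouts_equal(&parent, &child);
}

int main(void) {
    struct layout l;
    int probe = 0;
    collect_layout(&l, &probe);
    printf("code %#lx  libc %#lx  stack %#lx  heap %#lx\n",
           (unsigned long)l.code, (unsigned long)l.libc,
           (unsigned long)l.stack, (unsigned long)l.heap);
    printf("page offset of code (never randomized): %#lx\n",
           (unsigned long)page_offset(l.code));
    printf("forked child sees the same layout: %d\n",
           child_layout_matches_parent());
    /* Run the binary twice: with ASLR covering every region all four
     * values change between runs, while the page offset stays the same. */
    return 0;
}
```

Running the binary twice on a system that randomizes everything shows four different numbers each time; a region whose value stays fixed across runs is one the OS is not randomizing, which is exactly the kind of gap the article is complaining about for the Snow Leopard heap. The forked child always matches, which is why a byte-at-a-time guess against a forking daemon is a realistic attack while the same guess against a crash-and-restart client is not.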
Yes, this would be just "security by obscurity", which, imho, is not the way to go.
It is not THE way to go. Though that is exactly how you start to secure something. Anything. Even a big building full of gold. First you put it nowhere. Then you don't talk about it. Then you put in the guards, cameras, locks, guns, armor and such. The best security STARTS with obscurity and goes from there.
Calling Mac users stupid is not 'informative', the parent must be modded down.
The parent's article goes into more detail and even points out other features. This seems to be the source of the other article, and it also looks like the other article cherry picked the results: rather than mentioning the four sections of software improvements, the Computerworld article focused on the one area of disappointment. Oh well, what is journalism without a little baiting to improve ratings?
>compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things
I'd say this is the one part of Windows MS has been improving. Running as a limited user, runas, etc. in Vista (especially SP2) and 7 is light years ahead of what it was in XP or 2000. Developers are pretty much being told to write software correctly or it just won't run in Vista/7. This is a sea change in how things are done in the Windows world, and even today a lot of users without legacy cruft to support run without much hassle from UAC. Eventually those old pieces of software causing these issues (let's write to c:\temp, why not?) will be retired in favor of compliant newer versions.
Microsoft only uses one of 512 different offsets, meaning that a brute-force attempt to guess the correct offset will still successfully exploit a known vulnerability.
Microsoft even says so in their own documentation. And their approach is not the only way of achieving address randomization, but as usual they are more interested in backwards compatibility (which is particularly important for closed source; with open source everyone can simply recompile, or even JIT).
True, however most "Security" fixes are Safety fixes. Security is a 100% guarantee; Safety is better than nothing.
I read somewhere that OS X had ASLR, but only for the PowerPC, not for x86. I can't remember if it was part of the PPC architecture or Apple just being lazy in porting ASLR. Can somebody point me to an article more about this (or explain more about what is so special about PPC)?
Mod parent +1 Sarcasm.
Funny would also be appropriate, as many slashdotters don't seem able to detect sarcasm when it comes to their favorite X vs Y debate.
It is like improved security for your house. If someone is really determined he will get in. But the point is, a thief doesn't really care which house he robs. Every thief will just move along if he needs more than 5 minutes to enter the house.
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
What's interesting is how in the same paper where Miller mentioned the ASLR in Leopard, he also praised Apple for getting rid of a lot of the setuid use.
Why would they put opted-out non-DEP and non-ASLR code in IE8.
If the "Internet" zone uses DEP and ASLR but the "Local intranet" zone opts out, that's probably designed to keep ActiveX-based intranet sites working.
If all else fails, yeah, you should have done it better, but why should the user suffer for it? Wouldn't you (and him) wish there was one more obstacle that might just trip the hacker? Anything? ASLR is something.
Computer security (good security) goes for redundancy. You add as much protection as makes sense. You never say 'that layer is perfect, there's no need for another layer' (there's no such thing as perfect). You don't say 'we're not a target' (everybody is, since attacks have been automated). You don't say 'but why would someone do that?' (because they can). These are just dumb excuses from people who STILL DON'T GET IT.
If you have two extra methods of protection you damn right put them in there, no matter how redundant they seem. Apple put just one, and Miller asks why oh why can't they just put the other one in already?
To make an analogy, it's like using 3 condoms. Yeah, one should be enough and 2 is already over the top, but when you deal with computers and you have 3 of them, you use 3.
Or, it's like placing extra guards inside the bank safe. Yeah, there are guards outside, the door is locked, police 30 seconds away and the safe walls are 2 feet thick, of steel and concrete. If all that fails something went terribly wrong. But when you deal with computer security, you still put a guy with a shotgun inside the safe.
Computers aren't real life. They are a mostly theoretical realm where the slightest possibility, no matter how impractical, sometimes happens. That's what you plan for, to expect the unexpected.
Um evil genius. You need a five year old on your board of advisors.
If you put the building full of gold nowhere and tell no one, you create a security vulnerability when you tell the guards and the contractors who install the rest of the security. Once you tell anyone, you already start putting holes in your security.
Actually Macs are just not attractive targets for virus and malware writers, it's just too small a target. So we Mac users simply don't have to worry about it. I mean seriously, why take over a few million Macs and have them as your legion of doom, when you can pwn a few billion Windows boxes with ASLR security technology?
This is the sort of posting that makes me think Slashdot should rename the "Anonymous Coward" account to "Anonymous Idiot."
So says someone posting as Anonymous Coward.
And seriously, "M$"? Is anyone still using that in 2009?
Microsoft's first product was a BASIC interpreter for the Altair computer. In the BASIC implementations common on Altair, Apple II, Commodore 64, and many other 8-bit home computers, names of string variables ended in $. For example:
I see the usage of "M$" in posts as analogous to "thank $deity", which alludes to the syntax for naming a variable in Bourne shell, Perl, or PHP. At least to me, it carries a connotation of "the world might have been a better place had Microsoft stuck to its BASIC compiler and not ventured into monopolizing operating system market."
I thought ASLR existed to make life difficult for trojans and viruses. So that, even if you did click on those pictures of Britney, you wouldn't end up with your credit card information stolen.
"Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago ..."
Sign of the times that I thought this might be a flashback to April Fools...and then I remembered. Slashdot doesn't hate Microsoft on GP and actually gives them credit where credit is due. Everyone's not an Apple or Linux fanboy anymore. But this shift to admitting that Microsoft has succeeded in an area Apple has overlooked...
Wow. How times have changed...
Apparently they don't have support for Non-Uniform Memory Architecture either, which means a big performance hit for some apps.
Having run Vista it really only prompts me for admin privileges doing things like:
Setting the clock
Installing software
Uninstalling software
Bringing up "Computer Management" - which allows me to partition disks, look at the system log, install/uninstall drivers.
I never get UAC prompts just running apps, unless Firefox or some other app wants to install an update, but I categorize that under installing software.
Guess what though - my Mac asks me for the admin password doing the same exact tasks. Granted it doesn't always ask me for the password to install programs, but isn't that less secure?
I'm sure you'd find a Windows-centric admin saying the same thing about Unix, sadly - where there is no one central place to set security. Most modern distros have gotten much better about this, but in the past it wasn't always enforced that all settings sit under /etc or all logs sit under /var/log - in my own experience Linux seems more organized than more commercial/proprietary OSes like Solaris or Tru64.
On policies btw - it's really quite simple. There are two really - one for the machine, one for the user. Machine policies are applied to anyone who logs in; user policies are, like it implies, only for that user session. Policies set by server are for machines being managed by a domain controller in Active Directory and set at a central location. All it's doing is writing settings to the registry (hkcu\software\policies\ if it's a user policy and hklm\software\policies if it's a machine policy).
All it is is simply an API to change settings on Windows and other 3rd party apps (yes - plenty of non-MS stuff can be set via group policies).
its security by obscurity the same way that setting your password to anything other than password is!
>> again failed to implement fully a security technology that Microsoft perfected nearly three years ago
This just made my morning. Microsoft hasn't ever perfected anything.
whooosh!
Enter SELinux to prevent the app from calling said system API, or being able to do anything once it escalates?
I followed you until you said "putz", at which point you became just another strange Yiddish using delinquent. Try harder next time.
Executing code on the stack is prevented by the NX bit, it has nothing to do with address space layout. What it does prevent would be something like return to libc attacks and other nice things.
Microsoft is better than Apple!
"it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"
a: compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things
I would have said the same.
But at work I don't and can't get a "root" password for a machine only I use. Well fair enough I guess. But you quickly find out that Linux sux just as hard as Windows for all the same reasons. And that is that everything you download, every package, every installer *assumes* that you have root access. It's a real pain to install a lot of normal things in user space (aka /home/reallyNiceGuy/). It can be done --but it's a bloody pain. Add the fact that our admin dude is a total computer loser who turns up to work less than 2x per week...
In the end I got a laptop where I *do* have root access.
ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. Also makes calling library functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.
How is ASLR any more effective than the DRM on offline products like DVDs? The OS and each individual program need to have the "guidebook" to the randomized locations stored somewhere, or they wouldn't work. So all the malicious software needs to do is look in the same place. I mean, if it has access to modify the memory of another process, it should be able to do that, right? Or am I missing something?
It seems to me as though this is just adding a tiny little hurdle at the expense of performance.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Well, if it were enabled and configured correctly, then yes. On a Mac, SELinux doesn't work so good.
"Implement fully a security technology that Microsoft perfected"
You mean the one that Vista put out? Yeah, I guess I'd have to agree that it's "perfect" security. Application blah is trying to access blah. Press Allow or Cancel.
That's an unfortunate analogy, since 2 condoms is far worse "security" than 1 condom.
I use Linux distro disks for spacers under my desk when it wobbles. The AOL disks have rotted away it seems.
Why bother
https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa
"Most users get so frustrated and just leave everything open."
Most users have no clue about 90% of what you said.
"I tried to recently secure a Windows XP box after coming from a background of unix(including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything."
What were you trying to do?
Don't take life so seriously. No one makes it out alive.
16/F/Iowa
In order to "look in the same place", you need to have code that does the looking. The NX bit will prevent arbitrary code from executing on the stack. One way to get around NX is to overrun a buffer and replace the return address of the stack frame with a known function address that does what you want. In order for this to work, you need to know the address in advance of the attack. ASLR makes it difficult to predict this address.
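To make the two comments above concrete (NX stops code on the stack; the return-address overwrite they describe needs a function address known in advance), here is an added example written for this page, not code from the article, from Charlie Miller or from any poster. It measures what ASLR actually randomizes on the machine it runs on: it re-executes itself sixteen times, has each child print the address of a stack variable, a heap allocation, libc's system() and one of its own functions, then counts how many bits of each address changed between runs. system() is the usual return-to-libc target; a row showing zero randomized bits is an address an attacker can write into the stack frame without guessing. It assumes Linux (/proc/self/exe, popen) with a standard C library; the sample count and the choice of probed addresses are mine.

```c
/* Added example: how many address bits does ASLR randomize for each region?
 * Assumes Linux (/proc/self/exe, popen) and a standard libc. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define SAMPLES 16

/* Count the bit positions that were not constant across all samples:
 * an estimate of the bits an attacker must guess or leak. */
int randomized_bits(const uintptr_t *samples, size_t n)
{
    if (n < 2)
        return 0;
    uintptr_t all_and = samples[0], all_or = samples[0];
    for (size_t i = 1; i < n; i++) {
        all_and &= samples[i];
        all_or  |= samples[i];
    }
    uintptr_t varying = all_and ^ all_or;   /* bits seen as both 0 and 1 */
    int count = 0;
    while (varying) {
        count += (int)(varying & 1u);
        varying >>= 1;
    }
    return count;
}

/* Child mode: print one address per region and exit. */
static void print_addresses(void)
{
    int on_stack = 0;
    void *on_heap = malloc(64);
    printf("%lx %lx %lx %lx\n",
           (unsigned long)(uintptr_t)&on_stack,
           (unsigned long)(uintptr_t)on_heap,
           (unsigned long)(uintptr_t)&system,          /* ret2libc target */
           (unsigned long)(uintptr_t)&print_addresses); /* main executable */
    free(on_heap);
}

/* Re-exec this binary once so the sample comes from a fresh address space,
 * and parse the four addresses the child prints. */
static int sample_child(const char *self, uintptr_t out[4])
{
    char cmd[4200];
    snprintf(cmd, sizeof cmd, "'%s' --child", self);
    FILE *p = popen(cmd, "r");
    if (!p)
        return -1;
    unsigned long v[4];
    int ok = fscanf(p, "%lx %lx %lx %lx", &v[0], &v[1], &v[2], &v[3]) == 4;
    pclose(p);
    if (!ok)
        return -1;
    for (int i = 0; i < 4; i++)
        out[i] = (uintptr_t)v[i];
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        print_addresses();
        return 0;
    }
    char self[4096];
    ssize_t len = readlink("/proc/self/exe", self, sizeof self - 1);
    if (len < 0) {
        perror("readlink");
        return 1;
    }
    self[len] = '\0';

    static const char *names[4] = { "stack", "heap", "libc system()", "main executable" };
    uintptr_t samples[4][SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        uintptr_t addr[4];
        if (sample_child(self, addr) != 0) {
            fprintf(stderr, "child %d failed\n", i);
            return 1;
        }
        for (int r = 0; r < 4; r++)
            samples[r][i] = addr[r];
    }
    for (int r = 0; r < 4; r++)
        printf("%-16s %2d randomized bits over %d runs (last seen: %lx)\n",
               names[r], randomized_bits(samples[r], SAMPLES), SAMPLES,
               (unsigned long)samples[r][SAMPLES - 1]);
    return 0;
}
```

Build with `cc -o aslrprobe aslrprobe.c` and run it once normally and once under `setarch $(uname -m) -R ./aslrprobe`, which turns randomization off for that process tree: every row drops to zero, which is the situation in which a return address can simply be written in. A partial ASLR shows up as some rows at zero and others not; that is the kind of gap the article's complaint is about.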
Not quite...consider this analogy:
The president is one of the most secured people in the world, with all of the body guards and various other lines of defense. However, he is not necessarily the safest, because he stands out and is a public figure.
Your so-called "monoculture" is sort of false out of the gate.
Self-defeating qualifier: ten yard penalty!
Bow-ties are cool.
....Once someone writes an entire fully-functional OS with absolutely no security vulnerabilities....
Which of course will never happen. The best security system I know to date is what Apple implemented for their iPhone. For one of those, or the iTouch also, every program gets inspected and signed by Apple before it will load. It is impossible, or at least very unlikely, for a nasty program to execute on the iPhone, unless of course the user deliberately hacked it.
Apple could extend that system to the Mac, except make it possible for it to be bypassed after a stern warning that this may be dangerous. They could have a warning something like: "This program has not been tested or signed by Apple and could be dangerous to your computer or your bank account. Install anyway, or cancel?" After such a warning, users would still have to enter their administrative password in order to proceed. Just as millions of iPhone users have clearly shown, many if not most people would be very glad to trade their freedom to install anything and everything on the computer at random for the restriction of getting all legitimate programs from the iTunes store. Non-malicious developers could also distribute their wares on discs, after Apple has approved and signed them for a reasonable fee. Apple is in a really good position to implement such an ultra-secure system for their computers, because unlike other manufacturers, they make their own system software.
All theory is gray
At least as secure as a 4 digit bank PIN ? So the Apple only has 10000 address locations ?
Renaming the account to Anonymous Idiot was inspired, starting with yourself.
b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.
And how is an open source protocol any better, seeing as how *everyone* has complete access to its source code and can FIND a vulnerability that much easier than having to trawl through proprietary and possibly obfuscated binaries?
In terms of fixing vulns, I agree with you ... but in terms of finding them in the first place, I don't understand your argument ?
'Because Snow Leopard lacks fully-functional ASLR, Macs are still easier to compromise than Windows Vista systems, Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."'
Oh yeah? Is that a promise? I more expect he'll stop complaining when he stops making money by complaining.
http://lkml.org/lkml/2005/8/20/95
OK, I'll bite. Let's say I have a door with a very efficient, unbreakable lock. I lock it with a key.
I have two choices.
1. I can leave the key taped to the door with a label saying 'this is the key to this lock'
or
2. I can hide the key in a box which I bury in a location somewhere in mainland Europe known only to myself.
Are you arguing that in both cases the door is equally secure?
I would argue that the door is equally secure in both places, but that your key management system needs some serious work in the first situation.
The area behind the door is not secure in the first scenario using the definition of secure to mean "free from danger or harm."
Spam bunches of people over IM, possibly using a botnet to evade spam throttles in the IM system. And I get multiple chances per user, since most people will go, "Stupid IM client" and restart it without another thought. Many will restart it repeatedly, erroneously attributing the crashes to bad luck and not hostile intent.
Depends on the program I'm attacking, I might be lucky and be attacking a subsystem that forks when I connect, so I can attack over and over again. The program may have a watchdog system in place to automatically restart and recover after a crash to make the software appear more stable than it actually is.
Mind you, this isn't an argument against ASLR. I'm in favor of it! Maybe it doesn't stop everyone, but it will stop some attacks.
Search 2010 Gen Con events
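The comment above about attacking a subsystem that forks per connection is right, and the reason is stronger than "more attempts": the layout is chosen when the process is exec'd, so every forked child shares the parent's addresses, and a partial overwrite of a saved return address can be tested one byte at a time, using whether the child survives as the oracle. A watchdog that respawns the service with a fresh exec does not have this weakness, because each restart gets a new layout. The following is an added example written for this page (not code from the article or from any poster) that models both kinds of service and runs the byte-at-a-time attack against each. The 48-bit address width, the fixed seed and the crash-as-oracle model are my assumptions.

```c
/* Added example: byte-at-a-time brute force of a randomized return address
 * against a forking service (same layout in every child) versus a service
 * respawned by exec (fresh layout after every crash). Model only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_BYTES 6   /* assumption: 48-bit user-space addresses (x86-64) */

/* The attacker's overflow replaces the low `len` bytes of a saved return
 * address; if they match the real ones the child keeps running, otherwise
 * it crashes. */
typedef struct {
    uint8_t target[ADDR_BYTES]; /* the address the attacker must land on */
    int rerandomize_on_crash;   /* 1: respawn by exec, 0: fork per connection */
    unsigned long attempts;
    unsigned long crashes;
} service_t;

static void pick_layout(service_t *s)
{
    for (int i = 0; i < ADDR_BYTES; i++)
        s->target[i] = (uint8_t)(rand() & 0xff);
}

void service_init(service_t *s, int rerandomize_on_crash, unsigned seed)
{
    memset(s, 0, sizeof *s);
    s->rerandomize_on_crash = rerandomize_on_crash;
    srand(seed);                 /* deterministic layout for repeatable runs */
    pick_layout(s);
}

/* One connection with a partial overwrite of `len` bytes.
 * Returns 1 if the child survived, 0 if it crashed. */
int service_connect(service_t *s, const uint8_t *guess, int len)
{
    s->attempts++;
    if (memcmp(s->target, guess, (size_t)len) == 0)
        return 1;
    s->crashes++;
    if (s->rerandomize_on_crash)
        pick_layout(s);          /* fresh exec, fresh addresses */
    return 0;
}

/* Lock in one byte at a time (at most 256 tries each), so the whole address
 * costs at most 256 * ADDR_BYTES connections instead of 2^(8 * ADDR_BYTES).
 * Returns 1 when the full address has been recovered. */
int bruteforce_bytewise(service_t *s, uint8_t recovered[ADDR_BYTES])
{
    memset(recovered, 0, ADDR_BYTES);
    for (int i = 0; i < ADDR_BYTES; i++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            recovered[i] = (uint8_t)b;
            if (service_connect(s, recovered, i + 1)) {
                found = 1;
                break;
            }
        }
        if (!found)
            return 0;            /* layout moved under us: attack fails */
    }
    return 1;
}

static void report(const char *label, int rerandomize)
{
    service_t s;
    uint8_t got[ADDR_BYTES];
    service_init(&s, rerandomize, 1234u);
    int ok = bruteforce_bytewise(&s, got);
    printf("%-22s %s after %lu connections (%lu crashes)\n", label,
           ok ? "address recovered" : "attack failed", s.attempts, s.crashes);
}

int main(void)
{
    report("fork per connection:", 0);
    report("respawn by exec:", 1);
    return 0;
}
```

Against the forking model the address comes back in well under 256 * 6 connections; against the re-exec model the attacker is back to guessing the whole thing at once, which is the case ASLR was designed for. The same survive-or-crash oracle is what makes stack canaries brute-forceable in forking daemons, for the same reason.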
When people compare Mac OS to Windows Vista or 7 this is basically academic because Microsoft is responsible for an ongoing tire fire with Windows XP that accounts for 80% of their users. It doesn't matter how many new security gee-gaws Microsoft shipped in 2007 if most of their users are using pre-2006 Microsoft software.
The main reason Mac OS does not have a commercial malware market like Windows does is that each version of Mac OS only lasts for 2-3 months before it is replaced by a new one, and Apple can patch 75% of the Mac user base automatically within a week or two. So whatever malware you make, before you can sell it, the version of Mac OS it worked on is gone and so is the vulnerability you were depending upon. On Windows, you have years to find and exploit a problem and years to sell it and then years for your malware-deploying users to reap the reward. It's completely different.
Instead of talking about how Apple could make Mac OS _academically_ better in order to avoid a _theoretical_ malware problem that does not exist, we should talk about what Microsoft is doing about their XP users. You cannot even put a Windows 7 disc into an XP machine and get back a Windows 7 system with the XP part lifted up into the XP Mode virtualizer. A simple upgrade path like that could have been enough to kill the botnet. But the tire fire continues and Microsoft acts like the very first version of Windows ever was Vista.
In short, Microsoft Address Space Randomization is no substitute for Apple Software Update. The latter has been replacing the Mac OS kernel every 3 months for a decade now. Please tell me why Windows doesn't have that feature.
That is a good point, but you can only do a small fraction of the damage. Rather than your spam overtaking thousands, it may only take over a handful. I cannot refute your second point. What it is, though, is the process is creating a security hole by bypassing the precautions provided by the OS. My main point is only that security-through-obscurity (in other words: a lie) is different from just being insecure.
But is the area behind the door in the second scenario more secure? And if so, isn't it more secure due to obscurity?
ASLR is not about preventing you from executing code after some exploit. There are other mechanisms for that. What ASLR does is make sure just because you were able to get some code executing you can't do much with it. The idea is to obfuscate the likely locations in memory of library functions, and other system values.
Yes, you can get your code to run, but you can't call some privileged function even if your code is running privileged, because you don't know where it's going to be, unless you can use the system's dispatch scheme.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
You are both right and wrong. If ASLR stops an attack, it's because something else was broken, but the important thing is it still stopped the attack. Security is best done with a layered approach because you can't always predict what will and will not fail.
It's like a prison. The guy might get out of the cell somehow; hopefully the guard in the hall can stop him. He might get past that guy; hopefully the cell block itself is locked and he can't get out. He might somehow escape that. Hopefully he can't get past the fences and barbed wire. Oh crap, he is still moving; well, hopefully the guy in the tower with the rifle and scope can put a bullet through him.
Good security expects any given layer to fail somehow at some time. There should be another layer in place to cover that eventuality.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Keeping a password secret is not obscurity. Security through obscurity classically refers to wanting to keep an algorithm secret, not wanting to keep passwords secret.
The arguments were covered more than exhaustively in the Slashdot discussion which resulted from Charlie Miller pwn2owning the MacBook in two minutes because it was "easiest" of the machines in the competition and I should not have to hold anyone's hand in this case.
Do you also hang out in USENET forums and snottily tell people "this was discussed in alt.os.system.v.3.1 in 1991, fuck off"? It's not other people's jobs to read your mind or have read every relevant Slashdot discussion. It's your job to offer evidence for your assertions - anything else is pure laziness.
And as proof of that, drinky, why do you like to sleep with little boys and start neighborhood cats on fire? You know, since it's your job to disprove my assertion and all...
Just like how you're far more likely to meet a kool aid drinking PETA hater than a kool aid drinking member of PETA.
It seems to me that if write access to forbidden locations is permitted by the development platform vendor, randomizing the addresses is a disservice to the occupants of the "non target" places. From the viewpoint of an application developer or end user, I'd rather not have the OS supplier use an umbrella for themselves and leave me out in the scattered thunderstorms. I don't have time or a suitable temperament for that kind of support call (from either end).
If the OS is too poor to prevent people from reading "privileged" information, that is the flaw to begin with. The operating systems I am familiar with allow anyone to read "common information". If the information is private, it will only allow a very small subset to do so, and you must jump through hoops to get there (and be authorized to jump through those hoops). The operating system (combined with hardware) should isolate information so much that it is essentially impossible to look at, and of course alter, any privileged information that does not belong to the user. Any OS that would allow this is not secure by any stretch of the imagination.
ASLR is needed to prevent malware from taking over a system from any source, user intentional install to cracker breaking into the system. Apple should have used ASLR in Snow Leopard as part of the securing system.
The problem with ASLR is that anyone capable of getting around enough of your security to trouble ASLR is quite capable of bypassing that as well... giving the guy with a shotgun a revolver as well will not help if he is already asleep in the corner...
Puteulanus fenestra mortis