Slashdot Mirror
Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
The summary alleges Miller said it "today". Except he didn't.
The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.
He actually said it *two weeks ago* on August 29th.
Wake up, editors!
Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled.[citation needed] This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes. Newer versions, including Internet Explorer 8, enable these protections. A registry setting is available to forcibly enable or disable ASLR for all executables and libraries. The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.
It appears that only OpenBDD and some hardened Linuxes (not mainstream distributions) have a complete implementation.
"Microsoft perfected nearly three years ago"
OpenBSD has had this for many, many years. Microsoft used the OpenBSD code as a starting point for their own product. Love the BSD license!
OpenBSD has been using these techniques a lot longer than Microsoft has, so I suspect that there is not (yet) an issue of patents to be licensed.
ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. Also makes calling libaray functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.
1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon and because they cannot be directly exploited remotely they're not generally as high of a priority.
2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.
3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.
Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest. However, it is far superior to OSX's, which appears to not really do anything useful, and which appears to have not even changed since it was discovered that OSX ASLR is useless. Please try to keep up, or don't comment. Thank you.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited as recently as 7 months ago:
--
make install -not war
Praise for MS by kdawson.
There fixed that for you.
"Apple .. failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"
Address space layout randomization is a technique to randomize memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD
Tagging doesn't work for me anymore, so I picked the post with the most use of the word 'obscurity'.
This is not security through obscurity (STO). STO can always be exploited when you know how the algorithm works. Address space randomization cannot be exploited (immediately). You still have to start the executable maybe hundreds of times before the exploit works. This is easy if it's some short piece of code you've crafted yourself, but with real applications, it's not so simple.
Imagine a hack where you send some exploit to somebody over IM. If it doesn't work, the IM client *will* crash as it tried to execute some random portion of memory. How are you going to try your exploit at a different address now?
Huh, your post makes it seem like you know what you are talking about but I don't really think you do. There are multiple ways to exploit OS's. Just having privilege escalation doesn't solve every security problem. ASLR is a technique that addresses a specific vulnerability that allows you to get arbitrary code execution. This is just one of many techniques to gain root and ASLR (as far as I know) is the most effective way of addressing this issue. There are some issues with it but it isn't really a performance thing, more of a compatability thing and being used uniformly by the applications.
Should Apple implement it? If they want to be secure, then yes.
Quite frankly, Macs are more secure against certain classes of attacks. Making a global statement about it being more secure is wrong, though. Macs enjoy being less of a target since they are a small number of them out there. To think they are safe is pretty naive. The guy has proved multiple times he can hack them without much trouble.
Support a great indie game: http://www.abaddon360.com